According to the CHFI v11 Data Acquisition Concepts and Rules, dead acquisition is the forensic process specifically used to extract non-volatile data from storage media such as hard drives, SSDs, USB devices, and memory cards after the system has been powered off. This method ensures that the evidence is collected in a forensically sound and unaltered manner, which is essential for maintaining evidence integrity and legal admissibility.
In dead acquisition, the seized system is shut down, and the storage media is accessed using write blockers and forensic imaging tools to create a bit-by-bit copy of the disk. This allows investigators to safely analyze files, file system metadata, logs, deleted data, slack space, and unallocated space without modifying the original evidence. CHFI v11 emphasizes dead acquisition as the preferred approach when dealing with non-volatile data, particularly in corporate breach investigations where data integrity is critical.
The other options are not appropriate in this scenario. Volatile acquisition and live acquisition focus on collecting data from a running system, such as RAM, active processes, and network connections. Dynamic acquisition is not a standard CHFI-defined category for non-volatile disk evidence.
Therefore, since Detective Smith is extracting non-volatile data from a seized hard drive while preserving its original state, the correct CHFI v11–verified answer is Dead acquisition (Option B).
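The bit-by-bit copy and integrity check described above can be sketched as follows. This is an added example, not part of the CHFI material: the file names, the `acquire` and `sha256_file` helpers, and the sample bytes standing in for a seized drive are all constructed for illustration, and the code assumes the real source would already sit behind a hardware write blocker.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read size only; the copy is byte-for-byte regardless


def sha256_file(path):
    """Hash a file by streaming it; the file is opened read-only."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source, image):
    """Copy source to image bit for bit, hashing the data as it is read."""
    h = hashlib.sha256()
    # "rb" never writes to the source; "xb" refuses to overwrite an
    # existing image, so an earlier acquisition cannot be clobbered.
    with open(source, "rb") as src, open(image, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())
    acquisition_hash = h.hexdigest()
    return {
        "acquisition_sha256": acquisition_hash,
        # Re-read the image from disk: proves the written copy matches.
        "image_verified": sha256_file(image) == acquisition_hash,
        # Re-hash the source: proves acquisition did not alter the original.
        "source_unchanged": sha256_file(source) == acquisition_hash,
    }


def demo():
    # Constructed stand-in for a powered-off drive: live data, zeroed
    # slack, and a remnant in "unallocated" space are all copied alike.
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "seized_drive.bin")
        image = os.path.join(d, "evidence.dd")
        with open(source, "wb") as f:
            f.write(b"FILE DATA" + b"\x00" * 4096 + b"deleted-remnant" + os.urandom(8192))
        return acquire(source, image)


if __name__ == "__main__":
    print(demo())
```

Analysis is then performed on the image, and the recorded hash lets anyone later confirm that neither the image nor the original has changed since acquisition.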