The preferred method for acquiring memory is through direct contact with the suspect system. This lets incident response analysts adapt if a tool or technique does not work. It is also faster at obtaining the necessary files, as it does not depend on a stable network connection. Although this is the preferred method, there may be geographical constraints, especially in larger organizations where the incident response analysts are a plane ride away from the location containing the evidence.
In the case of a remote acquisition, incident response analysts can leverage the same tools utilized in local acquisition. The one change is that incident response analysts are required ...