The Differences Between Full Disk And Triage Acquisition

In digital forensics, data acquisition is a key first step in the investigation process. For acquiring data from either physical or virtual machines, there are two high-level approaches: full disk acquisition and triage acquisition. Each has its advantages and disadvantages, and choosing which method to use depends on what outcome investigators want from an acquisition. Here are the two methods in more detail, including their strengths and best use cases.

Triage Acquisition:

Triage acquisition is a method used when investigators need to quickly collect volatile data and essential artifacts from a live system. Unlike full disk acquisition, which involves making a complete copy of a storage device, triage acquisition prioritizes efficiency and speed. It targets critical information such as running processes, network connections, and volatile memory, providing investigators with immediate insights into the system’s state.

Full Disk Acquisition:

Full Disk Acquisition involves creating a bit-by-bit copy of an entire storage device, including all allocated and unallocated sectors. This comprehensive approach ensures a complete preservation of the digital evidence, allowing for thorough analysis without altering the original data. However, this thorough collection comes at the price of speed in some cases. Full disk acquisition, however, is very important when you’re dealing with high-severity alerts and the scope of your investigation has already been narrowed and/or when the integrity of the data must be maintained for legal purposes, such as in criminal investigations or civil litigation.

Choosing the Right Type of Acquisition

The decision between full disk and triage acquisition depends on what an investigator is looking for. Both methods are often used in an investigation at different stages. Triage acquisition excels in situations where time is of the essence, enabling investigators to quickly gather data from a large number of systems. This can be useful to cast a wide net to look for suspicious activity or files across a large number of machines in a reasonable timeframe.

On the other hand, full disk acquisition is very useful when ensuring that nothing is missed when collecting evidence as it takes a complete image of the disk. This is useful when collecting data from a machine that is known to be compromised and an investigator wants to ensure that nothing is missed, however, this depth comes at the cost of time in some cases.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

An Example

You have an environment with 50,000 hosts and you are informed of a new zero-day vulnerability that needs to be investigated. By following an effective incident response plan, you should be able to narrow the scope of your investigation significantly by performing the following, as an example:

The Cado Platform

The Cado platform supports both full disk and triage acquisition across different resource types in hybrid environments, allowing security teams the flexibility to choose the acquisition type that best meets their needs.

If you want to know more about how the Cado platform can speed up investigations, schedule a demo with our team.

Leave a Comment

Latest Videos

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feeds settings page to add an API key after following these instructions.

Latest Articles