In forensic investigations, which type of acquisition is typically performed on a computer seized during a police raid?


Multiple Choice


Explanation:
When a computer is seized in a police raid, the priority is to preserve evidence in its original state. Static acquisition achieves this by creating a bit-for-bit image of the storage while the system is powered off, typically using a write blocker to prevent any writes to the original media. This method captures everything on disk, including deleted data and slack space, and allows the image to be hashed to verify integrity, making it defensible in court. Volatile data kept in RAM is not captured in this step because it is lost when the machine is shut down. If RAM contents are needed, a live acquisition can be performed, but it carries a risk of altering data and is not the standard on-site method. Hybrid approaches combine both memory and disk data but aren’t the typical single-method choice for a standard seizure. Remote acquisition isn’t applicable to a device seized on-site.

