What type of acquisition is performed when the computer has an encrypted drive and the password or passphrase is available?


Multiple Choice

What type of acquisition is performed when the computer has an encrypted drive and the password or passphrase is available?

Explanation:
Live acquisition. The rule is that when a computer's drive is encrypted and the password or passphrase is available, you acquire the evidence live: you unlock the volume on the running system and image it while it is mounted, so the image contains decrypted data rather than ciphertext. Working on the live system also lets you capture volatile evidence in order of volatility: RAM (which may hold the volume's encryption keys and cached credentials), running processes, and open network connections, all of which are lost the moment the machine is powered off. Two practitioner caveats apply. Capture memory before you touch the disk, because unlocking and imaging change the very state you are trying to preserve, and every action on a live system should be documented. Then hash the image (for example with SHA-256) and record the time, tool, and hash in the acquisition log so the evidence can be validated later.

Static acquisition, by contrast, images the drive after the system is powered off, so the image holds the data as it sits encrypted at rest, and no memory contents or keys are captured. A hybrid method blends elements of both, but it is not needed here: a pure live collection already gives access to both the decrypted data on disk and the in-memory artifacts. A snapshot is a virtual-machine or storage-layer technique and is not the typical method for imaging a physical machine's encrypted disk.
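The steps the explanation describes (capture the volatile context first, image the unlocked volume, hash and log the result) as a small POSIX shell helper. This is an added example, not code from the quiz page or the Cengage text. It assumes, as my own assumptions, that the decrypted volume is exposed as a device-mapper node such as /dev/mapper/cryptvol, that RAM was already captured with a separate tool (avml or LiME, for instance), and that dd plus sha256sum or shasum are on the system. The demo at the bottom uses a constructed random file as a stand-in for the device so the script runs without a real encrypted disk or root privileges.

```shell
#!/bin/sh
# Added example (not from the quiz page): minimal live-acquisition helper
# for an encrypted volume that has already been unlocked with the password.
# Assumptions (mine, not the page's): the decrypted volume is a device-mapper
# node such as /dev/mapper/cryptvol, memory was captured beforehand with a
# separate tool (e.g. avml or LiME), and dd plus sha256sum/shasum exist.

# SHA-256 of a file, using whichever hashing tool the host provides.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Record the volatile context (time, kernel, process list) before touching
# the disk: order of volatility puts RAM and process state ahead of storage.
volatile_snapshot() {
    outdir="$1"
    date -u '+%Y-%m-%dT%H:%M:%SZ' > "$outdir/acquired_at.txt"
    uname -a > "$outdir/uname.txt" 2>/dev/null || true
    ps -e > "$outdir/ps.txt" 2>/dev/null || true
}

# acquire_verify SRC DEST SRC_HASH LOG: hash the image, compare it with the
# source hash taken before imaging, and append a timestamped record to LOG.
# Returns 0 on a match, 1 on a mismatch.
acquire_verify() {
    src="$1"; dest="$2"; src_hash="$3"; log="$4"
    img_hash=$(hash_file "$dest")
    ts=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
    if [ "$src_hash" = "$img_hash" ]; then
        printf '%s VERIFIED src=%s img=%s sha256=%s\n' \
            "$ts" "$src" "$dest" "$img_hash" >> "$log"
        return 0
    fi
    printf '%s MISMATCH src=%s img=%s src_sha256=%s img_sha256=%s\n' \
        "$ts" "$src" "$dest" "$src_hash" "$img_hash" >> "$log"
    return 1
}

# acquire_image SRC DEST LOG: image the unlocked volume SRC to DEST with dd,
# then verify and log. Returns 0 only when the image hash matches the source.
acquire_image() {
    src="$1"; dest="$2"; log="$3"
    src_hash=$(hash_file "$src")
    # Plain dd with a 1 MiB block size. No conv=sync: it would pad the final
    # block and change the hash. For a failing disk use dc3dd or ddrescue and
    # record which sectors were unreadable.
    dd if="$src" of="$dest" bs=1048576 2>/dev/null || return 1
    acquire_verify "$src" "$dest" "$src_hash" "$log"
}

# Demo on a constructed stand-in for /dev/mapper/cryptvol (a random file).
demo_dir=$(mktemp -d)
head -c 70000 /dev/urandom > "$demo_dir/cryptvol"   # constructed sample device
volatile_snapshot "$demo_dir"
if acquire_image "$demo_dir/cryptvol" "$demo_dir/cryptvol.dd" "$demo_dir/acquisition.log"; then
    cat "$demo_dir/acquisition.log"
fi
```

On a real system you would point acquire_image at the unlocked mapper node and write the image to your own external media, never to the suspect drive, and the log line produced by acquire_verify is what goes into the chain-of-custody record.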
