What type of acquisition is used for most remote acquisitions?

Live acquisition focuses on gathering data from a system while it is running, including memory, active processes, and network connections. In remote investigations, you often can’t safely shut down or pause the target, but volatile data like RAM contents and live network activity can disappear quickly if you rely only on disk imaging. Capturing this running state preserves evidence that would be lost with a shutdown or with a non-live method, giving a fuller and more accurate picture of what was happening at the time of collection. A snapshot images only the storage or VM state at a single moment and typically misses memory and other volatile data, so it’s less reliable for remote cases where memory and live activity matter. Online methods resemble live capture but the established practice for remote acquisitions emphasizes collecting memory and running state, making live acquisition the best fit.