Interview with Marius Andrita, Cyber Forensic Specialist at Romanian National Police

Marius Andrita is a Cyber Forensic Specialist with the Romanian National Police and a panelist at the upcoming Digital Forensics Conference 2025. In this interview, he discusses the key differences between live data acquisition and traditional forensic methods, the growing impact of encryption on cyber investigations, and how preparation, speed, and precise documentation are critical when working with volatile digital evidence.

1. Can you explain the key differences between live data acquisition and traditional forensic analysis in cyber investigations?

In live acquisition I’m after what disappears the moment a system locks or powers off: RAM, crypto keys, tokens, active network connections, in-memory malware. It’s fast and intrusive, and I document every keystroke, hash every output, and photograph screens because I know I’m changing state. Traditional “dead-box” work is the opposite: write-blocked, bit-for-bit, and highly reproducible—perfect when the device is off or the scene is stable. Practically, if I find an unlocked machine with BitLocker/FileVault/LUKS or signs of fileless activity/C2, I go live first to capture the volatile layer, then I acquire a verified full image. If it’s powered down, I preserve it and image it. That balance—volatile first when it matters, methodical imaging for depth—is what keeps the evidence both useful and defensible.

2. What are some of the biggest practical challenges you face when acquiring and analyzing digital evidence in live environments?

Default encryption has turned fieldwork into a race with the lock screen: miss the RAM window and the target becomes a brick. Add EDR that blocks drivers, anti-forensic scripts that wipe on USB insertion or log out, time pressure around warrants, and the fact that key evidence often lives as cloud tokens rather than files. My answer is preparation and discipline, plus a go-bag with the vetted tools I use. Documentation runs in parallel so the chain of custody is as strong as the artefacts.

3. How does encryption impact your work in cyber forensics, and what strategies do you use to overcome encryption-related obstacles?

Encryption shapes everything. Full-disk/file encryption and secure enclaves mean the most valuable artefacts are often transient: keys in RAM, app secrets in keychains, tokens in memory. My default is “memory-first when unlocked”: extract BitLocker, FileVault, and LUKS/VeraCrypt material, and hunt for browser, OS keychain, and app tokens.

4. Could you share a case study or example where choosing between live data forensics and traditional methods significantly affected the investigation outcome?

Yes—I’ll also share one at the conference. It was a CSAM case where all critical evidence was found in live data, whereas the traditional method produced no actionable information.

5. How has your experience working on international operations shaped your approach to cyber forensic investigations within the Romanian National Police?

Working with Europol and partners taught me to be fast and defensible. I structure artefacts, timelines, and exports so any partner can ingest them immediately (AXIOM, X-Ways, FTK, Volatility outputs with versions noted), and I stay strict on scope—warrant/EIO limits and GDPR minimisation drive what I touch in live scenarios.
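Two practices from the answers above, "hash every output" (answer 1) and exports "with versions noted" so partners can ingest them (answer 5), come down to a chain-of-custody manifest. The following is an added example and not code from the interview, the Romanian National Police, or any of the tools named; it builds such a manifest for a set of acquired files, then re-verifies it and flags anything that changed after acquisition. The file names, case identifier, examiner and tool versions are constructed placeholders, and the hashing and JSON layout are assumptions, not a standard format.

```python
# Added example (not from the interview): a minimal chain-of-custody manifest.
# Each acquired artefact (memory dump, disk image, exported tokens) is hashed at
# acquisition time together with the tool name/version that produced it, so a
# partner can re-hash the files later and detect any modification.
import datetime
import hashlib
import json
import pathlib
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream-hash a file so multi-gigabyte images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(artefact_paths, case_id, examiner, tools):
    """Record name, size, SHA-256 and UTC timestamp for every artefact.

    `tools` maps tool name to version string (hypothetical values); recording
    versions lets another examiner reproduce parsing results later.
    """
    now = datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds")
    entries = []
    for raw in artefact_paths:
        path = pathlib.Path(raw)
        entries.append({
            "file": path.name,
            "size": path.stat().st_size,
            "sha256": sha256_file(path),
            "acquired_utc": now,
        })
    return {"case_id": case_id, "examiner": examiner, "tools": tools, "artefacts": entries}


def verify_manifest(manifest, directory):
    """Re-hash each listed artefact; return names that are missing or whose hash changed."""
    problems = []
    for entry in manifest["artefacts"]:
        path = pathlib.Path(directory) / entry["file"]
        if not path.exists() or sha256_file(path) != entry["sha256"]:
            problems.append(entry["file"])
    return problems


def demo():
    """Constructed walk-through: two stand-in artefacts, verify, alter one, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        work = pathlib.Path(tmp)
        mem = work / "memory.raw"   # stand-in for a RAM capture (constructed bytes)
        disk = work / "disk.e01"    # stand-in for a full disk image (constructed bytes)
        mem.write_bytes(b"\x00" * 4096 + b"constructed volatile data")
        disk.write_bytes(b"constructed disk image bytes")

        manifest = build_manifest(
            [mem, disk],
            case_id="CASE-0000-PLACEHOLDER",        # placeholder, not a real case number
            examiner="examiner@example",            # placeholder
            tools={"imager": "x.y.z (placeholder)"},
        )
        clean = verify_manifest(manifest, work)     # nothing changed yet

        # Simulate post-acquisition modification: a single byte appended to the image.
        disk.write_bytes(b"constructed disk image bytes!")
        tampered = verify_manifest(manifest, work)  # the altered image is reported

        # The manifest itself is plain JSON, so it travels alongside the exports.
        serialised = json.dumps(manifest, indent=2)
        return len(manifest["artefacts"]), clean, tampered, serialised.startswith("{")


if __name__ == "__main__":
    print(demo())
```

In practice the manifest file would itself be hashed and that hash recorded in the hand-written acquisition notes, so the notes, the manifest and the artefacts cross-check one another.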