The preferred method for the acquisition of memory is through direct contact with the suspect system. This allows incident response analysts to adapt in the event that a tool or technique does not work. This method is also faster at obtaining the necessary files since it doesn't depend on a stable network connection. Although this is the preferred method to use, there may be geographical constraints, especially with larger organizations where the incident response analysts are a plane-ride away from the location containing the evidence.

In the case of remote acquisition, incident response analysts can leverage the same tools that are utilized in local acquisition. The one change is that incident response analysts are required to utilize remote technology to access the suspect systems and perform the capture. In the following sections, two options will be discussed: the open source tool WinPmem and the commercial option F-Response. As with any method that is utilized, incident response analysts should ensure that they document any use of remote technology. This will allow for the proper identification of legitimate as opposed to suspect connections later.