laptop Investigation

(@triple-a)
Active Member
Joined: 15 years ago
Posts: 14
Topic starter  

Hi everybody,

How do I take an image from a switched-off laptop?

(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

Remove the HDD and examine it outside the confines of the laptop; or did you mean something else?

(@triple-a)
Active Member
Joined: 15 years ago
Posts: 14
Topic starter  

Remove the HDD and examine it outside the confines of the laptop; or did you mean something else?

thanks for your reply …

Is there any way to have an image without removing the HDD??

(@pragmatopian)
Estimable Member
Joined: 16 years ago
Posts: 154
 

If you can boot the laptop to a device other than the internal HDD (e.g. forensic boot CD or USB stick) then you can image it without removing the hard drive. Not without turning the laptop on, though…

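Imaging from a forensic boot medium, as described above, still needs a verifiable record of what was copied. The function below is an added example and not code from anyone in this thread: it assumes the laptop has been booted from forensic live media so that the internal disk (for example `/dev/sda`) is visible without being mounted, copies it raw to a separate writable medium, hashes the source and the image independently, and writes an acquisition log; all paths are placeholders chosen by the caller.

```shell
# acquire_image SOURCE DEST
#   SOURCE: block device (or file) to image, e.g. /dev/sda (placeholder)
#   DEST:   output image path on a separate, writable medium (placeholder)
# Writes DEST, DEST.log; returns 0 only if source and image hashes match.
# Added example for this thread, not a poster's own script.
acquire_image() {
    src="$1"
    dest="$2"
    log="$dest.log"

    # Never overwrite an existing image: a previous acquisition is evidence too.
    [ -e "$dest" ] && { echo "refusing to overwrite $dest" >&2; return 2; }

    {
        echo "acquisition start: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source: $src"
        echo "destination: $dest"
    } > "$log"

    # Raw sector copy. conv=noerror,sync keeps going past unreadable sectors
    # and pads them with zeros, so image offsets still line up with the disk.
    # bs=512 matches the sector size; a larger bs would zero-pad the final
    # partial block and the image hash would no longer match the source.
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>>"$log" || return 3

    # Hash source and image separately; a match shows the image is a faithful
    # copy of what the device presented at acquisition time.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$dest" | cut -d' ' -f1)
    {
        echo "source sha256: $src_hash"
        echo "image  sha256: $img_hash"
        echo "acquisition end: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } >> "$log"

    if [ "$src_hash" = "$img_hash" ]; then
        echo "verified" >> "$log"
        return 0
    fi
    echo "HASH MISMATCH" >> "$log"
    return 1
}
```

If the source reports read errors, dd's stderr lands in the log and the hashes will differ; keep the log with the image, since it documents exactly what could and could not be read.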
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Or, you can boot the laptop, log into it, and acquire a live image.

(@mjantal)
Eminent Member
Joined: 16 years ago
Posts: 49
 

Assuming this is for some sort of anticipated litigation (hence "forensic") I would not suggest booting the laptop to acquire the image. Removal of the HDD and imaging via a write-blocker, or a forensic boot CD would be your best options. Based on the question I am assuming that the OP has little/no experience with this sort of thing and should probably seek out an experienced forensic examiner for assistance.

However, if "forensic" is not a concern, no problems with booting to acquire a live image.

(@armresl)
Noble Member
Joined: 21 years ago
Posts: 1011
 

IMHO you always assume forensic and then it's a pleasant surprise if not. You can't go back after you've altered the data, so get a good image from the start and avoid any complications.

Assuming this is for some sort of anticipated litigation (hence "forensic") I would not suggest booting the laptop to acquire the image. Removal of the HDD and imaging via a write-blocker, or a forensic boot CD would be your best options. Based on the question I am assuming that the OP has little/no experience with this sort of thing and should probably seek out an experienced forensic examiner for assistance.

However, if "forensic" is not a concern, no problems with booting to acquire a live image.

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

I'm not entirely sure what the issue is with acquiring the image live, particularly if documented, and why this could not be used in court. I know that this has been the case, and I also know of instances where data from systems acquired through this process has been presented and led to a plea agreement.

The way I look at it is this…if you can't, for whatever reason (and specifically b/c the OP asked that specific question) acquire the image by removing the drive and connecting it to a write-blocker, then booting the system to a Linux CD is an option…but not a viable one if the system has WDE, or even just encrypted volumes.

If you can justify your approach, and you document it, I do not see why a live image cannot be used in court…particularly if it's the only way you could have retrieved viable data.

Sure, there will be changes made to the system, because you did boot it and logged in to acquire the image. However, you can use the data you acquire to create a timeline and demonstrate the changes made to the system…Event Log entries created, Registry keys created/modified, etc.

If it's a CP case, for example, then what harm is there in booting the system and acquiring it, in the face of WDE? If you find 3000 illicit images, what is the effect of your booting the system to acquire it?

(@mjantal)
Eminent Member
Joined: 16 years ago
Posts: 49
 

I agree that a "live acquire" is common and defensible, but I don't agree with booting the computer for a live acquire, especially given the apparent lack of knowledge in this area on the part of the OP. Someone with years of experience in this area probably could mitigate potential challenges, but why would they if they didn't HAVE to?

I'm not entirely sure what the issue is with acquiring the image live, particularly if documented, and why this could not be used in court. I know that this has been the case, and I also know of instances where data from systems acquired through this process has been presented and led to a plea agreement.

The way I look at it is this…if you can't, for whatever reason (and specifically b/c the OP asked that specific question) acquire the image by removing the drive and connecting it to a write-blocker, then booting the system to a Linux CD is an option…but not a viable one if the system has WDE, or even just encrypted volumes.

If you can justify your approach, and you document it, I do not see why a live image cannot be used in court…particularly if it's the only way you could have retrieved viable data.

Sure, there will be changes made to the system, because you did boot it and logged in to acquire the image. However, you can use the data you acquire to create a timeline and demonstrate the changes made to the system…Event Log entries created, Registry keys created/modified, etc.

If it's a CP case, for example, then what harm is there in booting the system and acquiring it, in the face of WDE? If you find 3000 illicit images, what is the effect of your booting the system to acquire it?

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

I agree that a "live acquire" is common and defensible, but I don't agree with booting the computer for a live acquire, especially given the apparent lack of knowledge in this area on the part of the OP. Someone with years of experience in this area probably could mitigate potential challenges, but why would they if they didn't HAVE to?

I'm not sure I follow what you mean by "apparent lack of knowledge in this area". Do you know the OP (personally, or professionally)? I have no information about the OP beyond their question, and I'm just trying to address their question without making any (potentially incorrect) assumptions about their knowledge level.

I agree that the best approach is to not place yourself in a position to have to address issues unless it's absolutely necessary, but I also think that addressing the issue of the "best" approach is relatively simple and straightforward.

With respect to mitigating potential challenges, I would hope that my last post provided some guidance in that area, particularly with respect to steps that can be taken to mitigate whatever challenges may come up.
