On its face, the original question is basic and (perhaps erroneously) led me to the assumption that the OP is not very experienced with computer forensics. We've all been there and I didn't intend it to reflect poorly. However, I also think that with your initial response you made an assumption regarding the knowledge/experience level of the OP's ability to mitigate potential challenges to booting the laptop. If I'm going to assume knowledge level, I'd rather be conservative in my response than put the OP in a position to explain something s/he may know little about.
I agree that a "live acquire" is common and defensible, but I don't agree with booting the computer for a live acquire, especially given the apparent lack of knowledge in this area on the part of the OP. Someone with years of experience in this area probably could mitigate potential challenges, but why would they if they didn't HAVE to?
I'm not sure I follow what you mean by "apparent lack of knowledge in this area". Do you know the OP (personally, or professionally)? I have no information about the OP beyond their question, and I'm just trying to address their question without making any (potentially incorrect) assumptions about their knowledge level.
I agree that the best approach is to not place yourself in a position to have to address issues unless it's absolutely necessary, but I also think that addressing the issue of the "best" approach is relatively simple and straightforward.
With respect to mitigating potential challenges, I would hope that my last post provided some guidance in that area, particularly with respect to steps that can be taken to mitigate whatever challenges may come up.
I guess that if you go to a Cooking Recipes Forum and ask
How do I boil water?
It is likely that lots of long-time members of the Forum will assume that you are a newbie with no experience...
... and they would actually be right!
jaclaz
We don't know the OP's reasons. But why, as others have said, should booting be an absolute no-no? Avoid - yes, proscribe - no.
Over here ACPO guidelines allow booting if the person doing so can justify (and document) their reasons.
I have examined a few systems that have been accidentally booted by the police over the years. Typically they come with an explanation (often non-technical) of what they did and why (over-enthusiastic beat copper etc.). A forensic examination should be able to confirm whether their explanation is supported by the forensic evidence, and once that is put to one side you can get on with the examination of what the bad guy did.
Paul,
I completely agree. Not being directly involved with LE, I've experienced a number of incidents in which the only way to get an image for analysis was a live acquisition; other means were either not feasible or too expensive (with respect to time, money, etc.) for the customer.
Examples include boot-from-SAN systems, as well as laptops with WDE.
I think that's too much of "…defense counsel could tear you apart on the stand for changing the system…" and not enough of "…the prosecution wouldn't allow you to get on the stand if that were the case…" and "…I'm able to demonstrate that my actions did NOT add 3000 indecent images to the system…".
I think Principles One and Two of ACPO are both relevant in this discussion.
Principle 1
No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
Principle 2
In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
Yeah, sometimes I think the defence would have you believe modified timestamps mean you planted them...
What is the point of booting it up to get a live image? Any data held in hiberfil etc. will disappear, and you won't gain anything from the volatile memory that was in use at the time, as it is a fresh boot.
Live boots are worthwhile if the laptop is running and you are gaining processes and connections that are being made currently, but when the laptop is powered down you lose more than you gain by booting it up to get a live image.
Struggling to understand this.
What is the point of booting it up, … and you won't gain anything from volatile memory
If the laptop is switched off, i.e. you need to boot it, then you won't get anything from volatile memory anyway.
Live boots are worthwhile if the laptop is running
If the laptop is running you are not booting it.
Or, you can boot the laptop, log into it, and acquire a live image.
I was making a comment about this post: if the laptop is already shut down then there will be nothing in RAM, as it is volatile and once the power is lost so is the data. The main point, as I believe, of live acquisitions is to acquire data from RAM.
Therefore if you are booting up a device to acquire it live then it will hold no real value over doing a 'dead' forensic image.