Which is safer? Power down with OS or Unplug?

7 Posts
6 Users
0 Reactions
2,931 Views
(@secureguy)
Active Member
Joined: 18 years ago
Posts: 10
Topic starter  

When you seize a machine for analysis, you would not do an analysis directly on the machine (PC/Workstation). You'll first attempt to bring the machine to a forensic lab and make a forensic copy of the original machine.
Would you shut down the machine with the OS, or just unplug?
In normal daily operation, you would lose more data by simply powering down. But when making a forensic copy, unplugging the power line is considered safer, so as not to lose temporary files or change the time stamps. But unplugging will still lose some of the data that has not been saved.
So, when would you shut down or unplug?


azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 

I don't think that shutting down has ever really been an option! (Maybe in a corporate environment.) The question should be

"Do I pull the plug or do I do some live forensics first?"

-)


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

When you seize a machine for analysis, you would not do an analysis directly on the machine (PC/Workstation). You'll first attempt to bring the machine to a forensic lab and make a forensic copy of the original machine.

Perhaps…perhaps not. For a long time, EnCase has had disks available that you could use to preview a system, or even do a search against to determine if the system was "in scope".

Also, a great deal of information is available through live response and volatile data collection…information that may be pertinent to a case. Even some LEs I've spoken to have stated that they either currently collect the information, or they recognize the need for it and are moving in that direction.

Would you shut down the machine with OS, or just unplug?

Again…depends.

Remember there are also times when you *can't* shut down the system. The biggest reason for this is b/c the customer said so. Other reasons include boot-from-SAN systems, systems with HDD that don't have write-blockers (SAS SATA drives, for example), etc.

In normal daily operation, you would lose more data by simply powering down.

How so? Are you referring to the volatile data?

But when making a forensic copy, unplugging the power line is considered safer, so as not to lose temporary files or change the time stamps. But unplugging will still lose some of the data that has not been saved.
So, when would you shut down or unplug?

Well, you're correct…if you unplug the system, you're going to lose things like cached writes that haven't yet been committed to disk…whereas shutting the system down will force those writes to disk, as well as 'touch' other files.

Also, on Windows systems, you can set actions to occur when a user logs out, and you can also set a Registry key to clear the pagefile on shutdown. There are a number of things that can occur that are essentially booby-traps to the forensic analyst.

I agree with Azrael…live response should be a first consideration whenever encountering a live system. Some organizations, particularly LE, may benefit from making it a standard practice, rather than leaving it up to the person on-site to make the decision.

I would strongly recommend pulling the plug as opposed to shutting the system down cleanly…systems these days can recover from something like that much easier. However, that does not obviate the potential necessity for a live acquisition, either…something to keep in mind.

H


(@secureguy)
Active Member
Joined: 18 years ago
Posts: 10
Topic starter  

Thanks for clarification.
It makes whole lot more sense.


(@owenburnett)
New Member
Joined: 18 years ago
Posts: 4
 

What about the NtShutdownSystem API from ntdll.dll? It closes the system immediately, in a second or two; the buffers are flushed and the system goes off, with no regular user logout and also none of the other automatically started things that may appear during a regular shutdown.


datacarver
(@datacarver)
Estimable Member
Joined: 18 years ago
Posts: 121
 

I think another big thing to also keep in mind is encryption. They may have encrypted files/partitions mounted at the time you get in front of the system, and the only chance you may have to get those mounted files is to do a live collection; if you power down… you may never have access to those files.


jemartin
(@jemartin)
Active Member
Joined: 18 years ago
Posts: 16
 

Datacarver is absolutely correct about the impact of encryption on the increasing need to do live forensics. Coming from a corporate environment, rogue Bitlocker use or unauthorized Truecrypt can really put a speedbump in any examiner's day/week/month/year.


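As an added example (not from any of the posters in this thread), a read-only PowerShell triage that checks a live Windows host for the conditions raised above: the clear-pagefile-on-shutdown Registry value, Group Policy logoff scripts that would run during a clean shutdown, and BitLocker volumes that are unlocked only while the machine stays up. The logoff-script key paths and the presence of the BitLocker module are assumptions about the target build; TrueCrypt containers are not detected by this check.

```powershell
# Added example, not code from the thread. Read-only pre-shutdown triage of a
# live Windows host: reports conditions under which a clean shutdown would alter
# or destroy evidence, so the examiner can decide on live acquisition first.
# Run from an elevated prompt on the system under examination; it only reads
# Registry values and volume status and changes nothing.

function Get-PreShutdownRisk {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. The "clear the pagefile on shutdown" setting: if it is 1, a clean
    #    shutdown overwrites the pagefile contents.
    $mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $clear = (Get-ItemProperty -Path $mm -Name ClearPageFileAtShutdown -ErrorAction SilentlyContinue).ClearPageFileAtShutdown
    if ($clear -eq 1) {
        $findings.Add('ClearPageFileAtShutdown=1: a clean shutdown will wipe the pagefile; collect it live or remove power.')
    }

    # 2. Logoff scripts registered through Group Policy (assumed key paths).
    #    Any script registered here runs at logoff/shutdown and may modify files.
    $logoffKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff'
    )
    foreach ($k in $logoffKeys) {
        if (Test-Path $k) {
            $n = (Get-ChildItem -Path $k -ErrorAction SilentlyContinue | Measure-Object).Count
            if ($n -gt 0) { $findings.Add("$n Group Policy logoff script(s) registered under $k.") }
        }
    }

    # 3. BitLocker volumes that are unlocked right now: after power loss they
    #    are inaccessible without the key, so acquire them while mounted.
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        Get-BitLockerVolume | Where-Object {
            $_.VolumeStatus -ne 'FullyDecrypted' -and $_.LockStatus -eq 'Unlocked'
        } | ForEach-Object {
            $findings.Add("BitLocker volume $($_.MountPoint) is unlocked ($($_.VolumeStatus)); acquire it live.")
        }
    }

    [pscustomobject]@{
        Hostname             = $env:COMPUTERNAME
        CheckedAtUtc         = (Get-Date).ToUniversalTime().ToString('o')
        LiveAcquisitionFirst = ($findings.Count -gt 0)
        Findings             = $findings.ToArray()
    }
}

Get-PreShutdownRisk | Format-List
```

Record the output alongside the acquisition notes: it documents why the examiner chose live collection, a clean shutdown, or pulling the plug on that host.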