Computer Forensics: Graceful Shutdown vs. Pulling The Plug

by Sunny Hoi

There are always important decisions that a digital forensic examiner needs to make when securing digital evidence on the scene as it may ultimately render or hinder their forensic team’s ability to retrieve evidence and make a viable case.

There is always some debate on how to deal with live machines. It’s important to power down a computer in a way that will not corrupt the integrity of the files within the system.

Therefore, the question is should you shut down or unplug the machine, particularly one that is powered on and possibly encrypted (Full Disk Encryption, FDE).

In this article, we will share the best practices for securing a machine (PC/Workstation), particularly one that is powered on and possibly encrypted with full disk encryption.

Forensic Acquisition

Prior to proceeding in a digital investigation, you should always attempt to create a forensic image. Whenever possible, you should never conduct an analysis on a live machine.

The forensic acquisition stage is of great significance since if it is not performed correctly, all evidence extracted could very well be rendered inadmissible in court proceedings.

Deciding on how to carry out the acquisition is not as simple as one thinks. The forensic examiner ought to consider various variables present. If the investigator just proceeds to turn off the computer utilizing the regular shutdown method, it could potentially destroy much of the evidence during the process.

Whereas, pulling the plug could possibly preserve the most amount of evidence but could additionally corrupt numerous files that are being employed and ultimately damage the network.

Each situation demands a thorough review of the nature of the case and the device in question. What could be a reasonable set of measures for maintaining the integrity of one system can actually result in the loss of evidence on another.

The primary question that should be asked on scene is whether the computer is currently on or off?

If the machine is off, then the job is considerably easier since the forensic examiner could just skip straight to the acquisition stage.

If the system is on, the traditional perspective may conclude that it is best to turn the computer off immediately by unplugging it from its power source. Nonetheless, the increasing use of full disk encryption should be considered.

Furthermore, the Random Access Memory (RAM) includes evidence that does not exist anywhere else on the computer. Hence, acquiring volatile memory (RAM) of the machine is an essential part of the forensic acquisition. For instance, encryption keys and additional important artifacts may reside in the RAM. If the examiner manages to capture this, they will likely possess the keys to the hard drive under investigation.

If the machine is off, or the examiners do not collect this prior to turning it off, there is practically zero chance of accessing the data on the hard drive without obtaining the password from the user. Hence, think carefully before pulling the plug on a live machine. In the event that the machine is encrypted, you could lose your only chance of successfully accessing the machine.

Furthermore, chat logs and other data such as clipboard contents exist merely in the memory and are forever lost once the machine is shut down.

Hence, it is crucial to handle the computer appropriately and not rush to shut it down.

Advantages & Disadvantages Of Shutting Down A Live Machine

There are valid reasons for shutting down a live machine. A live machine that is running idle will typically have several background processes running which are continuously reading and writing data from and to the hard drive.

A hard shutdown involves removing the battery/unplugging the power cord which will preserve system files, ensuring that the data on the system is no longer altered.

Moreover, pulling the plug can prevent wiping utilities from activating upon hard shutdown and obstruct modifications to the timestamps of files and additional attributes.

In the event that you shut down the computer gracefully, there could potentially be deleterious programs that could execute on shutdown and eliminate any evidence by launching wipe utilities, for instance.

Additionally, a graceful shutdown involves potentially overwriting data on the hard drive since it writes plenty of data to the drive. When considering to gracefully shut down a computer, also consider the possibility that the machine could already be configured to clear the system pagefile upon regular shutdown.

Forensic professionals should not ignore the forensic value of virtual memory (Pagefile.sys) since the file may retain significant information shifted from RAM.

Computers are receiving more RAM which means that applications are storing plenty of temporary data in RAM.

Type Of Operating System

In the majority of cases, the type of operating system (OS) used on the computer should also be considered by the investigator when making a decision on whether to pull the plug or not.

In other words, the powering off procedure will vary according to the present operating system and the programs running at that time. Usually, the general rule is that if the system is a Windows server, running Linux/Unix, or macOS, it should be shut down employing the regular procedures.

Other types of Windows systems can have the plug pulled, but this is ultimately the investigator’s decision and the decision can vary according to the unique circumstances of the investigation.

Nevertheless, occasionally these machines should not be shut down at all which means there is one practicable option called a logical acquisition of the chosen target files and metadata.

Investigators should always keep in mind the best practices for shutting down computers. Therefore, such systems under investigation need to be powered off as specified.

Use Of Encryption On Computers

Provided that the machine is on, accessible, and the situation permits, you should attempt to figure out if the machine has any type of encryption enabled prior to doing anything else.

In the event that a hard drive is encrypted, the data on that particular drive is efficiently inaccessible to any adversary without the relevant password.

Thus, in the event that you discover that a suspect’s computer is on, accessible, and encrypted, you will uncover an important opportunity to access the data on that specific drive that will be lost if you just pull the plug and process it like additional devices.

Detecting Encryption

When an analyst encounters a live machine, they may find out if any encryption software is currently active.

Some popular encryption options include BitLocker and VeraCrypt.

The challenge that an analyst faces is not merely determining if encryption is deployed, but also if an encrypted disk or volume exists. If the investigator encounters a live machine and the drive happens to be mounted, this could potentially be the only opportunity that they may capture the data.

BitLocker

BitLocker is available for deployment on the following operating systems:

  • Windows 7 & Windows 7 (Ultimate & Enterprise Editions)
  • Windows 8 & Windows 8.1 (Pro & Enterprise Editions)
  • Windows 10 (Pro, Enterprise, & Education Editions)
  • Windows Server 2008 & Later

Finding out if the system is encrypted with BitLocker is typically easy.

To check if a drive is utilizing BitLocker, simply go to the “Start” Menu and click on “My Computer” or go to “File Explorer”/”Windows Explorer“. You should then see a list of all the drives. Any drive encrypted with BitLocker will have a padlock next to them.

Another approach to determining what drives have BitLocker enabled is by going to the “Control Panel“. Hence, “Control Panel” > “System and Security” > “BitLocker Drive Encryption” will display an overview of every drive and if they have BitLocker enabled.

The forensic investigator should pay considerable attention to the volume names displayed. The existence of a volume name that comprises the term “LOCKED“, “CRYPT“, “VAULT“, or a comparable term should serve as a valuable indication that volume level encryption could be present.

VeraCrypt

In the event that BitLocker is excluded, then the investigator can check for other encryption software installed on the system.

When a drive is encrypted using VeraCrypt, the analyst could proceed to visually inspect whether VeraCrypt is installed on the machine.

Therefore, you could check the start menu to see if VeraCrypt is present or proceed to check VeraCrypt’s default installation directory “(C:\Program Files\VeraCrypt)”.

You may also check whether any encryption software’s logo is present in the system tray. Typically, VeraCrypt will display an icon in the system tray. You can identify the logo of VeraCrypt and TrueCrypt by their distinctive icons.

The presence of the VeraCrypt icon should be a clear indication that encryption is being utilized on a live machine.
The presence of the TrueCrypt icon should be a clear indication that encryption is being utilized on a live machine.
The use of VeraCrypt on a live system can be discovered in the system tray of the Windows operating system.

Pay attention to any other encryption programs with terms such as “TrueCrypt“, “BestCrypt“, and “PGP“.

When you successfully launch VeraCrypt, you will obtain a list of all the drive letters. From this moment, you will be able to determine the presence of any mounted volumes and their locations.

Furthermore, you could review the list of installed programs for encryption software (“Start” > “Programs“) or check in the “Program Files” folder in “File Explorer”/”Windows Explorer“. Search for terms like “VeraCrypt“, “TrueCrypt“, “Crypt“, “PGP“, “Shredder“, and “Encrypt“.

If you can see any of these programs or icons, it implies the existence of an encrypted drive or volume.

If you were unable to locate any signs of encryption software present on the system, you could utilize a command-line tool to carry out a final check.

A free tool called Encrypted Disk Detector (EDD) can be used to check if a computer is utilizing encryption software like TrueCrypt, BitLocker, and PGP.

EDD quickly checks the local physical drives on a machine for encrypted volumes. If EDD does not locate any disk encryption signatures in the Master Boot Record (MBR), EDD will show useful information like the volume label for partitions on the particular drive.

EDD shows that PhysicalDrive0, Partition 1 is a BitLocker encrypted volume.

Bear in mind that EDD does depend on signatures to identify encrypted drives. Hence, there is no guarantee that drives encrypted using VeraCrypt can be precisely identified since VeraCrypt attempts to stay hidden. Consequently, EDD labels virtual disks as potential encrypted volumes.

Ensure that you have made a live image of the drives prior to pulling the plug. In the event that a live image is not possible, ensure you possess a RAM image.

Related Posts