Triaging a computer allows investigators to gather volatile data that would be lost by pulling the plug on a live system.
The traditional protocols of Computer Forensics are well established in the law enforcement community. They include procedures for seizing live systems, most notably “pulling the plug” and delivering the computer to a laboratory for detailed analysis. Most of these methodologies are forensically sound and routinely accepted by the criminal justice system. What is often overlooked is that the courts continue to apply long-standing rules of evidence to digital evidence, and almost all of those rules were adopted before digital evidence became a major factor in criminal prosecutions. Stated another way, the rules of evidence, some of which date to the early days of Computer Forensics, have not kept pace with a continually changing digital world.
For instance, the “gold standard” for examiners is to preserve the integrity of evidentiary digital media, particularly hard drives. Examiners routinely attach a drive to a hardware write blocker, then use forensic tools to create an image and to calculate hash values of the source as read and of the image as written. The write blocker ensures that no data is written to the drive; matching hashes show that the image is a faithful copy of what was read. Although imaging a drive in this manner can be very time consuming, the methodology generally does ensure integrity. When the image is re-examined later, its hash should be identical to the value recorded at acquisition, and a mismatch means the image has been altered (for example, by mounting it read-write). Re-hashing the physical drive itself is less predictable: a sector that has since become unreadable, and is zero-filled by the imaging tool, changes the hash even though nobody wrote to the drive, which is why the acquisition record should note the byte count, any read errors, and how the tool handled them. Matching hash values therefore demonstrate that the data read from the drive has been maintained in its original condition.
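The write-block, image and hash procedure described above, written out as an added example; it is not the article's own procedure. It uses dd and sha256sum (falling back to shasum), records the source hash, the image hash and the byte count in an acquisition log, and re-verifies the image against that log later. Run with no arguments it images a constructed 1 MiB random sample file standing in for a write-blocked /dev/sdb, then shows that a later change to the image is caught by re-hashing; the file and log names are assumptions.

```shell
#!/bin/sh
# Added example (not the article's own procedure): image a write-blocked source
# with dd, hash source and image, and re-verify the image later against the
# acquisition log. With no arguments it runs against a constructed 1 MiB sample
# file standing in for /dev/sdb; with two arguments it images SRC into DEST.

hash_file() {
    # Print the SHA-256 of "$1"; use coreutils sha256sum, else the perl shasum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

acquire_image() {
    # acquire_image SRC DEST LOG -> 0 if the image hash equals the source hash.
    # bs=512 matches the sector size: conv=sync pads a short final read to a
    # full block, so a block size that does not divide the device size silently
    # appends zeros and the hashes will never match. conv=noerror keeps going
    # past unreadable sectors instead of aborting the acquisition.
    src=$1; dest=$2; log=$3
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$dest")
    {
        echo "acquired_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source=$src"
        echo "image=$dest"
        echo "image_bytes=$(wc -c < "$dest" | tr -d ' ')"
        echo "source_sha256=$src_hash"
        echo "image_sha256=$img_hash"
    } > "$log"
    [ "$src_hash" = "$img_hash" ]
}

verify_image() {
    # verify_image DEST LOG -> 0 if DEST still hashes to the value recorded at acquisition.
    recorded=$(sed -n 's/^image_sha256=//p' "$2")
    [ -n "$recorded" ] && [ "$(hash_file "$1")" = "$recorded" ]
}

if [ $# -eq 2 ]; then
    acquire_image "$1" "$2" "$2.log" && echo "acquired and verified: $2"
else
    # Constructed sample evidence: 2048 random 512-byte sectors, so the source
    # is a whole number of blocks exactly like a real disk.
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/sdb" bs=512 count=2048 2>/dev/null
    acquire_image "$work/sdb" "$work/sdb.dd" "$work/sdb.log" && echo "acquire: source and image hashes match"
    verify_image "$work/sdb.dd" "$work/sdb.log" && echo "verify (untouched image): match"
    # Overwrite eight bytes deep inside the image, as a journal replay on a
    # read-write mount would; the recorded hash no longer matches.
    printf 'TAMPERED' | dd of="$work/sdb.dd" bs=1 seek=4096 conv=notrunc 2>/dev/null
    verify_image "$work/sdb.dd" "$work/sdb.log" || echo "verify (modified image): MISMATCH"
    rm -rf "$work"
fi
```

The log keeps both hashes on purpose: the source hash answers the question a court asks (is this what was on the drive?), while the image hash is the value that gets re-verified months or years later. Purpose-built imagers such as dc3dd hash on the fly and log read errors for the same reason this script pins the block size to the sector size and records the byte count: any later mismatch has to be explainable.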
Rethinking “Pulling the Plug”
Investigators are normally trained not to interact with a live system beyond, at most, moving the mouse slightly to restore a blank screen. If the screen restores, they document any open applications or photograph the screen; if it is password protected, they document that fact and note the time they moved the mouse. As part of their routine search of the premises they look for documents or “sticky notes” that may contain a password. Investigators are also trained not to touch the computer's keyboard, but rather to focus on securing and collecting the physical evidence, which preserves the hard drive in its condition at the time of seizure. Most investigators are aware that a routine shutdown initiates a number of normal system processes (log writes, cache flushes, cleanup of temporary files) that could overwrite potential evidence, and that destructive programs could be running in the background waiting for exactly that event. Thus the easiest way to avoid these issues has been to “pull the plug” on a live system. Later, at trial, the investigator can state that he or she did not interact with the keyboard and that any inculpatory evidence was obtained from the computer's hard drive.
There are Risks
“Pulling the plug” on a live system (desktop or laptop) is not without inherent risk. All volatile information (system time, the users logged on, lists of open files, network configuration and active connections, process information, the contents of the clipboard, mapped drives, the contents of RAM, and so on) is lost when power is removed. Many computers have BIOS and hard drive passwords that can be set by the user. Removing power from a live system that has a BIOS password will cause difficulties later when a forensic examiner attempts to enter the BIOS to obtain system information, and a drive protected by a hard drive password may be unrecognized or unreadable by forensic tools once it is powered down. Another area of concern is a user who works in cloud applications: the authenticated sessions, and any documents open only in the browser, end when power is removed, and whatever probative evidence they held is most likely lost. Of greatest concern is the use of resident encryption applications. A number of these are readily available, some able to encrypt individual files, directories, or an entire volume or physical hard drive. While such a volume is mounted, the decryption key is held in RAM and the data is readable; on a normal shutdown or removal of power that key is gone and the examiner is left with ciphertext, making it difficult or impossible to obtain probative data from the drive without the passphrase or a memory capture taken while the system was still live.
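One way to capture the volatile items listed above before removing power, as an added example that is not part of the article. It assumes a Linux host with the usual procps, iproute2 and lsof tools, and an OUTDIR on the responder's own media rather than the suspect's disk; the tool list and OUTDIR are assumptions. Items are recorded most volatile first (clock, sessions, network state, processes, then mounts and encryption state), following the order of volatility in RFC 3227, and every command is guarded so that a missing or failing tool is logged rather than silently skipped.

```shell
#!/bin/sh
# Added example (not from the article): record the volatile items listed above
# from a live Linux host before power is removed, most volatile first, into
# OUTDIR. OUTDIR and the tool names are assumptions for illustration; in
# practice both the binaries and OUTDIR live on the responder's own media so
# that the collection writes nothing to the evidence drive.

OUT=""

section() {
    # section LABEL CMD [ARGS...]: append CMD's output under a timestamped
    # header, or note that the tool is absent or failed, so the log shows what
    # was attempted even when a command is unavailable on the host.
    label=$1; shift
    printf '\n===== %s [%s] =====\n' "$label" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$OUT"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >> "$OUT" 2>&1 || printf '[%s exited with status %s]\n' "$1" "$?" >> "$OUT"
    else
        printf '[%s not available on this host]\n' "$1" >> "$OUT"
    fi
}

collect_volatile() {
    # collect_volatile OUTDIR -> prints the path of the collection log.
    mkdir -p "$1"
    OUT="$1/volatile.txt"
    : > "$OUT"
    section "system clock (compare with the responder's reference clock)" date -u
    section "uptime and logged-on users" who -a
    section "memory and swap summary (full RAM capture needs a dedicated tool such as LiME)" free -b
    section "network interfaces and addresses" ip addr
    section "active connections and owning processes" ss -tuanp
    section "ARP / neighbour cache" ip neigh
    section "routing table" ip route
    section "processes with start time and command line" ps -eo pid,ppid,user,lstart,args
    section "open files and sockets" lsof -nP
    section "mounted filesystems, network shares and mapped volumes" mount
    section "block devices and filesystem types (crypto_LUKS marks an encrypted volume)" lsblk -o NAME,SIZE,FSTYPE,MOUNTPOINT
    section "active dm-crypt mappings (unlocked encrypted volumes)" dmsetup ls --target crypt
    section "clipboard (X11 session only)" xclip -o -selection clipboard
    section "kernel ring buffer (device and USB events)" dmesg
    # Hash the log immediately so any later edit to it is detectable.
    (sha256sum "$OUT" 2>/dev/null || shasum -a 256 "$OUT") > "$OUT.sha256"
    echo "$OUT"
}

if [ $# -eq 1 ]; then
    collect_volatile "$1"
fi
```

Run as `sh collect.sh /media/responder/case-42` (path assumed). Note the limits: RAM itself is not captured here (that needs a kernel module or a dedicated memory acquisition tool), the clipboard is only reachable from an X session, and the act of collecting changes the system, which is why every section carries its own timestamp and the log is hashed before anything else is done with it.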