When you are collecting evidence, a live system is always an interesting case. There is some debate about how to handle live systems, and while there are certainly interesting products on the market, like the HotPlug Field Kit from WiebeTech, at some point the system has to be powered down. The question is: should you pull the plug?
Before an investigation you should always try to make a forensic image; if at all possible, you never work on a live machine. But if you have to seize a live machine, things get interesting. A few years back most investigators simply took a picture of the screen showing what was open and pulled the plug. These days, with encryption becoming more and more common, it is imperative that you make a good assessment of the situation and make sure that taking the system offline does not lock you out of it.
There is a good reason to shut down a live system. A live system, even running idle, has numerous background processes that continually read and write data from and to the hard drive. When you decide to shut the system down, pulling the plug might be your best option. A normal shutdown starts a chain of actions that writes a lot of data to the hard drive, possibly overwriting important evidence. Removing the power “freezes” the system in its current state, making sure the data on the system is no longer modified.
What are the risks of “pulling the plug”?
There are some risks involved with “pulling the plug” on a live system. If the system is encrypted, you might lose your only chance to access the system. The same goes for encrypted files and password protected applications. If these drives are mounted or applications are unlocked, this is the chance to capture the data.
There is a lot of volatile information that is gone the second you pull the plug. Some examples of information that might be lost are:
- Open applications
- Running processes and services
- Caches (ARP/DNS etc)
- Open files
- Network connections
- Clipboard
Computers are getting more and more RAM, and because of this applications store a lot of temporary data in RAM. Private browsing sessions (incognito mode) are kept in RAM. If such a browser is open when you pull the plug, there is little chance you will find any artifacts on the hard drive (the page file might contain some data). The same applies to many cloud applications: most data is held in RAM before it is stored online. This data is gone the moment you pull the plug.
What should you do before you pull the plug?
The first thing you should always do, after documenting the situation, is try to capture the RAM. The RAM contains valuable information about the system, including the running applications. After you pull the plug, everything that was stored in RAM is gone.
Relevant article: Forensics 101: RAM capture (FTK-Imager)
The RAM capture might also contain the passwords and keys used for encryption. Several tools and scripts are available that can extract the keys from a memory dump, depending on the software used to encrypt the drive.
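Once the RAM image is on disk, the remaining volatile items from the list above (connections, ARP and DNS caches, processes, services, sessions, clipboard, mounted volumes) can be written straight to the evidence drive. The script below is an added example and not part of the original article; it assumes Windows 10 with PowerShell 5.1 or later, an elevated prompt, and that `$OutDir` (a placeholder) points at an attached evidence drive rather than the suspect's own disk. Steps are ordered from most to least volatile, and every output file is hashed at the end.

```powershell
# Added example (not from the original article): collect volatile artifacts from a
# live Windows host before power is removed. Assumes Windows 10 / PowerShell 5.1+,
# an elevated prompt, and that $OutDir (placeholder) lies on an attached evidence drive.
param(
    [string]$OutDir = "E:\evidence\$($env:COMPUTERNAME)-$(Get-Date -Format yyyyMMdd-HHmmss)"
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$log = Join-Path $OutDir '00-collection-log.txt'

# Record when and as whom the collection ran; running this script is itself a change
# to the system (prefetch, event log entries), so that fact belongs in the notes too.
"Collected $(Get-Date -Format o) on $env:COMPUTERNAME as $env:USERNAME" | Out-File $log

# Order of volatility: network state first, persistent-ish volume info last.
$steps = [ordered]@{
    '01-network-connections' = { Get-NetTCPConnection | Sort-Object State, LocalPort }
    '02-arp-cache'           = { Get-NetNeighbor | Where-Object State -ne 'Unreachable' }
    '03-dns-cache'           = { Get-DnsClientCache }
    '04-processes'           = { Get-Process -IncludeUserName |
                                 Select-Object Id, ProcessName, UserName, Path, StartTime }
    '05-running-services'    = { Get-Service | Where-Object Status -eq 'Running' }
    '06-logged-on-sessions'  = { query user 2>&1 }
    '07-clipboard'           = { Get-Clipboard -Raw }
    '08-mounted-volumes'     = { Get-Volume |
                                 Select-Object DriveLetter, FileSystemLabel, FileSystem, Size }
}

foreach ($name in $steps.Keys) {
    $file = Join-Path $OutDir "$name.txt"
    try {
        & $steps[$name] | Format-List * | Out-File -FilePath $file -Width 400
        "$name OK" | Add-Content $log
    } catch {
        # A failed step (e.g. a cmdlet missing on an older build) is logged, not fatal.
        "$name FAILED: $($_.Exception.Message)" | Add-Content $log
    }
}

# Hash every output file so the collection can later be shown to be unmodified.
Get-ChildItem $OutDir -File | Get-FileHash -Algorithm SHA256 |
    Select-Object @{n = 'File'; e = { Split-Path $_.Path -Leaf }}, Hash |
    Out-File (Join-Path $OutDir '99-sha256.txt')
```

Run it from the evidence drive itself (`.\collect-volatile.ps1 -OutDir E:\case01\host01`) so that nothing is installed on the suspect system; the clipboard and session steps are the ones most likely to show what the user was doing at the moment of seizure.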
If the situation allows, you should try to find out if the system has any form of encryption enabled. There are several ways the system can be encrypted. Some popular options are:
- VeraCrypt
- TrueCrypt
- AxCrypt
- BitLocker
- Folder Lock
The challenge here is how to determine whether encryption is used and whether an encrypted disk or volume exists. If you encounter a live system and the drive is mounted, this might be the only time you are able to capture the data. Most encryption products are completely transparent to the end user: from the perspective of the OS, the data on the mounted volume is unencrypted. There are some ways to check whether a system is (potentially) using encryption.
1. Installed software and running processes
When encountering a live system, there are some simple checks you can do in order to determine if encryption software exists or is active.
BitLocker
BitLocker is available on the following operating systems:
- Windows Vista Enterprise / Ultimate
- Windows 7 Enterprise / Ultimate
- Windows 8 Pro / Enterprise
- Windows 8.1 Pro / Enterprise
- Windows 10 Pro / Enterprise / Education
The above versions of Windows have the option to use full-disk encryption on all hard drives (including the system drive) and on USB mass storage. Luckily, identifying BitLocker-encrypted devices is usually rather easy. When looking at the drives in the computer overview (the old “My Computer” screen) you will notice that all drives using BitLocker encryption have a padlock next to them.
Another way to check what drives have BitLocker enabled is by checking the Control Panel. Under Control Panel\System and Security\BitLocker Drive Encryption, there is an overview of all drives and if they have BitLocker enabled.
VeraCrypt (TrueCrypt)
Looking for VeraCrypt volumes can be more complicated. Since VeraCrypt is based on TrueCrypt most of the steps I describe will be the same on systems using TrueCrypt.
When a (system) drive is encrypted with VeraCrypt there is no visual clue to tell you so. The best way is to check whether VeraCrypt is installed on the system. Check the start menu for the application VeraCrypt or check the default installation directory: “c:\Program Files\VeraCrypt”. Normally VeraCrypt will also show an icon in the system tray, which you should be able to identify by the VeraCrypt logo.
[Images: VeraCrypt logo | TrueCrypt logo]
By launching VeraCrypt you will get a list of all drive letters. Here you will be able to identify any mounted volumes and their locations.
2. Tools
If you are unable to find any telltale signs of encryption software it might be a good idea to do a last check with a tool.
One of the best tools to check if a system is using encryption software is Encrypted Disk Detector (EDD) from Magnet Forensics. EDD lists all of the current physical and logical drives it finds on the system. If it detects something special it will mark the detected drive and tell you why it is suspicious.
In this example we see that PhysicalDrive5, Partition 1 is a BitLocker encrypted volume:
And when EDD detects a virtual disk it is marked yellow with a warning that it might be a TrueCrypt or PGP encrypted volume:
EDD relies on signatures to detect encrypted drives. Because VeraCrypt deliberately leaves no recognizable signature, there is no reliable way to detect these drives with 100% certainty. Therefore EDD marks virtual disks as possible encrypted volumes.
If you get warnings when running EDD, you should consider making a live image of these drives before you pull the plug. Better safe than sorry. If a live image is not an option, make sure you at least have a RAM image.
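The manual checks from section 1 (BitLocker status, the VeraCrypt install directory and tray process) and the kind of virtual-disk warning EDD gives can be combined into one triage script. The following is an added example, not code from the original article, from Magnet Forensics or from the VeraCrypt project; it assumes PowerShell 5.1 or later on Windows 8/10 with an elevated prompt, and it assumes (not verified against every product version) that a VeraCrypt or TrueCrypt volume shows up as a drive letter without a partition behind it in the Storage cmdlets.

```powershell
# Added example (not from the original article, Magnet Forensics or VeraCrypt):
# encryption triage on a live Windows system. Assumes PowerShell 5.1+ on Windows 8/10
# and an elevated prompt (the BitLocker cmdlets require it).
$findings = [System.Collections.Generic.List[string]]::new()

# 1. BitLocker: ask the OS directly instead of relying on the padlock icon.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    foreach ($v in Get-BitLockerVolume) {
        if ($v.VolumeStatus -ne 'FullyDecrypted' -or $v.ProtectionStatus -eq 'On') {
            $findings.Add("BitLocker: $($v.MountPoint) $($v.VolumeStatus) " +
                          "protection=$($v.ProtectionStatus) method=$($v.EncryptionMethod)")
        }
    }
} else {
    # Older builds: manage-bde ships with every BitLocker-capable edition.
    manage-bde -status 2>&1 | Out-File (Join-Path $PWD 'manage-bde-status.txt')
    $findings.Add('BitLocker: Get-BitLockerVolume unavailable, see manage-bde-status.txt')
}

# 2. VeraCrypt / TrueCrypt: default install directory, running GUI process, kernel driver.
$products = @{
    VeraCrypt = @{ Dir = 'C:\Program Files\VeraCrypt'; Proc = 'VeraCrypt'; Driver = 'veracrypt' }
    TrueCrypt = @{ Dir = 'C:\Program Files\TrueCrypt'; Proc = 'TrueCrypt'; Driver = 'truecrypt' }
}
foreach ($name in $products.Keys) {
    $p = $products[$name]
    if (Test-Path $p.Dir) {
        $findings.Add("${name}: install directory present ($($p.Dir))")
    }
    if (Get-Process -Name $p.Proc -ErrorAction SilentlyContinue) {
        $findings.Add("${name}: process running (tray icon / mounted volumes likely)")
    }
    if (Get-CimInstance Win32_SystemDriver -Filter "Name='$($p.Driver)'") {
        $findings.Add("${name}: kernel driver registered")
    }
}

# 3. Other encryption or container products listed under installed programs.
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty $uninstall -ErrorAction SilentlyContinue |
    Where-Object DisplayName -match 'VeraCrypt|TrueCrypt|AxCrypt|Folder Lock|PGP|Symantec Encryption' |
    ForEach-Object { $findings.Add("Installed: $($_.DisplayName) $($_.DisplayVersion)") }

# 4. Virtual disks, the same heuristic EDD warns on: a local drive letter that no
#    partition backs. Assumption: container volumes are mounted by the product's own
#    driver and are therefore absent from Get-Partition; network drives are excluded
#    via DisplayRoot, but subst/RAM disks will also trigger this, so verify by hand.
$backed = Get-Partition -ErrorAction SilentlyContinue |
    Where-Object { $_.DriveLetter -match '[A-Z]' } |
    ForEach-Object { "$($_.DriveLetter):" }
Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.Root -match '^[A-Z]:\\$' -and -not $_.DisplayRoot -and
                   $backed -notcontains $_.Root.TrimEnd('\') } |
    ForEach-Object {
        $findings.Add("Drive $($_.Root) has no backing partition: possible mounted container, image before power-off")
    }

if ($findings.Count -eq 0) {
    'No encryption indicators found (absence of evidence is not evidence of absence).'
}
$findings
```

As with EDD, a hit on step 4 is a reason to image the volume live rather than proof of encryption, and an empty result does not rule out a hidden or unmounted container, which is why the RAM image remains mandatory either way.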
Pulling the plug
When you have taken care of all of the above and you are ready to pull the plug, you may want to pull the power cable out of the power supply itself, or flip the switch on the power supply.
I have encountered many systems that were connected to an uninterruptible power supply (UPS); pulling the plug from the wall socket in these situations might signal the system to initiate a shutdown.