Powered-on versus powered-off device acquisition
Whether a device is found powered on or powered off, special consideration must be given to the volatility of its data. Booting, rebooting, or shutting down a device can cause data to be written to the hard drive, or data held in RAM and the paging file to be lost.
Powered-on devices
When investigating a powered-on device, the following precautions should be taken:
- Move the mouse or glide your fingers across the touchpad if you suspect the device may be in a sleep state. Do not click any buttons, as this may open or close programs and processes.
- Photograph and record the screen and all visible programs, data, time, and desktop items.
- Unplug the power cord on desktops and remove the battery, if possible, on portables.
It is of utmost importance that data stored in RAM and paging files be collected with as little modification to the data as possible. More on this will be covered in later chapters using imaging tools such as Guymager and DC3DD in Kali...
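The integrity check behind "as little modification as possible" is a hash comparison: the digest of the source is recorded before acquisition and compared with the digest of the resulting image. The script below is an added example, not code from the book or from the Guymager or DC3DD projects; it uses plain dd and sha256sum (an assumption made for portability, since dc3dd and Guymager compute the hash during the copy) and stands in a constructed sample file for a real block device.

```shell
#!/bin/sh
# Added example: verify that an acquired image is a bit-for-bit copy of its
# source by comparing SHA-256 digests taken before and after the copy, and
# append both digests to an acquisition log. Uses dd + sha256sum instead of
# dc3dd/Guymager (assumption made so the script runs on any POSIX system).

# hash_of FILE -> prints the SHA-256 hex digest of FILE (falls back to shasum)
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# acquire_and_verify SRC DST LOG
# Copies SRC to DST block-by-block, records the source and image digests
# with a UTC timestamp in LOG, and returns 0 only if the digests match.
acquire_and_verify() {
    src="$1"; dst="$2"; log="$3"
    src_hash=$(hash_of "$src")
    dd if="$src" of="$dst" bs=4096 2>/dev/null || return 1
    dst_hash=$(hash_of "$dst")
    {
        echo "acquired: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source:   $src  sha256=$src_hash"
        echo "image:    $dst  sha256=$dst_hash"
    } >> "$log"
    [ "$src_hash" = "$dst_hash" ]
}

# make_sample_device FILE
# Constructed sample "device": a small file standing in for /dev/sdX,
# so the example runs without real hardware.
make_sample_device() {
    printf 'constructed sample disk contents\n' > "$1"
    head -c 8192 /dev/zero >> "$1"
}

# Stand-alone usage (hypothetical paths):
# make_sample_device /tmp/sample.dev
# acquire_and_verify /tmp/sample.dev /tmp/sample.dd /tmp/sample.log && echo "image verified"
```

A mismatch between the two digests means the image cannot be relied on as evidence; the log lines give the examiner a record of what was hashed and when.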