BATTLEFIELD DIGITAL FORENSICS

Devices might be found in different states:
device is discovered in power-on state
o unlocked (direct access to device)
o locked/user logged-off/…
o in suspend mode 37
device is discovered in power-off state
If the computer system (desktop, server) is powered on, the SOF operator should try to acquire volatile
content. Volatile evidence may help the investigation or it might be the only evidence there is! If it is not taken,
this will undermine the digital evidence investigation. The importance of acquiring this data is covered in
paragraph 6.3 – ‘Assessing Gatherable Intelligence‘. This part of the exfiltration process makes demands on the
technical architecture supporting the SOF team (See paragraph 6.2.1.3 – ‘Vector Options‘). The technology
used has to follow the order of volatility. The huge variety of possible devices and operating systems means
that it will be a challenge to prepare a convenient exfiltration point capable of gathering not only RAM dump,
but also options like temporary system files, swap files, network configuration and settings if available. [28,
chapter 8.6.18.2]
Devices in this category may also contain a FireWire port. Check if a port is available, to use it for RAM
acquisition.
The next step after the volatile data acquisition (if the system is powered on) is to shut down the device. It is
recommended to do this abruptly by removing the power (the ‘pull the plug approach’). 38 This action must also
be taken if any destructive operation is visibly running on the system. The following step is the physical
extraction of the storage from the device. A spinning hard disk or solid state disk (SSD) may usually be found
inside current desktop computers
Physical extraction consists of extracting media devices that are parts of a physically bigger system (such as a
desktop or server) and that are not easily transportable during the operation. It may result in removing
different types of disk drives that are built into computer systems. Note that if a RAID 0 setup has been used
(as an anti-forensics measure 39 ), this requires discovering and extracting all the disks used in the setup.
a) Remove the hard drive (step-by-step instructions)
Note: This guide applies to a hard drive that is mounted inside the desktop computer case. A cordless electric
screwdriver is usually needed to open the desktop (server) case and handle the drive if it is fixed.
1. Make sure the computer is powered off and the power cable is disconnected.
37 In some devices it may be possible to detect the suspend mode from slowly blinking LED lights. For example, because of security bugs
[35], it is possible to see the OS’s desktop contents on resume from suspend before the lock dialog. For capturing the content from the
screen in such a scenario during a special operation, a (high speed) video camera would be required. If the suspended device is properly
secured into a Faraday bag with battery supply, this can be done after the special operation in the forensics investigation. This means that
resuming should be tried during the secure operation only if it is not possible to capture the suspended device (for example because of the
size of it).
38 If a graceful shutdown is undertaken, then there may be data destruction (for example if the equipment has been booby-trapped) or
other ways that the evidence may be altered during the graceful shutdown process.
39 Read more from paragraph 7.1 – ‘Data and Device Hiding‘. Before removing devices it should also be remembered that hard disks and
SSD drives may be encrypted.
48