

When analyzing connected computers, one may be tempted to pull the plug and bring the PC to the lab for in-depth research. This strategy carries risks that may outweigh the benefits. In this article we’ll discuss what exactly you may be losing when pulling the plug.

Is it powered on, sleeping, or hibernated?

Is the computer powered on, sleeping, or hibernated? If it’s powered on, do you have access to an authenticated user session? Your approach may be different depending on the answers.

Note: this article addresses the various sleep modes in desktop computers only. Laptops, ultrabooks and 2-in-1s capable of “modern standby” or “connected standby” have different forensic implications and are protected in a different manner (via BitLocker Device Encryption).

If the computer is running with an authenticated user session, we strongly recommend scanning the PC for encrypted (and mounted) disks and virtual machines before you do anything else. If there is encryption present, you may lose access to encrypted disks and/or virtual machines once you pull the plug, shut down the computer, log off the current user, allow the computer to sleep or hibernate, or even allow the computer’s screen to lock after a timeout. The reason for this is the security settings available in many crypto containers and encrypted VM apps that unmount encrypted data and delete the encryption keys from the computer’s memory on certain events. Depending on the settings, such events may include:

Computer reboot or shutdown, whether clean or forced. Most crypto containers (except BitLocker in TPM mode) will lose the encryption key and require the user to enter the password to unlock encrypted disks or VMs.
