I was asked an age-old question via a Twitter DM today:
"Should I pull the plug or image live?"
I thought this was a rhetorical or 'homework' question, because how would I know? I gave a short answer of "it depends on this and that", assuming that the question was being asked generally. But then,
....he messaged that he was standing in front of a machine, onsite, and was wondering which was best...oh my..
Some of the problems
I sincerely did not know which was best because:
(a) I was not there,
(b) I was not part of the planning process,
(c) I have no idea of the case/data objectives, and
(d) I have no idea of the machine configuration.
Apparently, this forensics company had no plan other than to meet onsite and image whatever computers were there...
My only and best answer ended up being:
(a) Make a reasonable decision for today and
(b) Make a plan next time.
The forensic process begins before forensic processing begins
We hear all the time about making plans before starting work. "Work" can be a highly critical military mission or just driving to the office. Both require a plan. The highly critical military mission will have many more details and require more time to prepare than simply driving to work, but both require planning. If you think that driving to work doesn't require planning, then I would assume that you are continually late to work.
If we visualize what "forensic processing" is, we tend to think of things like indexing, running Python scripts, filtering data, and carving data. Rarely do we think of planning as part of forensic processing, yet planning should be considered the top-tier aspect of every DFIR "operation". Before starting any process on data, you need to make a plan, regardless of whether your evidence is a 1MB file or 1PB of storage spread across dozens of devices.
No plan survives first contact
Few things go perfectly as planned, no matter how much time and effort you put into the plan. You would be mistaken to take that to mean planning is a waste of time. It simply means that you cannot plan for absolutely everything, but you can plan for many things, and for those things that were unforeseen, you will handle them on the spot. Having a plan gives you more time to make decisions. More time to think means less chance of rash, uninformed, misinformed, or ignorant decisions.
So the next time my Twitter DM buddy goes onsite, he will have a plan on how to approach devices. Even if the plan is to dead-box image everything (i.e., pull the plug), the plan for devices where pulling the plug is impossible or unreasonable (an unlocked encrypted volume whose key lives only in memory, for example) can be made beforehand. This reduces the time needed to preserve data, decreases the risk of data destruction, and increases the chance of collecting all targeted data.
No. I am not just talking about pulling the plug
There is not a time that I touch evidence without a plan unless the evidence is unexpectedly placed in my hands. This goes way back to working a district as a police officer. If I saw evidence, I would have some plan of how to (1) identify and preserve the evidence and (2) how to collect it before touching it. Sometimes this would take half a second and on occasion, it would take hours. The same applies to electronic evidence. Do not process it without a plan.
Cases can fail by no fault of your own. And they can fail specifically and spectacularly because of you. Personally, I'd like to take myself out of the failure equation with planning and then use the gifts of planning to address the unforeseen circumstances.
Plan for the known to give you more time to handle the unknown.
In case none of this makes sense or means much to you, here is the practical aspect to take to the bank: If you were to spend 30 minutes planning your DFIR work (collection or analysis or presentation or etc...), you can save days or weeks over the life of that one case. DAYS OR WEEKS by spending MINUTES to plan. ON EVERY CASE. Have you ever wondered why a coworker can plow through case after case, doing great work while you might be struggling to keep your head above water? hint...it is not because of being better skilled...
If you are overwhelmed with work (who isn't?), you can mitigate a good portion of that caseload with proper planning. I have seen investigators drowning in a heavy caseload for the sole reason of failing to plan anything on any case. At some point, it is obvious that an investigator is the bottleneck in cases being late or unfinished because the investigator, or analyst, chooses to not plan.
Side note: I asked permission to blog about this from the person who DM'd me, with a promise of not disclosing the name of the person or company. I think it important to share past errors to reduce future errors.