![]() ![]() If the power is cut (you pull the plug), the computer resumes from the saved hibernation file without losing the user’s authenticated session or the encryption keys (unless the crypto container is specifically configured to wipe such keys when entering low-power mode). If the computer is left connected to a power source, resuming from hybrid sleep is just as fast as resuming from normal sleep. This file contains, among other things, on-the-fly encryption keys used by crypto containers and encrypted VM apps to access encrypted data on the fly. Once the computer begins transitioning into this low-power state, Windows saves the content of the computer’s RAM into a hibernation file. This option attempts to combine the benefits of sleep and hibernation. To prevent this situation, Microsoft developed a so-called “Hybrid sleep” option. However, if the power is lost while the computer is sleeping (which is exactly what happens when you pull the plug), the entire content of the computer’s RAM is lost. This results in near-instant transition between active and sleep phases, and near-instant wake. If the “hybrid” option is not selected, when entering this low-power state, the computer will not save the contents of the RAM onto non-volatile media. By default, Windows 10 computers come pre-configured with Hybrid Sleep (see screen shot). Sleep is the first-engaged low-power mode in Windows. There are several low-power options in Windows desktop computers, each carrying certain forensic implications. The difference between Sleep, Hybrid Sleep, Hibernation and Fast Startup in Windows However, VeraCrypt has a dedicated setting that does unmount the disk(s) on this condition. By default, no crypto container app unmounts encrypted disks once the user session is locked. This is a separate state that has a separate configuration setting. By default, all of these settings are off, so VeraCrypt default behavior is similar to BitLocker. VeraCrypt containers, on the other hand, have a handful of settings that, once selected, make VeraCrypt automatically lock encrypted disks and wipe the encryption keys from the memory when the computer enters a pre-configured state. This means that, by default, BitLocker disks will be kept mounted after the computer resumes, and there is no easy way to alter this setting other than modifying the system’s group security policy. The default setting for many crypto containers (including BitLocker in all configurations) is resuming seamlessly after sleep or hibernation. Most crypto containers (except BitLocker in TPM mode) will lose the encryption key and require the user to enter the password to unlock encrypted disks or VMs. ![]() Computer reboot or shutdown, whether clean or forced.Depending on the settings, such events may include: ![]() The reason for this are the security settings available in many crypto containers and encrypted VM apps that unmount encrypted data and delete the encryption keys from the computer’s memory on certain events. If there is encryption present, you may lose access to encrypted disks and/or virtual machines once you pull the plug, shut down the computer, log off the current user, allow the computer to sleep or hibernate or even allow the computer’s screen to lock after a timeout. If the computer is running with an authenticated user session, we strongly recommend scanning the PC for encrypted (and mounted) disks and virtual machines before you do anything else. Laptops, ultrabooks and 2-in-1 capable of “modern standby” or “connected standby” have different forensic implications and are protected in a different manner (via BitLocker Device Encryption). Note: this article addresses the various sleep modes in desktop computers only. Is the computer powered on, sleeping, or hibernated? If it’s powered on, do you have access to an authenticated user session? Your approach may be different depending on the answers. ![]() Is it powered on, sleeping, or hibernated? In this article we’ll discuss what exactly you may be losing when pulling the plug. This strategy carries risks that may overweigh the benefits. When analyzing connected computers, one may be tempted to pull the plug and bring the PC to the lab for in-depth research. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |