EC-Council: Computer Hacking Forensic Investigator (CHFI-V10)
Module 2: Computer Forensics Investigation Process
Operating System Shutdown Procedure, if System is in "ON" state
Investigators face a vital decision when shutting down a computer system: the operating system must be shut down properly so that the integrity of the files is not damaged. If investigators need to shut a system down, they must first collect the volatile data from it, or wait for that collection to finish, because the system deletes this data on shutdown and it is then impossible to retrieve. Different operating systems have different shutdown procedures. First responders must follow the predefined shutdown procedure; otherwise, data may be lost because the hard drives may crash.
Follow these steps for Windows OS:
▪ Take a photograph of the screen
▪ Document any running programs
▪ Unplug the power cord from the wall socket
Follow these steps for Mac OS X:
▪ Record the time from the menu bar
▪ Click the Apple icon located on the top left-hand side of the Mac OS taskbar
▪ Select “Shut Down” near the bottom
▪ Unplug the power cord from the wall socket
Follow these steps for UNIX/Linux OS:
▪ Right-click on the desktop and select the “Console” option
▪ If the root user’s prompt is set to # sign mode,
o Enter the password if available and type sync;sync;halt to shut down the system
o If password is not available, unplug the power cord from the wall socket
▪ If it is set to console # sign mode,
o Enter the user’s ID and press Enter on the keyboard
o If the user ID is root, type sync;sync;halt to shut down the system
o If the user’s ID is not root, unplug the power cord from the wall socket