Powered-on devices

When investigating a powered-on device, the following precautions should be taken:

  • Move the mouse or glide your fingers across the touchpad if you suspect the device may be in a sleep state. Do not click any buttons, as this may open or close programs and processes.
  • Photograph and record the screen and all visible programs, data, the time, and desktop items.
  • Only after any live acquisition of volatile data (see below) is complete, unplug the power cord on desktops and remove the battery, if possible, on portables. Cutting power discards the contents of RAM, so this is the last step, not the first.

It is of utmost importance that data held in RAM and in the paging file be collected with as little modification as possible. This is covered in later chapters using imaging tools such as Guymager and dc3dd in Kali Linux. Other live-acquisition tools, such as CAINE and Helix, can also be used to acquire RAM and the paging file. Note that the paging file lives on the disk rather than in RAM, so it is normally recovered from the disk image; RAM contents, by contrast, exist only while the machine is powered.

There are quite a few reasons for imaging and acquiring the RAM. As mentioned in the previous chapter, data that the user has encrypted on disk may be present in an unencrypted state in RAM. Logged-in users, open programs, accessed files, and running processes can all be extracted from RAM and the paging file and analyzed. However, if the device is switched off or rebooted, this data and evidence can easily be lost.

For powered-on portable devices, the battery should be removed if possible. Some devices, however, do not have a removable battery. In these cases, hold the power button down for 30 to 40 seconds, which forces the device to power off. Like unplugging a desktop, this discards everything in RAM, so do it only once live acquisition is complete.
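The handling order above (record the screen, capture volatile state, then cut power) as an added example that is not from the book or from any of the tools it names: a POSIX shell live-response collector for a powered-on Linux host. It writes the categories the text mentions (logged-in users, running processes, open files, network state) to an evidence directory in order of volatility, hashes every artefact with sha256sum, and can re-verify the manifest later to show nothing was altered. The evidence path /mnt/evidence/case01 is hypothetical, the collector commands are my own choice, and the physical RAM image itself is assumed to be taken separately with a kernel module such as LiME or a tool such as avml (neither is on the page) before power is removed.

```shell
#!/bin/sh
# Added example: live-response collection of volatile state from a powered-on
# Linux host, most volatile first, before power is removed.
# Assumptions (not from the book): the evidence directory is on external media
# (e.g. /mnt/evidence, hypothetical), the binaries come from a trusted toolkit,
# and the RAM dump itself is done separately (e.g. LiME or avml), not here.

collect_volatile() {
    outdir=$1                          # evidence directory on external media
    mkdir -p "$outdir" || return 1
    log=$outdir/collection.log
    printf 'examiner=%s host=%s start=%s\n' \
        "$(id -un)" "$(uname -n)" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$log"

    # name|command pairs, ordered from most to least volatile. Each command
    # runs in its own shell; a missing tool is logged (rc=127) and collection
    # continues rather than aborting mid-way.
    set -- \
        "01_time|date -u; uptime" \
        "02_logged_in_users|who; w" \
        "03_processes|ps -ef || ls -d /proc/[0-9]*" \
        "04_network|ss -tunap || netstat -tunap" \
        "05_open_files|ls -l /proc/[0-9]*/fd" \
        "06_mounts|cat /proc/mounts" \
        "07_kernel_modules|cat /proc/modules" \
        "08_environment|id; uname -a; env"
    for entry in "$@"; do
        name=${entry%%|*}
        cmd=${entry#*|}
        if sh -c "$cmd" > "$outdir/$name.txt" 2>> "$log"; then rc=0; else rc=$?; fi
        printf '%s rc=%s\n' "$name" "$rc" >> "$log"
    done

    # Hash every artefact so later modification can be detected. The log is
    # left out of the manifest because it is still appended to below.
    ( cd "$outdir" && sha256sum *.txt > MANIFEST.sha256 )
    printf 'end=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$log"
}

# Re-check the artefacts against the manifest; a non-zero exit status means an
# artefact was altered, truncated or removed since collection.
verify_manifest() {
    ( cd "$1" && sha256sum -c MANIFEST.sha256 > /dev/null 2>&1 )
}

# Usage (path is hypothetical):
# collect_volatile /mnt/evidence/case01 && verify_manifest /mnt/evidence/case01
```

The script deliberately never writes to the suspect's own disk and never starts or stops anything beyond short-lived read-only commands; the manifest is what lets the examiner later demonstrate that the captured state matches what was collected at the scene.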
