Pulling the plug

If we simply cut power to the subject system the filesystem(s) may not be clean. As previously mentioned, this is not necessarily as serious as it was before journaling filesystems became commonplace. One thing you can do to minimize the chances of dealing with a filesystem that is extremely dirty (lots of file operations waiting in the cache) is to run the sync command before pulling the plug. There is always a chance that an attacker has altered the sync program, but in the rare instances where they have done so your live analysis would likely have revealed this.

The best thing this method has going for it is that malware doesn’t have any chance to react. Given the information collected by running your scripts during the live analysis and memory image you have dumped, you are not likely to lose much if any information by pulling the plug. If you suspect a malware infection this is your best option in most cases.