Compromised Systems Powered Off or Disconnected
Key systems have been powered off by users, IT, or as part of a premature containment action. Volatile data (running processes, network connections, memory-resident malware) is lost. Remote collection tools cannot reach the host.
Signals
- EDR console shows the agent's last check-in was hours or days ago
- ICMP/ping sweeps and remote management tools cannot reach the endpoint
- Incident log notes show IT or the end user powered off the machine before IR engagement
Pivot Actions
1. Do NOT power the system back on until forensic imaging is ready; a boot overwrites hibernation files and alters disk state
2. Perform a forensic disk image (dd, FTK Imager) before any reboot to preserve the current disk state
3. Recover pagefile.sys, hiberfil.sys, and swap partitions for partial volatile-data reconstruction
4. Pull all available remote logs (SIEM, EDR historical, DC auth logs) that captured activity while the host was online
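The imaging step above, as an added example (not part of this playbook): a POSIX shell function that images the drive with dd, hashes source and image, and appends a chain-of-custody line. It assumes the drive is attached read-only (hardware write blocker or read-only loop device) and that the first argument is the device node or, for testing, a file standing in for one.

```shell
# image_disk SOURCE_DEVICE OUTPUT_IMAGE CUSTODY_LOG
# Returns 0 when the image hash matches the source hash, 1 otherwise,
# 2 if the output image already exists.
# Assumption: SOURCE_DEVICE is mounted read-only or behind a write blocker.

sha256_of() {
    # Portable SHA-256: GNU coreutils sha256sum, else shasum (macOS/BSD).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

image_disk() {
    src="$1"; img="$2"; log="$3"

    # Never overwrite an existing image: that would destroy evidence.
    if [ -e "$img" ]; then
        echo "refusing to overwrite existing image: $img" >&2
        return 2
    fi

    # Hash the source first so the image can be verified against it.
    src_hash=$(sha256_of "$src")

    # noerror keeps reading past unreadable sectors; sync pads them with zeros
    # so offsets in the image still line up with the source. bs=512 matches the
    # sector size, so sync never pads the tail; a larger bs would pad the final
    # partial block and change the hash even on a clean read.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null

    img_hash=$(sha256_of "$img")

    # Chain-of-custody record: when, on which workstation, which hashes.
    printf '%s host=%s src=%s img=%s src_sha256=%s img_sha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" "$src" "$img" \
        "$src_hash" "$img_hash" >> "$log"

    # A mismatch means a padded (unreadable) sector; note the range in the log.
    [ "$src_hash" = "$img_hash" ]
}
```

Run it as `image_disk /dev/sdX /evidence/CASE-host.dd /evidence/custody.log` and retain the log beside the image.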
Alternate Evidence Sources
- pagefile.sys and hiberfil.sys for partial memory reconstruction
- EDR historical telemetry captured before the agent went offline
- Domain controller authentication and Group Policy logs for the offline host