Anti-Forensics
- ID: AF028.004
- Created: 06th October 2025
- Updated: 08th October 2025
- Contributor: The ITM Team
Powering Off Devices
The subject deliberately powers off corporate devices to obstruct remote forensic acquisition, containment, or monitoring. A powered-down endpoint cannot run endpoint detection and response (EDR) agents, remote disk imaging, or memory capture utilities, which delays evidence collection and blocks response actions such as network isolation.
Often triggered by awareness of investigative scrutiny, powering down a device destroys volatile data (running processes, open network connections, and keys held only in memory) and disrupts containment workflows. The tactic is especially effective in environments that rely on real-time telemetry or remote tooling.
This activity can be treated as an anti-forensics technique, especially when the device is powered off during periods in which the subject is expected to be working.
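One way to surface this behaviour in telemetry is to correlate shutdown events against expected working hours, repeated power-offs of the same host, and whether the user is already under investigative scrutiny. The script below is an added example, not ITM's own tooling; it runs over constructed records modelled on Windows System-log events (ID 1074, a user-initiated shutdown or restart, and ID 6008, an unexpected shutdown with no clean shutdown recorded). The hostnames, user names, timestamps, working-hours window and watchlist are assumptions for the example.

```python
"""Flag device power-offs that look like evidence avoidance: shutdowns during
expected working hours, unexpected (hard) power-offs, repeated power-offs of
one host in a day, and any of those by a subject already under scrutiny."""
from collections import Counter
from datetime import datetime, time

# Constructed sample records (assumed field names and values), modelled on
# Windows System-log shutdown events:
#   1074 = user-initiated shutdown/restart (source User32)
#   6008 = unexpected shutdown (no clean shutdown was recorded)
SAMPLE_EVENTS = [
    {"ts": "2025-10-06T09:14:02", "host": "WS-1042", "user": "CORP\\jdoe",
     "event_id": 1074, "reason": "Other (Unplanned)"},
    {"ts": "2025-10-06T14:37:55", "host": "WS-1042", "user": "CORP\\jdoe",
     "event_id": 1074, "reason": "Other (Unplanned)"},
    {"ts": "2025-10-06T18:05:10", "host": "WS-1042", "user": "CORP\\jdoe",
     "event_id": 1074, "reason": "Other (Planned)"},
    {"ts": "2025-10-07T11:20:44", "host": "WS-1042", "user": None,
     "event_id": 6008, "reason": "unexpected shutdown"},
    {"ts": "2025-10-07T22:48:00", "host": "WS-2200", "user": "CORP\\asmith",
     "event_id": 1074, "reason": "Other (Planned)"},
]

SHUTDOWN_EVENT_IDS = {1074, 6008}
WORK_START, WORK_END = time(9, 0), time(17, 30)  # assumed expected working hours
WATCHLIST = {"CORP\\jdoe"}                       # assumed: subject under investigation


def _during_working_hours(ts: datetime, start: time, end: time) -> bool:
    """True on a weekday between start and end (inclusive)."""
    return ts.weekday() < 5 and start <= ts.time() <= end


def find_suspicious_poweroffs(events, watchlist=WATCHLIST,
                              start=WORK_START, end=WORK_END):
    """Return alerts (sorted by time) for shutdown events that match at least
    one heuristic. A watchlisted user raises severity but is not a trigger on
    its own, so ordinary end-of-day shutdowns by that user stay quiet."""
    parsed = [dict(e, ts=datetime.fromisoformat(e["ts"]))
              for e in events if e["event_id"] in SHUTDOWN_EVENT_IDS]
    # Count shutdowns per host per calendar day to catch repeated power-offs.
    per_host_day = Counter((e["host"], e["ts"].date()) for e in parsed)

    alerts = []
    for e in sorted(parsed, key=lambda e: e["ts"]):
        reasons = []
        if _during_working_hours(e["ts"], start, end):
            reasons.append("power_off_in_working_hours")
        if e["event_id"] == 6008:
            # No clean shutdown logged: power pulled or hard power-off.
            reasons.append("unexpected_shutdown")
        if per_host_day[(e["host"], e["ts"].date())] >= 2:
            reasons.append("repeated_power_offs_same_day")
        if reasons and e["user"] in watchlist:
            reasons.append("subject_under_scrutiny")
        if reasons:
            alerts.append({
                "ts": e["ts"].isoformat(),
                "host": e["host"],
                "user": e["user"],
                "severity": "high" if "subject_under_scrutiny" in reasons else "medium",
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_poweroffs(SAMPLE_EVENTS):
        print(alert)
```

In production the same logic would be fed from the SIEM rather than an inline list, and a practitioner would add a fourth signal this example leaves out: loss of the EDR agent's heartbeat with no matching 1074 or 6006 event, which is what a hard power-off or battery pull looks like from the console.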