[jaryd]

If the laptop turned off and the drive was encrypted by what basic method could they extrapolate the same information as if the computer was decrypted and powered on? Are you referring to some kind of memory attack? Wouldn't they need to be prepared to do that kind of forensic work in the extremely near term (or have some equipment on-hand to preserve the memory at least)? I'm pretty uninformed in this area and would appreciate a lesson.

[mburns]

You wouldn't turn off the device, particularly if you thought that turning it off could make you lose access to information.

That can be achieved by (1) transferring the machine to a portable battery unit without interrupting the power feed from the AC wall adapter and/or (2) imaging the machine's memory and mounted drives in-place.

These are things the FBI has in its toolbox, precisely because "yank the power cable" is how many criminals rely on protecting their otherwise encrypted data.