In-Reply-To: <200111291635.fATGZWgi004697@foo-bar-baz.cc.vt.edu>

> Note that for *some* booby traps, "pulling the plug" may be the *wrong* thing
> to do, and result in the loss of the evidence.

Excellent point. There is a lot of volatile data that disappears when a system is powered down, and it would be extremely useful in a case. For example, if someone suspects that a system has a trojan like Sub7 on it, and the bit-image copy of the drive shows the presence of the files and the last access times, that only gets you so far. If information regarding the currently running processes had been collected using certain tools (which are generally platform specific), then it could have been determined whether the process was running, and who, if anyone, was connected to the trojan.

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
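The correlation the post describes, tying a suspect file found on the disk image to a live process and to whoever was connected to it, is something a responder does over the volatile snapshots taken before power-down. The script below is an added example for this thread, not code from the original post or from any tool named in it. It works over constructed, ps-style and netstat-style text embedded inline (the column layouts, the process names, the port 61000 and the peer address are all made up for the example); collecting the real snapshots is left to whatever platform-specific tool was used, since their output formats differ.

```python
"""
Volatile-data triage: join a snapshot of running processes with a snapshot of
network connections so that a suspect path from the disk image can be tied to
a running PID, its parent, the ports it listens on, and its connected peers.

Added example; the snapshots below are constructed sample text, not output
captured from a real system.
"""
from dataclasses import dataclass

# Constructed ps-style listing: PID PPID USER COMMAND (COMMAND may contain spaces).
PROC_SNAPSHOT = """\
PID   PPID  USER     COMMAND
1     0     root     /sbin/init
412   1     root     /usr/sbin/sshd
987   1     jdoe     /home/jdoe/.cache/srv.exe
1020  412   jdoe     -bash
"""

# Constructed netstat-style listing: PROTO LOCAL REMOTE STATE PID.
# 61000 and 203.0.113.77 are placeholder values for the example.
CONN_SNAPSHOT = """\
PROTO LOCAL               REMOTE               STATE        PID
tcp   0.0.0.0:22          0.0.0.0:0            LISTEN       412
tcp   10.0.0.5:22         10.0.0.9:51522       ESTABLISHED  412
tcp   0.0.0.0:61000       0.0.0.0:0            LISTEN       987
tcp   10.0.0.5:61000      203.0.113.77:40211   ESTABLISHED  987
"""


@dataclass
class Process:
    pid: int
    ppid: int
    user: str
    command: str


@dataclass
class Connection:
    proto: str
    local: str
    remote: str
    state: str
    pid: int


def parse_processes(text):
    """Parse the process snapshot into a dict keyed by PID; skips the header line."""
    procs = {}
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        pid, ppid, user, command = line.split(None, 3)  # keep args intact
        procs[int(pid)] = Process(int(pid), int(ppid), user, command)
    return procs


def parse_connections(text):
    """Parse the connection snapshot into Connection records; skips the header line."""
    conns = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        proto, local, remote, state, pid = line.split()
        conns.append(Connection(proto, local, remote, state, int(pid)))
    return conns


def port_of(endpoint):
    """Return the port number of an 'address:port' endpoint string."""
    return int(endpoint.rsplit(":", 1)[1])


def correlate(suspect_paths, procs, conns):
    """
    For each process whose executable path is in suspect_paths (e.g. paths found
    on the disk image), report its owner, parent, listening ports and the remote
    peers with established sessions to it.
    """
    findings = []
    for proc in procs.values():
        exe = proc.command.split()[0]  # first token is the executable path
        if exe not in suspect_paths:
            continue
        mine = [c for c in conns if c.pid == proc.pid]
        parent = procs.get(proc.ppid)
        findings.append({
            "pid": proc.pid,
            "user": proc.user,
            "command": proc.command,
            "parent": parent.command if parent else None,
            "listening": sorted(port_of(c.local) for c in mine if c.state == "LISTEN"),
            "peers": sorted(c.remote for c in mine if c.state == "ESTABLISHED"),
        })
    return findings


if __name__ == "__main__":
    procs = parse_processes(PROC_SNAPSHOT)
    conns = parse_connections(CONN_SNAPSHOT)
    for f in correlate({"/home/jdoe/.cache/srv.exe"}, procs, conns):
        print(f"pid {f['pid']} ({f['user']}) {f['command']} parent={f['parent']}")
        print(f"  listening on {f['listening']}, connected peers {f['peers']}")
```

The point of the join is that the disk image alone answers "was the file there"; only the process and connection snapshots, taken while the system was still up, answer "was it running, as whom, and who was talking to it".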
This archive was generated by hypermail 2b30 : Thu Nov 29 2001 - 16:26:19 PST