One thing to keep in mind when using VMWare to examine a live operating system is that while changes are not made to the virtual hard drive, what the user sees *is* a modified copy. Filesystem metadata and registry information, among other things, cannot be relied upon for accuracy.

Do not get me wrong - I completely agree with you, and I use VMWare for this purpose, and I regularly send fan mail to their developers (no, not really.) It's just a point worth keeping in mind during analysis.

-- Matt

Quoting Kurt Seifried <bugtraqat_private>:

> Or use vmware to simply boot a windows system and view it, or boot it from
> within vmware itself (may have hardware issues though =). Beauty with
> vmware of course is you can set it to not write to the disk, allowing you to
> play with an image.
>
> Kurt Seifried, kurtat_private
> A15B BEE5 B391 B9AD B0EF
> AEB0 AD63 0B4E AD56 E574
> http://seifried.org/security/
> http://www.idefense.com/digest.html

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Mar 20 2002 - 06:49:43 PST