Re: Hibernation and Forensics

From: Suresh P (suryaat_private)
Date: Tue Jun 11 2002 - 00:18:59 PDT


    Hi,
    What are the tools that you use to read the image of the
    hibernated system files, and even the normal images? Just
    hex editors with some kind of data recognition, or rippers that can
    identify and extract multiple file types, or something else?
    
    In my opinion, and based on the analysis I have done, the best option
    for an NT/2K machine would be to 'pull the plug' after the initial analysis
    of the box is complete. NTFS always survives the crash (at least most
    of the time).
    
    If it is a Windows-based compromised machine, there may be a possibility
    of things being reset or initialized at the next reboot. So, if the
    hibernate option exists and the OS and machine support it, the best option
    is to use it. Then remove the HDD and proceed with the offline analysis
    using an image. If not, after collecting the live data from the system,
    it is recommended to pull the plug and continue the offline analysis of
    the image.
    
    Cheers,
    Suresh Ponnusami,
    Internet Security Consultant,
    Co-Founder,
    nSecure Software (P) Ltd.,
    Bangalore, INDIA.
    e-mail : suryaat_private
    Phone : +91 (0) 80 535 1545
    Fax : +91 (0) 80 535 1551
    
    ----- Original Message -----
    Ben Wrote:
    
    >
    > Many newer computers and OSes have a "Hibernation" mode or (in the case
    > of laptops mainly) they have a "Save-to-disk" function.
    >
    > This powers off the system and you can usually remove the hard disk
    > drive and image it. However, the image will contain a "snapshot" of the
    > system RAM, and it should boot into the previous state.
    >
    > Obviously network (and dial-up) connections are broken; however, devices
    > are restored to their previous state.
    >
    > After gathering the normal "snapshot" of live information, would putting
    > the computer into hibernation (or standby-with-save-to-disk) be better
    > than shutting it down?
    >
    > Also, say you have just gathered the data from an NTFS box, do you shut
    > it down nicely (where every program gets an event to terminate, and can
    > subsequently "do stuff") or do you just grab that big cord at the back
    > and pull (NTFS volumes should survive quite easily).
    >
    > Does anyone have any thoughts on the usefulness of these procedures?
    >
    > Is there any "current pseudo-standard" to just pull the plug after
    > gathering the live data instead of shutting down?
    >
    > -- Benjamin Holmes
    >
    > This message is not an official communication of my employer, Getronics.
    >
    > E&OE. All spelling and grammatical errors are for your enjoyment and
    > entertainment only and are copyright Benjamin Holmes.  This message is
    > guaranteed free of exotic diseases. This e-mail message and any
    > attachments are confidential and may be privileged.  If you are not the
    > intended recipient, please notify me immediately by replying to this
    > message and please destroy all copies of this message and attachments.
    > Please also try to forget everything you have read that was contained in
    > this E-Mail message, except this part, and you may not copy it. Thank
    > you.
    >
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
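The thread above turns on whether the hibernation file left on disk is still a usable snapshot of RAM once the drive has been pulled and imaged. The following is an added example (editor's code, not from either poster, and not a tool either of them names): it takes a hiberfil.sys that has already been extracted from the disk image and classifies it by the 4-byte signature at offset 0 of the Windows hibernation header, which is "hibr" for a valid image that the machine has not been resumed from and "wake" once the system has resumed from it. Treating an all-zero header as a discarded image and the upper-case form of the signature the same as the lower-case one are assumptions made here; the sample files are constructed in a temporary directory and are not real captures. The SHA-256 is computed over the whole file so the result can go straight into the evidence log.

```python
"""Classify an extracted hiberfil.sys by its header signature (added example)."""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

HEADER_LEN = 4096  # read one page; only the first 4 bytes are inspected

# Header signatures of hiberfil.sys and the state of the saved RAM image.
SIGNATURES = {
    b"hibr": "active",    # valid image; the box has not been resumed from it
    b"wake": "resumed",   # rewritten when the system resumed from this image
}


def classify_header(header: bytes) -> str:
    """Return active / resumed / zeroed / truncated / unknown for a header."""
    if len(header) < 4:
        return "truncated"
    sig = header[:4]
    # Assumption: an upper-case signature is treated the same as lower-case.
    state = SIGNATURES.get(sig.lower())
    if state:
        return state
    if sig == b"\x00\x00\x00\x00":
        return "zeroed"      # assumption: image discarded, nothing to analyse
    return "unknown"         # not a hibernation file, or a format not parsed here


def examine(path: str | os.PathLike) -> dict:
    """Hash the whole file (for the evidence log) and classify its header."""
    p = Path(path)
    sha = hashlib.sha256()
    with p.open("rb") as fh:
        header = fh.read(HEADER_LEN)
        sha.update(header)
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            sha.update(chunk)
    state = classify_header(header)
    return {
        "file": p.name,
        "size": p.stat().st_size,
        "sha256": sha.hexdigest(),
        "state": state,
        "usable_memory_image": state == "active",
    }


def demo() -> dict[str, dict]:
    """Constructed sample files (not real hiberfil.sys captures) in a temp dir."""
    samples = {
        "hibernated.bin": b"hibr" + os.urandom(8192),  # as left by a hibernate
        "resumed.bin": b"wake" + os.urandom(8192),     # box was booted again
        "discarded.bin": bytes(8192),                  # header zeroed
        "not_hiber.bin": b"NTFS    " + bytes(4088),    # a boot sector, not hiberfil
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            p = Path(d, name)
            p.write_bytes(data)
            results[name] = examine(p)
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:16} {r['state']:9} usable={r['usable_memory_image']} "
              f"sha256={r['sha256'][:16]}...")
```

The point for the procedure debated above: only a file reporting "active" is worth loading into a memory-analysis tool as a snapshot of the running box. A "resumed" or "zeroed" result means the machine was booted again after hibernation, which is exactly what pulling the disk before any further boot is meant to prevent.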
    



    This archive was generated by hypermail 2b30 : Tue Jun 11 2002 - 11:04:46 PDT