H C wrote:

> I'm still not all that clear on _why_ you'd ever want to perform
> imaging of a "live" system. I can see why one would want to collect
> volatile data from the system, and then perhaps (based on decisions
> made regarding the situation) move on to disconnecting the system, and
> then imaging the drive.

Some examples:

- The computer has an encrypted file system, such as PGPdisk or Windows EFS, currently mounted. If the computer is shut down, an attempt to image it will only capture the encrypted data, not the true contents of the files. Without the passphrase, PGPdisk and EFS can create significant obstacles.

- You're not allowed to shut down the computer, even for a short period of time (e.g. the system has been damaged to the point where a reboot is not possible. Perhaps the attacker ran "rm -rf /etc/*" on the box).

- Rebooting the machine may alert an intruder that somebody has noticed what they're doing. (e.g. If a server has been running for 100 days and is suddenly rebooted without warning or explanation, it may appear suspicious.)

--
SA Jesse Kornblum
Chief, Research and Development
Air Force Office of Special Investigations
1535 Command Drive Room CD208
Andrews AFB, MD 20762 USA
DSN 857-1143 Commercial 240-857-1143
FAX 857-0963 STU-III 857-1143
email: jesse.kornblumat_private
siprnet: jesse.kornblumat_private
http://afosi-web.ogn.af.mil/xos/xosi/
http://www.afosi.af.smil.mil/xosi/

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Jun 18 2002 - 07:10:41 PDT