Craig, Excellent points, all. > the system that you're talking about > imaging has a number of active users Good assumption. Also consider a system with services, such as a web server, ftp server, etc. > Even with really high data transfer rates it's going > to take a good 20 > mins to take the image of that system, I've used the term "smear-shot", vice "snapshot", to describe this...for exactly the reasons you pointed out. As the image is being made of the live system, sectors that have already been copied may be altered. In such a case, you would end up with an image in which the data isn't simply a snapshot of what was on the drive at the time the system was shut down, but rather "smeared" over the time interval of the imaging process. A reader of this list sent me email stating that there are legal reasons for imaging a live system, but given what you've specifically pointed out (and without elaboration by that reader), I can't see how there _would_ be any legal reason for doing so. Carv __________________________________________________ Do You Yahoo!? Yahoo! - Official partner of 2002 FIFA World Cup http://fifaworldcup.yahoo.com ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Jun 19 2002 - 09:39:32 PDT