----- Original Message -----
From: "Craig Earnshaw" <Craig.Earnshawat_private>
To: "Christopher Howell" <howellcat_private>
Cc: <forensicsat_private>
Sent: Thursday, January 30, 2003 1:13 PM
Subject: Re: Identifying Win2K/XP Encrypted Files

> I would actually suggest a different method. If you are tasked to seize
> a machine you should do ABSOLUTELY NOTHING with it, apart from pulling
> the plug out of the wall if it's up and running. Any actions that you
> perform on the machine could potentially destroy evidence and
> subsequently be used to suggest that you have tampered with the evidence.

Has anyone found that this has a detrimental effect on the filesystem? Obviously it's better than shutting the box down, as something may be watching for that, I know; just curious if the situation has occurred that the filesystem was damaged to the extent that the forensic analysis was hindered?

Cheers.

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

This archive was generated by hypermail 2b30 : Thu Jan 30 2003 - 06:01:01 PST