As a general rule of thumb, as long as it's not a *nix box, or an NT or Win2K server, you're usually fine to pull the plug (emphasis on the "usually" - if you do it and all goes wrong don't blame me!!!)

Craig G Earnshaw
Head of Forensic Computing Services
Lee & Allen Consulting Ltd
London - New York - Hong Kong

>>I would actually suggest a different method. If you are tasked to seize
>>a machine you should do ABSOLUTELY NOTHING with it, apart from pulling
>>the plug out of the wall if it's up and running. Any actions that you
>>perform on the machine could potentially destroy evidence and
>>subsequently be used to suggest that you have tampered with the evidence.
>>
>
>Has anyone found that this has a detrimental effect on the filesystem?
>Obviously it's better than shutting the box down as something may be
>watching for that I know, just curious if the situation has occurred that
>the filesystem was damaged to the extent that the forensics analysis was
>hindered?
>
>Cheers.

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Jan 30 2003 - 06:18:55 PST