RE: Identifying Win2K/XP Encrypted Files

From: Glenn_Everhartat_private
Date: Thu Jan 30 2003 - 06:20:08 PST


    If you pull the plug, you lose any possibility of finding what is in memory
    only. Thus, info like what connections are open, what processes are running,
    what files are open becomes unavailable.
    
    More seriously, if the system uses an encrypting disk (or virtual disk) package
    where the encryption key is a memory-only thing you may have essentially no
    way to find anything at all. A cryptodisk would ensure that everything on the
    hard drive is garbage...unless you know the decryption key. 
    
    I tend to favor using some known utilities to poke around first and record
    some of what is going on, with a witness around who can testify if need be
    what he saw. 
    
    I agree re looking for high entropy patches of storage; that is more likely to
    be encrypted. Note however there are some forms of stego that decrease it
    again (texto for example).
    
    -----Original Message-----
    From: Nexus [mailto:nexusat_private-way.co.uk]
    Sent: Thursday, January 30, 2003 8:46 AM
    To: Craig Earnshaw
    Cc: forensicsat_private
    Subject: Re: Identifying Win2K/XP Encrypted Files
    
    
    
    ----- Original Message -----
    From: "Craig Earnshaw" <Craig.Earnshawat_private>
    To: "Christopher Howell" <howellcat_private>
    Cc: <forensicsat_private>
    Sent: Thursday, January 30, 2003 1:13 PM
    Subject: Re: Identifying Win2K/XP Encrypted Files
    
    
    > I would actually suggest a different method.  If you are tasked to seize
    > a machine you should do ABSOLUTELY NOTHING with it, apart from pulling
    > the plug out of the wall if it's up and running.  Any actions that you
    > perform on the machine could potentially destroy evidence and
    > subsequently be used to suggest that you have tampered with the evidence.
    
    Has anyone found that this has a detrimental effect on the filesystem?
    Obviously it's better than shutting the box down as something may be
    watching for that, I know; just curious if the situation has occurred that
    the filesystem was damaged to the extent that the forensics analysis was
    hindered?
    
    Cheers.
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    
    
    
    
    
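The high-entropy heuristic Glenn mentions, together with his caveat that text-like stego encodings bring the entropy back down, as an added example that is not part of the original thread. It assumes a 1024-byte scan window and a 7.0 bits/byte cut-off, and uses a chained SHA-256 stream as a constructed stand-in for ciphertext and base64 as a constructed stand-in for a texto-style re-encoding.

```python
import base64
import hashlib
import math
from collections import Counter

BLOCK = 1024        # assumed window size; real tools usually scan cluster-sized windows
THRESHOLD = 7.0     # assumed cut-off in bits/byte; ciphertext and compressed data sit near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the byte-frequency distribution, 0.0 (one value) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_blocks(image: bytes, block: int = BLOCK, threshold: float = THRESHOLD):
    """Return (offset, entropy) for each window at or above the threshold.

    A hit is a lead worth examining, not proof of encryption: compressed
    archives and media also score near 8.0, and stego that re-encodes
    ciphertext as text scores well below it.
    """
    hits = []
    for off in range(0, len(image), block):
        h = shannon_entropy(image[off:off + block])
        if h >= threshold:
            hits.append((off, round(h, 2)))
    return hits


def pseudo_cipher(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic stand-in for ciphertext: a chained SHA-256 byte stream (constructed)."""
    out, chunk = bytearray(), seed
    while len(out) < n:
        chunk = hashlib.sha256(chunk).digest()
        out += chunk
    return bytes(out[:n])


# Constructed disk image: plain text, a ciphertext-like region, plain text again,
# then the same ciphertext re-encoded as base64 (stand-in for a texto-style encoding).
TEXT = (b"The quick brown fox jumps over the lazy dog. " * 40)[:BLOCK]
CIPHER_LIKE = pseudo_cipher(BLOCK)
ENCODED_LIKE = base64.b64encode(CIPHER_LIKE)[:BLOCK]
SAMPLE_IMAGE = TEXT + CIPHER_LIKE + TEXT + ENCODED_LIKE

if __name__ == "__main__":
    for off, h in high_entropy_blocks(SAMPLE_IMAGE):
        print(f"offset {off:6d}: {h} bits/byte")   # only the raw ciphertext window is flagged
```

Only the window at offset 1024 is reported; the base64 window holds the same ciphertext yet scores around 6 bits/byte, which is the texto-style blind spot Glenn points out.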



    This archive was generated by hypermail 2b30 : Thu Jan 30 2003 - 06:24:19 PST