Pulling the plug would lose access to any third-party encrypted partitions that may otherwise be accessible. PGPDisk comes to mind. If the drive was mounted, and you pull the plug, you've lose the capability of seeing that partition and any evidence on it unless you can recover the key. Anyone have any recommendations in that regard? Would a better policy be to poke a little? What about information in active memory? M. Dante Mercurio dmercurioat_private Consulting Group Manager Continental Consulting Group, LLC www.ccgsecurity.com -----Original Message----- From: Craig Earnshaw [mailto:Craig.Earnshawat_private] Sent: Thursday, January 30, 2003 9:11 AM To: Nexus Cc: forensicsat_private Subject: Re: Identifying Win2K/XP Encrypted Files As a general rule of thumb, as long as it's not a *nix box, or an NT or Win2K server, you're usually fine to pull the plug (emphasis on the "usually" - if you do it and all goes wrong don't blame me!!!) Craig G Earnshaw Head of Forensic Computing Services Lee & Allen Consulting Ltd London - New York - Hong Kong >>I would actually suggest a different method. If you are tasked to >>seize a machine you should do ABSOLUTELY NOTHING with it, apart from >>pulling the plug out of the wall if it's up and running. Any actions >>that you perform on the machine could potentially destroy evidence and >>subsequently be used to suggest that you have tampered with the >>evidence. >> >> > >Has anyone found that this has a detrimental effect on the filesystem ? >Obviously it's better than shutting the box down as something may be >watching for that I know, just curious if the suituation has occured >that the filesystem was damaged to the extent that the forensics >analysis was hindered ? > >Cheers. > > > > ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Jan 30 2003 - 06:33:18 PST