RE: Identifying Win2K/XP Encrypted Files

From: Dante Mercurio (dmercurioat_private)
Date: Thu Jan 30 2003 - 06:39:01 PST

    Pulling the plug would lose access to any third-party encrypted
    partitions that may otherwise be accessible. PGPDisk comes to mind. If
    the drive was mounted, and you pull the plug, you've lost the capability
    of seeing that partition and any evidence on it unless you can recover
    the key.
    
    Anyone have any recommendations in that regard? Would a better policy be
    to poke a little? What about information in active memory?
    
    M. Dante Mercurio
    dmercurioat_private
    Consulting Group Manager
    Continental Consulting Group, LLC
    www.ccgsecurity.com
    
    -----Original Message-----
    From: Craig Earnshaw [mailto:Craig.Earnshawat_private] 
    Sent: Thursday, January 30, 2003 9:11 AM
    To: Nexus
    Cc: forensicsat_private
    Subject: Re: Identifying Win2K/XP Encrypted Files
    
    
      As a general rule of thumb, as long as it's not a *nix box, or an NT 
    or Win2K server, you're usually fine to pull the plug (emphasis on the 
    "usually" - if you do it and all goes wrong don't blame me!!!)
    
    Craig G Earnshaw
    Head of Forensic Computing Services
    Lee & Allen Consulting Ltd
    London - New York - Hong Kong
    
    >>I would actually suggest a different method.  If you are tasked to 
    >>seize a machine you should do ABSOLUTELY NOTHING with it, apart from 
    >>pulling the plug out of the wall if it's up and running.  Any actions 
    >>that you perform on the machine could potentially destroy evidence and
    >>subsequently be used to suggest that you have tampered with the 
    >>evidence.
    >
    >Has anyone found that this has a detrimental effect on the filesystem ?
    >Obviously it's better than shutting the box down as something may be 
    >watching for that I know, just curious if the situation has occurred 
    >that the filesystem was damaged to the extent that the forensics 
    >analysis was hindered ?
    >
    >Cheers.
    
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service. For
    more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com



    This archive was generated by hypermail 2b30 : Thu Jan 30 2003 - 06:33:18 PST