On Thu, Jan 30, 2003 at 09:39:01AM -0500, Dante Mercurio wrote: > Pulling the plug would lose access to any third-party encrypted > partitions that may otherwise be accessible. PGPDisk comes to mind. If > the drive was mounted, and you pull the plug, you've lose the capability > of seeing that partition and any evidence on it unless you can recover > the key. You can always use a windows port of 'dd' and netcat to acquire just the encrypted volume before the power is removed. After power is removed, perform a usual dead acquisition of the entire disk. In terms of disk state, yanking the plug likely creates a better image than doing a live acquisition (which I guess really isn't saying much). brian ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Jan 30 2003 - 10:13:45 PST