RE: Identifying Win2K/XP Encrypted Files

From: George M. Garner Jr. (gmgarnerat_private)
Date: Thu Jan 30 2003 - 12:48:14 PST


    Brian,
    
    >> In terms of disk state, yanking the plug likely creates a better
    >> image than doing a live acquisition (which I guess really isn't saying
    >> much). <<
    
    Many (if not most) modern file systems delay writes, using large
    in-memory write caches to improve performance.  Any time a disk image is
    acquired without flushing the write cache, the resultant image is likely
    to be in an inconsistent state.  This is because file system operations
    are not atomic and some component of a given operation may still be in
    the cache at the time the image is acquired.  I do not see any
    difference in this regard between the two methods mentioned above (live
    acquisition vs. pulling the plug).  Either method acquires a particular
    slice-in-time of a given file system.  
    
    Regards,
    
    George.   
    
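The point above in a toy model, added here as an illustration and not part of the original thread: a write-back cache in front of a block store, a two-step file move that is not atomic, and an image taken before the flush completes. The CachedDisk/acquire model is constructed for this example and mirrors no real file system's on-disk layout; it also assumes that a live raw-device read sees the store and not the dirty cache.

```python
from dataclasses import dataclass, field


@dataclass
class CachedDisk:
    """Block store with a write-back cache (constructed toy model, not a real FS)."""
    blocks: dict = field(default_factory=dict)  # what is actually on the platters
    cache: dict = field(default_factory=dict)   # dirty blocks not yet written back

    def write(self, block, value):
        self.cache[block] = value  # delayed write: only the cache changes

    def flush(self, limit=None):
        """Write dirty blocks back in order; `limit` models a flush that was cut short."""
        for i, block in enumerate(list(self.cache)):
            if limit is not None and i >= limit:
                break
            self.blocks[block] = self.cache.pop(block)

    def image_live(self):
        # Raw-device read while the system is up: sees the store, not the cache.
        return dict(self.blocks)

    def image_pull_plug(self):
        # Power loss discards the cache; only the store survives to be imaged.
        self.cache.clear()
        return dict(self.blocks)


def check_consistency(image):
    """Report inodes not referenced by exactly one directory entry (orphans/duplicates)."""
    refs = {}
    for name, content in image.items():
        if name.startswith("dir:"):
            for ino in content.values():
                refs[ino] = refs.get(ino, 0) + 1
    return [f"inode {ino} referenced {refs.get(ino, 0)} times"
            for ino in (int(n.split(":")[1]) for n in image if n.startswith("inode:"))
            if refs.get(ino, 0) != 1]


def acquire(method, blocks_flushed):
    """Move a.txt from dir A to dir B (two block writes, not atomic), let
    `blocks_flushed` of them reach disk, then image by `method` ("live" or "pull_plug").
    Returns the consistency findings for the resulting image."""
    disk = CachedDisk(blocks={"dir:A": {"a.txt": 7}, "dir:B": {}, "inode:7": {"size": 4}})
    disk.write("dir:A", {})               # step 1: drop the old directory entry
    disk.write("dir:B", {"a.txt": 7})     # step 2: add the new one
    disk.flush(limit=blocks_flushed)      # 0 = nothing hit disk, 1 = half, 2 = all
    image = disk.image_live() if method == "live" else disk.image_pull_plug()
    return check_consistency(image)
```

With one of the two writes still in the cache, both acquisition methods yield the same image with inode 7 orphaned; only an image taken after the flush completed (or before the operation reached disk at all) passes the check.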
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    



    This archive was generated by hypermail 2b30 : Thu Jan 30 2003 - 18:59:07 PST