Re: Identifying Win2K/XP Encrypted Files

From: Brian Carrier (carrierat_private)
Date: Fri Jan 31 2003 - 01:27:28 PST

    On Thu, Jan 30, 2003 at 03:48:14PM -0500, George M. Garner Jr. wrote:
    > >> In terms of disk state, yanking the plug likely creates a better image
    > >> than doing a live acquisition (which I guess really isn't saying
    > >> much). <<
    > 
    > Many (if not most) modern file systems delay writes with large
    > in-memory write caches to improve performance.  Any time a disk image is
    > acquired without flushing the write cache, the resultant image is likely
    > to be in an inconsistent state.  This is because file system operations
    > are not atomic and some component of a given operation may still be in
    > the cache at the time the image is acquired.  I do not see any
    > difference in this regard between the two methods mentioned above (live
    > acquisition vs. pulling the plug).  Either method acquires a particular
    > slice-in-time of a given file system.  
    
    Hey George,
    
    Pulling the plug gives you the state at one instant.  Live acquisition
    gives you a blend of the states for the 20-30 minutes that the
    acquisition lasts for.  So, pulling the plug only introduces the
    inconsistencies from the cache while live acquisition introduces the
    same cache problems and new problems (for example, all clusters that
    were allocated for files after the MFT was imaged would not be seen
    using normal tools (except for the fragmented MFT entries that are
    further in the disk)).
    
    On the other hand, a live acquisition will require the usage of the
    cache and the I/O will force the caches to be flushed more frequently.
    
    As I said, it isn't really saying much when something is better than a
    live acquisition.  I just think that the number of inconsistencies
    could be smaller when comparing the size of a cache and how many things
    could change over the duration of live acquisition.  
    
    Of course, the silver bullet of evidence will probably not be written
    regardless of which method is used ;).
    
    brian
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
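An added toy model of the race Brian describes (not code from this thread, and not NTFS code): a volume with three regions (MFT, allocation bitmap, data area) is imaged region by region, a file is created after the MFT has already been copied, and a consistency check then reports the clusters the image shows as in use but that no imaged MFT entry references. Region names, the `Volume` class and the sample file contents are assumptions of this example.

```python
from dataclasses import dataclass, field

@dataclass
class Volume:
    """Constructed stand-in for an NTFS volume: MFT entries, $Bitmap, data area."""
    mft: dict = field(default_factory=dict)     # file name -> set of clusters
    bitmap: set = field(default_factory=set)    # clusters marked allocated
    data: dict = field(default_factory=dict)    # cluster -> content

def create_file(vol, name, clusters, payload):
    """Allocate clusters, write the data and record the MFT entry (not atomic on disk)."""
    vol.mft[name] = set(clusters)
    vol.bitmap |= set(clusters)
    for c in clusters:
        vol.data[c] = payload

def acquire_sequentially(vol, writes_during):
    """Live acquisition: copy regions in order; writes_during[i] are the
    file-system operations that run after region i has been imaged.
    An empty writes_during is the 'pull the plug' case: one consistent instant."""
    image = Volume()
    regions = [
        ("mft", lambda: {k: set(v) for k, v in vol.mft.items()}),
        ("bitmap", lambda: set(vol.bitmap)),
        ("data", lambda: dict(vol.data)),
    ]
    for i, (name, snapshot) in enumerate(regions):
        setattr(image, name, snapshot())
        for write in writes_during.get(i, []):
            write(vol)   # the system keeps running while we image
    return image

def orphan_clusters(image):
    """Clusters the image's bitmap or data area says are in use, but that no
    MFT entry in the image references: these are invisible to normal tools."""
    referenced = set().union(*image.mft.values()) if image.mft else set()
    in_use = image.bitmap | set(image.data)
    return sorted(c for c in in_use if c not in referenced)

def demo():
    vol = Volume()
    create_file(vol, "a.txt", [10, 11], b"old")   # constructed sample file
    late_write = lambda v: create_file(v, "b.txt", [20, 21], b"new")
    return orphan_clusters(acquire_sequentially(vol, {0: [late_write]}))
```

`demo()` returns `[20, 21]`: the new file's clusters are in the image, but its MFT entry is not, so a file-system parser of the image would treat them as unallocated space.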