RE: Identifying Win2K/XP Encrypted Files

From: Clifford Thurber (cliffordat_private)
Date: Fri Jan 31 2003 - 08:09:18 PST


    Why would you pull the plug? Wouldn't using "shutdown" be sufficient to write out in-memory data blocks back to disk? I would think you could image it before you shut down the machine and then of course image after you ran shutdown for a more complete picture. Maybe "pull the plug" is not to be taken literally, but I think you have to be careful with your diction on a list that pertains to legal issues, evidence etc.
    
    
    
    -----Original Message-----
    From: George M. Garner Jr. [mailto:gmgarnerat_private]
    Sent: Thursday, January 30, 2003 3:48 PM
    To: 'Brian Carrier'
    Cc: forensicsat_private
    Subject: RE: Identifying Win2K/XP Encrypted Files
    
    
    Brian,
    
    >> In terms of disk state, yanking the plug likely creates a better
    >> image than doing a live acquisition (which I guess really isn't saying
    >> much). <<
    
    Many (if not most) modern file systems delay writes with large
    in-memory write caches to improve performance.  Any time a disk image is
    acquired without flushing the write cache, the resultant image is likely
    to be in an inconsistent state.  This is because file system operations
    are not atomic and some component of a given operation may still be in
    the cache at the time the image is acquired.  I do not see any
    difference in this regard between the two methods mentioned above (live
    acquisition vs. pulling the plug).  Either method acquires a particular
    slice-in-time of a given file system.  
    
    Regards,
    
    George.   
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
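The point in the thread above, as an added example that is not part of the original messages: a toy file system with a write-back cache, invented for this illustration (16-byte blocks, block 0 a superblock holding a used-block count and a SHA-256 prefix over the data blocks, a "record write" done as a metadata update followed by a data write). An image acquired while part of an operation is still in the cache fails a consistency check, the image after pulling the plug is byte-for-byte the same slice-in-time as the live image, and only flushing the cache (what a clean shutdown does) yields a consistent image. All block layouts, sizes and the eviction policy are assumptions of this model, not properties of NTFS or any real file system.

```python
"""Toy write-back cache showing why an unflushed disk image can be inconsistent.

Added example; the on-disk format and cache policy here are invented.
"""
import copy
import hashlib

BLOCK = 16  # assumed block size for the toy file system


class CachedDisk:
    """Persistent blocks plus a write-back cache holding at most `capacity`
    dirty blocks. When the cache is full the oldest dirty block is written
    back to disk (a simplification of real eviction policies)."""

    def __init__(self, nblocks: int, capacity: int = 1):
        self.disk = [bytes(BLOCK) for _ in range(nblocks)]
        self.cache: dict[int, bytes] = {}  # insertion order = oldest first
        self.capacity = capacity

    def write(self, blk: int, data: bytes) -> None:
        data = data.ljust(BLOCK, b"\x00")[:BLOCK]
        if blk in self.cache:
            del self.cache[blk]  # re-inserted below as the newest dirty block
        elif len(self.cache) >= self.capacity:
            oldest = next(iter(self.cache))
            self.disk[oldest] = self.cache.pop(oldest)  # write-back on eviction
        self.cache[blk] = data

    def read(self, blk: int) -> bytes:
        return self.cache.get(blk, self.disk[blk])  # the view a running OS has

    def flush(self) -> None:
        """What a clean shutdown does: push every dirty block to disk."""
        for blk, data in self.cache.items():
            self.disk[blk] = data
        self.cache.clear()

    def pull_plug(self) -> None:
        """Power loss: dirty blocks in RAM are gone, the disk keeps what it had."""
        self.cache.clear()

    def image(self) -> list[bytes]:
        """An acquisition sees only what has actually reached the disk."""
        return list(self.disk)


def checksum(blocks: list[bytes], used: int) -> bytes:
    h = hashlib.sha256()
    for b in blocks[1:1 + used]:  # data blocks 1..used
        h.update(b)
    return h.digest()[:BLOCK - 4]


def superblock(blocks: list[bytes], used: int) -> bytes:
    return used.to_bytes(4, "big") + checksum(blocks, used)


def write_record(fs: CachedDisk, payload: bytes) -> None:
    """One logical operation made of two block writes: first the metadata
    (allocate a block in the superblock), then the data block itself."""
    used = int.from_bytes(fs.read(0)[:4], "big") + 1
    view = [fs.read(i) for i in range(len(fs.disk))]  # OS view: cache + disk
    view[used] = payload.ljust(BLOCK, b"\x00")[:BLOCK]
    fs.write(0, superblock(view, used))
    fs.write(used, payload)


def fsck(image: list[bytes]) -> bool:
    """Consistency check over an acquired image: does the superblock's
    checksum match the data blocks it claims are in use?"""
    used = int.from_bytes(image[0][:4], "big")
    if used >= len(image):
        return False
    return image[0][4:] == checksum(image, used)


def scenario() -> dict:
    fs = CachedDisk(nblocks=4, capacity=1)
    fs.write(0, superblock(fs.disk, 0))
    fs.flush()                              # "mkfs": empty but consistent
    write_record(fs, b"record A")
    fs.flush()                              # an earlier, completed operation
    write_record(fs, b"record B")           # in flight: superblock already
    live = fs.image()                       # evicted to disk, data still dirty
    plugged = copy.deepcopy(fs)
    plugged.pull_plug()
    shut_down = copy.deepcopy(fs)
    shut_down.flush()
    return {
        "live_consistent": fsck(live),
        "plug_consistent": fsck(plugged.image()),
        "plug_same_as_live": plugged.image() == live,
        "shutdown_consistent": fsck(shut_down.image()),
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

In this model the live image and the post-plug image are identical and both fail fsck, because the superblock reached the disk while the data block it references had not; the flushed image passes. A flush changes the disk contents, which is why the message above suggests imaging both before and after a shutdown.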
    



    This archive was generated by hypermail 2b30 : Sun Feb 02 2003 - 06:39:26 PST