----- Original Message -----
From: "Clifford Thurber" <cliffordat_private>

> Why would you pull the plug? Wouldn't using "shutdown" be sufficient to write out in-memory data blocks back to disk? I would think you could image it before you shut down the machine and then of course image after you ran shutdown for a more complete picture. Maybe "pull the plug" is not to be taken literally, but I think you have to be careful with your diction on a list that pertains to legal issues, evidence, etc.

As I mentioned in my original email, the problem with using 'shutdown' or an equivalent is that something may be watching for it. It makes no odds if you use your own "known good" binary when there is an LKM or other kernel-level shim in there looking for a shutdown and then fragging the drive before it does the shutdown. Poof! goes your evidence, hence my question ;-)

Cheers.