-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

What about "bringing the system to its knees" (aka crashing) so it saves a memory dump to the disk? Do Win2K/XP do it by default? You would lose the data contained in the "free blocks" overwritten by the dump, but it could be a good way of obtaining an "image" of the running system (if you can process it afterwards, of course).

I suppose there are plenty of ways a Win2K/XP administrator can crash a system in "non standard" ways that do not trip the wires of a virus/rootkit.

Regards,

Eloi Granado

On Wednesday 12 February 2003 15:53, George M. Garner Jr. wrote:
> These changes also might be visible in MFT mirror ($MftMirr) that
> usually is located towards the middle of the volume, or in the log file
> ($LogFile) or in the USN Journal ($Extend\$UsnJrnl). A thorough
> investigation usually ends up looking at unallocated space anyway
> because information is often hidden there.
>
> My purpose here is not to argue in favor of live acquisition. Pulling
> the plug or shutting the system down normally will be better methods in
> many (if not the majority) of cases. Rather, it is to call attention to
> the nature of digital evidence gathered from a *running* computer
> system. A running computer system is not inert. It is by nature
> dynamic, interactive and interconnected. It should come as no surprise
> that evidence gathered from a running computer system reflects the
> artifacts of this change. The artifacts of change are viewed as
> "defects" only because of the manner in which we are accustomed to
> interpret the evidence. Interpreted in a different light, the artifacts
> of change may provide an answer to what often is the most important
> question concerning a running computer system: What is it *doing*.
>
> Regards,
>
> George.
>
>
> -----------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

- --
- -----------------------------------------------------
Eloi Granado (eloiat_private)
PGP Key: http://eloi.millorsoft.es/pgp-publickey.asc
- -----------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+TNirewfs1FO2wi0RAoLUAKCEqgiLtlBy9aCaGMOK8mVZz7BvxwCgxO+H
XTomlKikGIbJiG8qdVPmSSI=
=DNLB
-----END PGP SIGNATURE-----
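The crash-to-dump idea Eloi raises above depends on how the box is configured, so here is an added example (not code from the thread's authors) that answers his "do they do it by default?" question for a given machine. It is a PowerShell script that reads the documented Win2K/XP crash-dump settings (the CrashControl key and the i8042prt CrashOnCtrlScroll switch) and reports whether a deliberately induced crash would actually capture a complete physical-memory image. Function and variable names are mine; it assumes an elevated session on the target.

```powershell
# Added example, not from the original thread. Reads the Windows crash-dump
# configuration and reports whether a deliberately induced crash would capture
# a complete physical-memory image. Function and variable names are mine;
# registry paths and value meanings are the documented Win2K/XP ones.
# Run in an elevated PowerShell session.

function Get-CrashDumpReadiness {
    $cc  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
    $kbd = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters' `
                            -ErrorAction SilentlyContinue

    # CrashDumpEnabled: 0 = no dump, 1 = complete, 2 = kernel only, 3 = small (64 KB minidump)
    $mode = switch ([int]$cc.CrashDumpEnabled) {
        0 { 'none' }  1 { 'complete' }  2 { 'kernel' }  3 { 'small' }
        default { "unknown ($_)" }
    }

    # A complete dump is first written into the paging file on the boot volume,
    # so that file must be at least RAM + 1 MB. After reboot SaveDump copies it
    # to DumpFile, and that copy is what consumes unallocated clusters.
    $ramMB = [math]::Ceiling((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
    $pf    = Get-WmiObject Win32_PageFileUsage |
             Where-Object { $_.Name -like "$($env:SystemDrive)*" }
    $pfMB  = if ($pf) { [int]$pf.AllocatedBaseSize } else { 0 }

    [pscustomobject]@{
        DumpMode             = $mode
        DumpFile             = $cc.DumpFile
        OverwriteOldDump     = [bool]$cc.Overwrite
        AutoReboot           = [bool]$cc.AutoReboot
        RamMB                = $ramMB
        BootVolumePagefileMB = $pfMB
        CompleteDumpWillFit  = ($mode -eq 'complete') -and ($pfMB -ge ($ramMB + 1))
        # CrashOnCtrlScroll = 1 lets Right Ctrl + Scroll Lock (twice) bugcheck the
        # box from a PS/2 keyboard; setting it only takes effect after a reboot.
        KeyboardCrashEnabled = [bool]($kbd -and $kbd.CrashOnCtrlScroll -eq 1)
    }
}

Get-CrashDumpReadiness | Format-List
```

Two things the output makes explicit for the investigator: unless DumpMode is "complete" and the boot-volume paging file is large enough, the crash yields at most a kernel or 64 KB minidump rather than an image of RAM; and the "free blocks" loss Eloi mentions happens mostly at the SaveDump copy on reboot, not at crash time, since the dump itself lands in the already-allocated paging file. If the keyboard trigger is not already enabled, turning it on requires a reboot, which defeats the purpose on a system you want to capture as it is.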
This archive was generated by hypermail 2b30 : Wed Feb 19 2003 - 06:56:11 PST