RE: Identifying Win2K/XP Encrypted Files

From: George M. Garner Jr. (gmgarnerat_private)
Date: Wed Feb 19 2003 - 08:15:58 PST


    Eloi,
    
    >> I suppose there are plenty of ways a Win2K/XP administrator can crash
    >> a system... <<
    
    Crashing a Windows system didn't use to be a problem.  :-)
    [Un]fortunately, MS systems are becoming more reliable and you may need
    to use something like http://www.osr.com/files/BANG.zip.  Note that bang
    installs a small service on the subject system and modifies the system
    registry.  Use at your own risk.
    
    One disadvantage of this method is that device drivers may register a
    callback routine that is executed during and written to the crash dump.
    See
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/kmarch/hh/kmarch/drvrrtns_0m2a.asp or
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/kmarch/hh/kmarch/drvrrtns_5x2q.asp
    (Windows XP SP1 and later).  Much of the IO
    subsystem has shut down by the time these callback routines are called.
    Nevertheless, someone sophisticated enough to write a kernel mode
    rootkit might be sophisticated enough to exploit these callback routines
    to destroy evidence during the crash dump.  Fortunately, kernel mode
    rootkits are not yet as common on Windows systems as on *nix systems.  
    
    Power management also has been suggested as a possible method for
    gathering volatile evidence from a running system.  Power management is
    a cooperative process between the operating system and the applications
    running on a system, however.  As such, it should be pretty easy to
    exploit or frustrate.
    
    There are a number of good methods for acquiring evidence from a running
    computer system.  Each of these methods has its advantages and
    disadvantages.  Each of these methods, including pulling the plug,
    involves some level of evidence reduction or loss.  In all probability,
    each of these methods may be frustrated to some extent, particularly if
    your suspect knows in advance what you are going to do.
    
    The important thing is to understand the advantages and disadvantages of
    each method and then choose wisely based on what you are investigating
    and what you suspect.
    
    Regards,
    
    George.
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Feb 19 2003 - 10:05:26 PST