Hosting Provided By

RE: Identifying Win2K/XP Encrypted Files

From: <Glenn_Everhart(at)bankone.com>
Date: Thu Jan 30 2003 - 09:20:08 EST

If you pull the plug, you lose any possibility of finding what is in memory only. Thus, info like what connections are open, what processes are running, what files are open becomes unavailable.

More seriously, if the system uses an encrypting disk (or virtual disk) package where the encryption key is a memory-only thing you may have essentially no way to find anything at all. A cryptodisk would ensure that everything on the hard drive is garbage...unless you know the decryption key.

I tend to favor using some known utilities to poke around first and record some of what is going on, with a witness around who can testify if need be what he saw.

I agree re looking for high entropy patches of storage; that is more likely to be encrypted. Note however there are some forms of stego that decrease it again (texto for example).

-----Original Message-----
From: Nexus [mailto:nexus@patrol.i-way.co.uk] Sent: Thursday, January 30, 2003 8:46 AM To: Craig Earnshaw
Cc: forensics@securityfocus.com
Subject: Re: Identifying Win2K/XP Encrypted Files

Original Message ----- From: "Craig Earnshaw" <Craig.Earnshaw@TheEntrepreneur.com> To: "Christopher Howell" <howellc@njdcj.org> Cc: <forensics@securityfocus.com> Sent: Thursday, January 30, 2003 1:13 PM Subject: Re: Identifying Win2K/XP Encrypted Files

> I would actually suggest a different method. If you are tasked to seize

Has anyone found that this has a detrimental effect on the filesystem ? Obviously it's better than shutting the box down as something may be watching for that I know, just curious if the suituation has occured that the filesystem was damaged to the extent that the forensics analysis was hindered ?

Cheers.

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

This transmission may contain information that is privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Thu Jan 30 09:24:25 2003

Do you need help?

This message: [ Message body ]
Next message: Bob the Builder: "Re: Identifying Win2K/XP Encrypted Files"
Maybe in reply to: Christopher Howell: "Identifying Win2K/XP Encrypted Files"
In reply to Craig Earnshaw: "Re: Identifying Win2K/XP Encrypted Files"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:43 EDT