RE: Identifying Win2K/XP Encrypted Files

From: Dante Mercurio <dmercurio(at)ccgsecurity.com>
Date: Thu Jan 30 2003 - 09:39:01 EST

Pulling the plug would lose access to any third-party encrypted partitions that may otherwise be accessible. PGPDisk comes to mind. If the drive was mounted, and you pull the plug, you've lose the capability of seeing that partition and any evidence on it unless you can recover the key.

Anyone have any recommendations in that regard? Would a better policy be to poke a little? What about information in active memory?

M. Dante Mercurio
dmercurio@ccgsecurity.com
Consulting Group Manager
Continental Consulting Group, LLC
www.ccgsecurity.com

-----Original Message-----
From: Craig Earnshaw [mailto:Craig.Earnshaw@TheEntrepreneur.Com] Sent: Thursday, January 30, 2003 9:11 AM To: Nexus
Cc: forensics@securityfocus.com
Subject: Re: Identifying Win2K/XP Encrypted Files

  As a general rule of thumb, as long as it's not a *nix box, or an NT or Win2K server, you're usually fine to pull the plug (emphasis on the "usually" - if you do it and all goes wrong don't blame me!!!)

Craig G Earnshaw
Head of Forensic Computing Services
Lee & Allen Consulting Ltd
London - New York - Hong Kong

>>I would actually suggest a different method. If you are tasked to

>>subsequently be used to suggest that you have tampered with the
>>evidence.

>Obviously it's better than shutting the box down as something may be

---

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

---

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Thu Jan 30 09:33:33 2003