Hosting Provided By

Re: Identifying Win2K/XP Encrypted Files

From: Brian Carrier <carrier(at)cerias.purdue.edu>
Date: Thu Jan 30 2003 - 10:00:38 EST

On Thu, Jan 30, 2003 at 09:39:01AM -0500, Dante Mercurio wrote:
> Pulling the plug would lose access to any third-party encrypted

You can always use a windows port of 'dd' and netcat to acquire just the encrypted volume before the power is removed. After power is removed, perform a usual dead acquisition of the entire disk.

In terms of disk state, yanking the plug likely creates a better image than doing a live acquisition (which I guess really isn't saying much).

brian

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Thu Jan 30 13:15:54 2003

This message: [ Message body ]
Next message: Nathan Yocom: "RE: Identifying Win2K/XP Encrypted Files"
Previous message: Kevin.M-CTR.Shannon(at)faa.gov: "RE: Identifying Win2K/XP Encrypted Files"
In reply to Dante Mercurio: "RE: Identifying Win2K/XP Encrypted Files"
Next in thread: George M. Garner Jr.: "RE: Identifying Win2K/XP Encrypted Files"
Reply: George M. Garner Jr.: "RE: Identifying Win2K/XP Encrypted Files"
Reply: Clifford Thurber: "RE: Identifying Win2K/XP Encrypted Files"
Reply: Simson L. Garfinkel: "Re: Windows HD image for forensics testing"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:43 EDT