
RE: Identifying Win2K/XP Encrypted Files

From: George M. Garner Jr. <gmgarner(at)erols.com>
Date: Thu Jan 30 2003 - 15:48:14 EST


Brian,

>> In terms of disk state, yanking the plug likely creates a better image
>> than doing a live acquisition (which I guess really isn't saying

Many (if not most) modern file systems use delayed writes with large in-memory write caches to improve performance. Any time a disk image is acquired without flushing the write cache, the resultant image is likely to be in an inconsistent state. This is because file system operations are not atomic and some component of a given operation may still be in the cache at the time the image is acquired. I do not see any difference in this regard between the two methods mentioned above (live acquisition vs. pulling the plug). Either method acquires a particular slice-in-time of a given file system.

Regards,

George.
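
The point made in the message above, shown as an added example that is not part of the original post: a constructed toy model in which one file creation is three separate block writes held in a write-back cache. The class `CachedDisk`, the checker `fsck` and the sample file name are assumptions made for illustration and do not model any real file system.

```python
# Constructed toy model: three metadata blocks behind a write-back cache.
from copy import deepcopy

class CachedDisk:
    def __init__(self):
        self.disk = {"bitmap": set(), "inodes": {}, "dir": {}}  # on-disk state
        self.dirty = []            # delayed writes held in memory, in order

    def create_file(self, name, ino, size):
        # One logical operation = three separate block updates (not atomic).
        self.dirty.append(("dir", name, ino))
        self.dirty.append(("inodes", ino, size))
        self.dirty.append(("bitmap", ino, None))

    def writeback(self, n=None):
        # Flush the first n delayed writes (all of them when n is None).
        n = len(self.dirty) if n is None else n
        for block, key, val in self.dirty[:n]:
            if block == "bitmap":
                self.disk["bitmap"].add(key)
            else:
                self.disk[block][key] = val
        del self.dirty[:n]

    def acquire_live(self):
        # The imaging tool reads the device underneath the cache.
        return deepcopy(self.disk)

    def pull_plug(self):
        # Power loss: cached writes vanish, the disk keeps what it had.
        self.dirty.clear()
        return deepcopy(self.disk)

def fsck(image):
    errors = []                    # inconsistencies found in an acquired image
    for name, ino in image["dir"].items():
        if ino not in image["inodes"]:
            errors.append(f"{name}: directory entry points to missing inode {ino}")
        if ino not in image["bitmap"]:
            errors.append(f"{name}: inode {ino} not marked allocated")
    return errors

def demo():
    d = CachedDisk()
    d.create_file("evidence.doc", 7, 4096)
    d.writeback(1)                 # only the directory block reached disk
    live = d.acquire_live()
    flushed = deepcopy(d)
    flushed.writeback()            # same system, cache flushed before imaging
    return live, d.pull_plug(), flushed.acquire_live()
```

In this model the live image and the pulled-plug image are identical and both fail the check, while the image taken after a full flush passes it.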



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Thu Jan 30 21:59:28 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:43 EDT

