
RE: Identifying Win2K/XP Encrypted Files

From: Clifford Thurber <clifford(at)mediafarm.com>
Date: Fri Jan 31 2003 - 11:09:18 EST


Why would you pull the plug? Wouldn't using "shutdown" be sufficient to write out in-memory data blocks back to disk? I would think you could image it before you shut down the machine and then, of course, image again after you ran shutdown for a more complete picture. Maybe "pull the plug" is not to be taken literally, but I think you have to be careful with your diction on a list that pertains to legal issues, evidence, etc.

-----Original Message-----
From: George M. Garner Jr. [mailto:gmgarner@erols.com]
Sent: Thursday, January 30, 2003 3:48 PM
To: 'Brian Carrier'
Cc: forensics@securityfocus.com
Subject: RE: Identifying Win2K/XP Encrypted Files

Brian,

>> In terms of disk state, yanking the plug likely creates a better image
>> than doing a live acquisition (which I guess really isn't saying
>> much). <<

Many (if not most) modern file systems delay writes with large in-memory write caches to improve performance. Any time a disk image is acquired without flushing the write cache, the resultant image is likely to be in an inconsistent state. This is because file system operations are not atomic, and some component of a given operation may still be in the cache at the time the image is acquired. I do not see any difference in this regard between the two methods mentioned above (live acquisition vs. pulling the plug). Either method acquires a particular slice-in-time of a given file system.

Regards,

George.



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Sun Feb 2 09:38:40 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:43 EDT
