Re: Identifying Win2K/XP Encrypted Files
----- Original Message -----
From: "Clifford Thurber" <clifford@mediafarm.com>
> Why would you pull the plug? Wouldn't using "shutdown" be sufficient to
> write out in-memory data blocks back to disk? I would think you could image
> it before you shut down the machine and then of course image after you ran
> shutdown for a more complete picture. Maybe "pull the plug" is not to be
> taken literally, but I think you have to be careful with your diction on a list
> that pertains to legal issues, evidence etc.
As I mentioned in my original email, the problem with using 'shutdown' or an
equivalent is that something may be watching for it. It makes no odds if
you use your own "known good" binary when there is an LKM or other kernel-level
shim in there looking for a shutdown and then fragging the drive
before it does the shutdown. Poof! goes your evidence, hence my question
;-)
Cheers.
Received on Sun Feb 2 12:03:04 2003