Hosting Provided By

Re: Identifying Win2K/XP Encrypted Files

From: John L. Clarke, III <joclarke(at)cisco.com>
Date: Tue Feb 04 2003 - 13:07:28 EST

Hi Chris;

While several have answered already, and a couple touched on this area, I would caution that there are (such as here at Cisco) issues with the poweroff on a running windows box. Specifically, we have Pointsec - a harddrive encryption software - running. This encrypts the *entire* drive, from the boot sector, not just pieces like PGPDisk. You powercycle the box, what you have is a prompt from Pointsec. Failing that, you have garbage.

The upside to Pointsec is that it's a key escrow and some of our admins have the 'god mode' keys to decrypt. Lacking that, you end up with nada.

Just one example of what you need to be aware of when cycling systems. :-0 Not that it helps with your particular case, I suppose.

/john

At 1/29/2003 12:23 -0500, Christopher Howell wrote:
>Does anyone know a slick way to find encrypted files on a running Win2K/XP

John L. Clarke, III                             Cisco Systems, Inc.
joclarke@cisco.com                              Information Security
           Team Lead: SecOps, Incidents, Investigations

PGP: 28FE 9973 9A75 6408 59DB 5D82 73B4 FB04

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Wed Feb 5 08:34:19 2003

This message: [ Message body ]
Next message: Simson L. Garfinkel: "confusion about 256 bits vs. 256 processors"
Previous message: Christine Siedsma: "Re: Computer Forensic Books 2002 - 1Q*2003"
In reply to: Christopher Howell: "Identifying Win2K/XP Encrypted Files"
In reply to LupulDacic: "Raspuns: Identifying Win2K/XP Encrypted Files"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:43 EDT