Hosting Provided By

Re: Windows HD image for forensics testing

From: Simson L. Garfinkel <simsong(at)lcs.mit.edu>
Date: Mon Jul 14 2003 - 20:11:47 EDT

> The people that I know with Windows honeypots aren't sure if is legal

Well, there is a way around this problem.

Write a program that extracts the Windows DLL's, EXE's, etc, to "distfile1" from an existing Windows system.
Write a program that takes the Windows Honeypot image and removes everything that is in "distfile1" Call this "distfile2"
Distribute "distfile2" and a program that takes "distfile1" and produces the honeypot image.

This isn't a novel idea. Think of distfile2 as a patchfile and program #3 as "patch"

>
> brian

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Tue Jul 15 15:04:33 2003

This message: [ Message body ]
Next message: Christine Siedsma: "Re: Creation / modification / access dates"
Previous message: Gary Kessler: "Re: Creation / modification / access dates"
In reply to: Brian Carrier: "Re: Windows HD image for forensics testing"
In reply to Brian Carrier: "Re: Identifying Win2K/XP Encrypted Files"
Next in thread: Michael Edwards: "Proprietary hard drive interfaces"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:44 EDT