Hey Tom,

That's why I pointed that out. It seems that when the ones are turned into zeros there could be some information that is indeed left behind. Or left out, as the case may be.

As part of my log file white paper, I've included information about various registry settings that one could use to see if a system was being compromised or not and what to do to protect those log files. I like digging into this stuff. It is all just time consuming.

I really should start going to those types of conventions. I would gain a lot out of the attendance.

Joseph

-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Saturday, February 09, 2002 8:26 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Black Hat Conference was FAR OUT!

http://www.ISAserver.org

Hi Joseph,

Good info. Actually, something that came up in one of the talks relates to this. You might not want to enable this option on machines that you'll want to preserve the 'chain of evidence' on after an attack. Some helpful information for forensic analysis might be available in the page file.

Thanks!
Tom
www.isaserver.org/shinder

-----Original Message-----
From: Joseph [mailto:cismic@xxxxxxx]
Sent: Saturday, February 09, 2002 8:31 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Black Hat Conference was FAR OUT!

Good going!

Here is a cool tip for your books: There is a registry key that can be created so that the memory manager clears the page file when the system goes down:

    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown: 1

Note: clearing of the page file is only done when the system is brought down in a controlled fashion. If the machine is just switched off or brought down in any other brute way, of course no clearing will be performed.

Joseph

-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Saturday, February 09, 2002 6:29 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Black Hat Conference was FAR OUT!

Hey everyone,

I just got back from the Black Hat security conference and it was GREAT! The talks I attended were top notch and I learned a TON of stuff that I can put into practice right away. It was also a great consciousness-raising experience and gave me some ideas for more articles on ISAserver.org.

I wasn't thinking of giving awards for the conference, but here's a few:

TOUGHEST QUESTION ASKER: thor@xxxxxxxxxxxxxxx
HOTTEST BABE: Ping
MOST INTERESTING AND THOUGHT PROVOKING CONVERSATIONS: Guys from the NSA (names withheld :-)
MOST LIKELY TO BE NICKNAMED SUPERMAN WHO CAN LEAP TALL AIRPORTS WITH A SINGLE BOUND: Jim Harrison

If you didn't make it to the conference, make sure you hit the one in Las Vegas in late July of this year.

Thanks!
Tom
www.isaserver.org/shinder
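
The trade-off discussed in this thread (wiping the page file at shutdown versus keeping it for forensic analysis) can be checked per machine. The PowerShell below is an added example, not part of the original messages; the function names and the two role labels are hypothetical, and it assumes the value sits under the `Session Manager\Memory Management` key.

```powershell
# Added example (not from the thread). Role labels are hypothetical.
$MmKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$MmName = 'ClearPageFileAtShutdown'

function Get-PageFileClearSetting {
    # A missing value behaves like 0: the page file is left intact at shutdown.
    $p = Get-ItemProperty -Path $MmKey -Name $MmName -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 0 }
    return [int]$p.$MmName
}

function Test-PageFileClearPolicy {
    param(
        # 'Confidentiality'      : page file should be wiped on a clean shutdown
        # 'EvidencePreservation' : page file should survive for forensic analysis
        [Parameter(Mandatory)]
        [ValidateSet('Confidentiality', 'EvidencePreservation')]
        [string]$Role
    )
    $current  = Get-PageFileClearSetting
    $expected = if ($Role -eq 'Confidentiality') { 1 } else { 0 }
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Role      = $Role
        Current   = $current
        Expected  = $expected
        Compliant = ($current -eq $expected)
    }
}

function Set-PageFileClearSetting {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    if ($PSCmdlet.ShouldProcess($MmKey, "Set $MmName to $Value")) {
        Set-ItemProperty -Path $MmKey -Name $MmName -Value $Value -Type DWord
    }
}

# Report first; on a mismatch, -WhatIf shows the write without performing it.
$result = Test-PageFileClearPolicy -Role 'EvidencePreservation'
$result
if (-not $result.Compliant) { Set-PageFileClearSetting -Value $result.Expected -WhatIf }
```

Drop `-WhatIf` from an elevated session to apply the change. Whichever value is set, the clearing only happens on a controlled shutdown.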