Anti-virus wars start up again (Its time to party like its the 1999)

Bear Bottoms
Guest
Posts: n/a
 
      31st Jan 2012
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:(E-Mail Removed):

> From: "Bear Bottoms" <bearbottoms1+(E-Mail Removed)>
>
>| Dustin <(E-Mail Removed)> wrote in
>| news:Xns9FEAEC89E863AHHI2948AJD832@no:
>|
>>> Without knowing what infected you or how.. that image is going to
>>> get 0wned again. You accomplish nothing by doing this aside from
>>> giving the user a very false sense that they are safe again. Very
>>> unprofessional and irresponsible. Various individuals have tried to
>>> explain this but you smugly dismiss them.

>|
>| With an image of the infected system, all information is there to do
>| with as you will. Nothing is lost. You are simply wrong.
>
> That's not true. You ignore that Delta and Data Factors.
>
> The Delta Factor are those changes that have been made to the OS and
> software since the image was made.
>
> The Data Factor is the user data that can be lost with the restoration
> of an image.
>
> Dustin is correct.


Wow....how can both of you "experts" get it so wrong. It is an example
of ancient mentality hanging on in spite of a more learned approach.
>
> For YOU this might be a "good fit" solution but is not an overall
> solution. It is only a partial solution and requires a great deal of
> recognition and preparation. The computer user who thinks the DVD
> drive in the desktop is a cup holder will neither recognize this nor
> prepare for this. That's a worst case scenario computer user and there
> are a wide variety of people and the computer experience and
> knowledge. You have an overly simplistic POV that only comes from
> your experience. One has to put themselves into the shoes of a wide
> variety of computer users and see the state of affairs from their eyes
> and their POV. You also need to perform "thought experiments" with
> numerous "what if" scenarios to come up with broad spectrum solutions.


You are limiting your concept of what I speak to mounting an image and
exploring the malware from the mount. No! At any point and time, you can
reload that image and do what you will. You have lost nothing.

You should always first image a system that is infected before you do
anything else. After which, you can do whatever you wish to do with the
infected system, lose nothing, and if you muck it up you can reload and
start over. See, you can't project your mind-set away from the old
methods.

If anyone wishes to explore/analyze/attempt removal,"recognize and
prepare" and document to report, they can always reload the infected
image, do their thing and NOTHING is lost. Even with your narrow minded,
wrong, and not well thought out statements. Delta factor my ass. YOU
LOSE NOTHING - YOU CAN ALWAYS RELOAD THE INFECTED IMAGE and explore
away.

Most people won't. I know this from EXPERIENCE. Your candid off-the-cuff
snide remarks are noted again.



>
> I stated it before that imaging and backups are just one aspect of
> disaster recovery and not a solution for computer malware.
>


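The "Delta Factor" and "Data Factor" quoted above are easiest to see when they are computed rather than argued about. The following Python script is an added illustration, not code from any poster in this thread: it hashes every file under a "golden image" tree and under the live system, reports what a restore of that image would discard, and splits the loss into user data (Data Factor) and OS/software changes (Delta Factor). The sample trees and the rule that everything under `Users/` is user data are constructed assumptions for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

# Hypothetical layout assumption: anything under these top-level folders is user data.
USER_DATA_PREFIXES = ("Users/",)


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each regular file (relative POSIX path) under root to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compute_delta(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Files that differ between the image manifest and the live system."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def classify_loss(delta: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Split what restoring the image would undo into the two factors.

    Data Factor: user data created or changed since the image was taken (lost on restore).
    Delta Factor: OS/software files added, patched or removed since the image (reverted on restore).
    """
    changed = delta["added"] + delta["modified"]
    data_factor = sorted(p for p in changed if p.startswith(USER_DATA_PREFIXES))
    delta_factor = sorted(
        p for p in changed + delta["removed"] if not p.startswith(USER_DATA_PREFIXES)
    )
    return {"data_factor": data_factor, "delta_factor": delta_factor}


def write_tree(root: Path, files: Dict[str, bytes]) -> None:
    """Materialise a constructed sample tree on disk."""
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def demo() -> Dict[str, List[str]]:
    """Constructed sample: the golden image versus the live system some weeks later."""
    image_files = {
        "Windows/System32/kernel.dll": b"kernel v1",
        "Windows/System32/oldlib.dll": b"library removed by a later update",
        "Program Files/Office/winword.exe": b"office 2010",
        "Users/bob/Documents/thesis.docx": b"chapter 1",
    }
    live_files = {
        "Windows/System32/kernel.dll": b"kernel v2 (patched since imaging)",
        "Program Files/Office/winword.exe": b"office 2010",
        "Program Files/NewApp/newapp.exe": b"installed after imaging",
        "Users/bob/Documents/thesis.docx": b"chapter 1 + chapter 2",
        "Users/bob/Pictures/holiday.jpg": b"\xff\xd8 constructed bytes",
    }
    with tempfile.TemporaryDirectory() as tmp:
        image_root, live_root = Path(tmp, "image"), Path(tmp, "live")
        write_tree(image_root, image_files)
        write_tree(live_root, live_files)
        delta = compute_delta(build_manifest(image_root), build_manifest(live_root))
    return classify_loss(delta)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In the sample, restoring the image would silently drop the updated thesis and the new photo (Data Factor) and would roll back the kernel patch, resurrect the removed library and delete the newly installed application (Delta Factor). Running the same manifest comparison against a real machine before a restore is a quick way to decide whether imaging alone is an acceptable recovery for that user.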
Bear Bottoms
Guest
Posts: n/a
 
      31st Jan 2012
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:(E-Mail Removed):

> Are you suggesting that an image of the infected drive is the same
> *forensically* as having the actual 'still infected' drive to examine is?


Yes. It /is/ the same. It is still an image of the actual 'still infected'
drive. The mistake you are making is common...assumption. You are assuming
that one would explore the image from a mount. Wrong. If exploration for
whatever purposes is desired, you can reload the infected image and you
have it as it was...and it will do what it would do as if you never imaged.

Are you suggesting that an image is not the same system as it was after you
reload it?

FromTheRafters
Guest
Posts: n/a
 
      1st Feb 2012
Bear Bottoms wrote:
> "David H. Lipman"<DLipman~nospam~@Verizon.Net> wrote in
> news:(E-Mail Removed):
>
>> Are you suggesting that an image of the infected drive is the same
>> *forensically* as having the actual 'still infected' drive to examine is?


Somehow, you've attributed *my* question to David.

> Yes. It /is/ the same. It is still an image of the actual 'still infected'
> drive. The mistake you are making is common...assumption.


I'm not so sure that I'm the one assuming. I was asking a question and
you assume that I was assuming something that I'm not.

> You are assuming that one would explore the image from a mount.


Again, it is you doing the assuming here.

> Wrong. If exploration for
> whatever purposes is desired, you can reload the infected image and you
> have it as it was...and it will do what it would do as if you never imaged.
>
> Are you suggesting that an image is not the same system as it was after you
> reload it?


No, I asked a question, and you have given me an answer. I accept that
answer, but probably not for the reason you may think.

Bear Bottoms
Guest
Posts: n/a
 
      1st Feb 2012
FromTheRafters <(E-Mail Removed)> wrote in
news:jgaac8$mdb$(E-Mail Removed):

> Bear Bottoms wrote:
>> "David H. Lipman"<DLipman~nospam~@Verizon.Net> wrote in
>> news:(E-Mail Removed):
>>
>>> Are you suggesting that an image of the infected drive is the same
>>> *forensically* as having the actual 'still infected' drive to
>>> examine is?

>
> Somehow, you've attributed *my* question to David.
>
>> Yes. It /is/ the same. It is still an image of the actual 'still
>> infected' drive. The mistake you are making is common...assumption.

>
> I'm not so sure that I'm the one assuming. I was asking a question and
> you assume that I was assuming something that I'm not.
>
>> You are assuming that one would explore the image from a mount.

>
> Again, it is you doing the assuming here.
>
>> Wrong. If exploration for
>> whatever purposes is desired, you can reload the infected image and
>> you have it as it was...and it will do what it would do as if you
>> never imaged.
>>
>> Are you suggesting that an image is not the same system as it was
>> after you reload it?

>
> No, I asked a question, and you have given me an answer. I accept that
> answer, but probably not for the reason you may think.
>
>


Isn't communication great?
Bear Bottoms
Guest
Posts: n/a
 
      1st Feb 2012
FromTheRafters <(E-Mail Removed)> wrote in
news:jgaac8$mdb$(E-Mail Removed):

> Bear Bottoms wrote:
>> "David H. Lipman"<DLipman~nospam~@Verizon.Net> wrote in
>> news:(E-Mail Removed):
>>
>>> Are you suggesting that an image of the infected drive is the same
>>> *forensically* as having the actual 'still infected' drive to
>>> examine is?

>
> Somehow, you've attributed *my* question to David.
>
>> Yes. It /is/ the same. It is still an image of the actual 'still
>> infected' drive. The mistake you are making is common...assumption.

>
> I'm not so sure that I'm the one assuming. I was asking a question and
> you assume that I was assuming something that I'm not.
>
>> You are assuming that one would explore the image from a mount.

>
> Again, it is you doing the assuming here.


OK, I'll play. How else could you have meant it?
kurt wismer
Guest
Posts: n/a
 
      1st Feb 2012
On Jan 31, 5:56 am, Bear Bottoms <bearbottoms1+...@gmail.com> wrote:
> Dustin <bughunter.dus...@gmail.com> wrote in news:Xns9FEAEC89E863AHHI2948AJD832@no:
>
> > Without knowing what infected you or how.. that image is going to get
> > 0wned again. You accomplish nothing by doing this aside from giving
> > the user a very false sense that they are safe again. Very
> > unprofessional and irresponsible. Various individuals have tried to
> > explain this but you smugly dismiss them.

>
> With an image of the infected system, all information is there to do with
> as you will. Nothing is lost. You are simply wrong.


i don't think you're quite getting what dustin is saying.

if you put the system back to the state it was in before it got
infected, it will just get infected again. whatever got past your
defenses before will get past them again if they aren't augmented to
deal with what you just had. restoring a clean image doesn't augment
those defenses. without diagnostic information you can't perform that
augmentation.

if this needs to be said in pictures, so be it:
http://www.secmeme.com/2012/01/half-assed-recovery.html
Bear Bottoms
Guest
Posts: n/a
 
      1st Feb 2012
kurt wismer <(E-Mail Removed)> wrote in
news:7992562b-1daf-4cab-a8cf-(E-Mail Removed):

> On Jan 31, 5:56 am, Bear Bottoms <bearbottoms1+...@gmail.com> wrote:
>> Dustin <bughunter.dus...@gmail.com> wrote
>> in news:Xns9FEAEC89E863AHHI2948AJD832@no:
>>
>> > Without knowing what infected you or how.. that image is going to
>> > get 0wned again. You accomplish nothing by doing this aside from
>> > giving the user a very false sense that they are safe again. Very
>> > unprofessional and irresponsible. Various individuals have tried to
>> > explain this but you smugly dismiss them.

>>
>> With an image of the infected system, all information is there to do
>> with as you will. Nothing is lost. You are simply wrong.

>
> i don't think you're quite getting what dustin is saying.
>
> if you put the system back to the state it was in before it got
> infected, it will just get infected again. whatever got past your
> defenses before will get past them again if they aren't augmented to
> deal with what you just had. restoring a clean image doesn't augment
> those defenses. without diagnostic information you can't perform that
> augmentation.
>
> if this needs to be said in pictures, so be it:
> http://www.secmeme.com/2012/01/half-assed-recovery.html
>


That is basic 101 stuff. Dustin doesn't understand the concept.
Bear Bottoms
Guest
Posts: n/a
 
      2nd Feb 2012
Bear Bottoms <bearbottoms1+(E-Mail Removed)> wrote in
news:Xns9FECA905F7C2Cbearbottoms1gmail.AC@130.225.254.104:

> kurt wismer <(E-Mail Removed)> wrote in
> news:7992562b-1daf-4cab-a8cf-f660957911c4@k28g2000yqc.googlegroups.com:
>
>> On Jan 31, 5:56 am, Bear Bottoms <bearbottoms1+...@gmail.com> wrote:
>>> Dustin <bughunter.dus...@gmail.com> wrote
>>> in news:Xns9FEAEC89E863AHHI2948AJD832@no:
>>>
>>> > Without knowing what infected you or how.. that image is going to
>>> > get 0wned again. You accomplish nothing by doing this aside from
>>> > giving the user a very false sense that they are safe again. Very
>>> > unprofessional and irresponsible. Various individuals have tried
>>> > to explain this but you smugly dismiss them.
>>>
>>> With an image of the infected system, all information is there to do
>>> with as you will. Nothing is lost. You are simply wrong.

>>
>> i don't think you're quite getting what dustin is saying.
>>
>> if you put the system back to the state it was in before it got
>> infected, it will just get infected again. whatever got past your
>> defenses before will get past them again if they aren't augmented to
>> deal with what you just had. restoring a clean image doesn't augment
>> those defenses. without diagnostic information you can't perform that
>> augmentation.
>>
>> if this needs to be said in pictures, so be it:
>> http://www.secmeme.com/2012/01/half-assed-recovery.html
>>

>
> That is basic 101 stuff. Dustin doesn't understand the concept.
>


Like I said, the first thing you should do to an infected system is to
image it. Then you can do whatever you are going to do to the infected
system and if you muck it up, you can reload the infected image and try
again until you get or do whatever it is you want.

You can also mount the infected image from a clean reload and retrieve
files if you like or get other information you might want.

There is no silver bullet against malware. People are going to get
infected sooner or later (or again). Of course they should do their
best to prevent future infections. Only advanced users can determine
most of what Dustin and David refer to and most average users won't do
any of that. They usually need to ask for help...with the system I
describe, they won't need help to recover. This has already been said by
me...and went over the heads of Dustin, David and a few more.

--
Bear
http://bearware.info
The real Bear's header path is:
news.sunsite.dk!dotsrc.org!filter.dotsrc.org!news.dotsrc.org!not-for-mail
FromTheRafters
Guest
Posts: n/a
 
      2nd Feb 2012
Bear Bottoms wrote:
> FromTheRafters<(E-Mail Removed)> wrote in
> news:jgaac8$mdb$(E-Mail Removed):
>
>> Bear Bottoms wrote:
>>> "David H. Lipman"<DLipman~nospam~@Verizon.Net> wrote in
>>> news:(E-Mail Removed):
>>>
>>>> Are you suggesting that an image of the infected drive is the same
>>>> *forensically* as having the actual 'still infected' drive to
>>>> examine is?

>>
>> Somehow, you've attributed *my* question to David.
>>
>>> Yes. It /is/ the same. It is still an image of the actual 'still
>>> infected' drive. The mistake you are making is common...assumption.

>>
>> I'm not so sure that I'm the one assuming. I was asking a question and
>> you assume that I was assuming something that I'm not.
>>
>>> You are assuming that one would explore the image from a mount.

>>
>> Again, it is you doing the assuming here.

>
> OK, I'll play. How else could you have meant it?


Exactly as I wrote it. I made no assumptions about what you were doing
with the drive or its image. I understood your answer as it applies to
your usage of images and have no problem with that.

The average user isn't going to do the right thing, and IMO that is to
replace the drive with one that has a clean image and turn the infected
drive over to forensic analysts. They will make an image with a trusted
application being run by a licensed operator. Giving them an image made
by Easeus probably isn't *the same* as far as they are concerned.
Bear Bottoms
Guest
Posts: n/a
 
      2nd Feb 2012
FromTheRafters <(E-Mail Removed)> wrote in news:jgcste$aqb$1@dont-email.me:

> Bear Bottoms wrote:
>> FromTheRafters<(E-Mail Removed)> wrote in
>> news:jgaac8$mdb$(E-Mail Removed):
>>
>>> Bear Bottoms wrote:
>>>> "David H. Lipman"<DLipman~nospam~@Verizon.Net> wrote in
>>>> news:(E-Mail Removed):
>>>>
>>>>> Are you suggesting that an image of the infected drive is the same
>>>>> *forensically* as having the actual 'still infected' drive to
>>>>> examine is?
>>>
>>> Somehow, you've attributed *my* question to David.
>>>
>>>> Yes. It /is/ the same. It is still an image of the actual 'still
>>>> infected' drive. The mistake you are making is common...assumption.
>>>
>>> I'm not so sure that I'm the one assuming. I was asking a question and
>>> you assume that I was assuming something that I'm not.
>>>
>>>> You are assuming that one would explore the image from a mount.
>>>
>>> Again, it is you doing the assuming here.

>>
>> OK, I'll play. How else could you have meant it?

>
> Exactly as I wrote it. I made no assumptions about what you were doing
> with the drive or its image. I understood your answer as it applies to
> your usage of images and have no problem with that.


Fair enough.
>
> The average user isn't going to do the right thing,


I agree. They certainly aren't going to do as Dustin/David the
professionals would do or as they suggested.

> and IMO that is to
> replace the drive with one that has a clean image and turn the infected
> drive over to forensic analysts. They will make an image with a trusted
> application being run by a licensed operator. Giving them an image made
> by Easeus probably isn't *the same* as far as they are concerned.
>


They could do anything they decided to set up and/or what was required by
those they might decide to send it to...though I don't think sending some
one an image of /their/ computer is really a workable solution for
them...maybe so for some.

What I want them to do is learn to effectively use various image
techniques. Anyone with basic skills can easily learn this well enough to
become self-sufficient (no longer need the family or neighborhood geek or
pay money to get out of trouble). Much easier than learning to do what
Dustin/David suggest, which takes a lot of effort, time, and experience.
That doesn't mean they shouldn't learn as much as possible about aspects of
what they suggest, just most people won't...some will.