Well, more than passwords... All those encrypted DAT files everywhere, etc, 
that won't delete and always in use - also logs. And while XP keeps 3 system 
event logs, Vista logs EVERYTHING you do into 30+ log files, many of which 
can't be shut down like XP's and it's all kept in a 'new' log format so even 
the old log tools won't work. Some are unreadable because they are always in 
use too.

There are some forensic tools that help in these cases, but consider the part 
about being set up... they drop files on you, maybe even after confiscating it. 
At best, the forensic tools read what they can from these files. How about 
inserting entries or deleting them to cover or validate such planting?? No one 
but Microsoft knows the intricacies involved, and now they provide the tool.

The best you get to do is 'if' you can find a suitable forensic guru AND get 
him access to the machine afterward, now he won't be able to find any clues you 
were set up, where maybe he could've by some oversight before.

Perhaps it's a good idea to log everything with other tools too, on a separate 
machine, with backups off site, so at least your log of what happened will 
disagree with what Microsoft's says... A doubt in the case... and give them the 
burden of proving why your code didn't capture the incriminating event...


Michael Rigby-Jones wrote:
> 
> Hardly, this thing is simply a USB drive with a bunch of utilities on it
> for decrypting passwords etc.  I'm sure similar utilities exist for
> Linux...
> 
> Mike
> 
-- 
http://www.piclist.com PIC/SX FAQ & list archive
View/change your membership options at
http://mailman.mit.edu/mailman/listinfo/piclist