Memory forensics

Robert J. Hansen rjh at
Fri Mar 5 23:18:53 CET 2010

On 3/5/10 5:04 PM, Grant Olson wrote:
> That article was a little vague.  And I don't know much about memory
> forensics in practice.  Do you know that it actually was a hibernation
> file and not swap space?

Note Jesse's phrasing: "volatile memory forensics."  Swap space is
nonvolatile storage.  Hibernation files are just dumps-to-disk of the
state of volatile memory when the laptop lid is closed.  Extracting keys
from swap space is a solved problem: hit Google Scholar and search for
"file carving" and you'll get a lot of relevant papers.

(While you're at it, check Google Scholar and search for "memory
forensics kornblum" -- Jesse is pretty widely published in memory
forensics.  That doesn't mean he's automatically right, but he's not
just some random LiveJournal account, either.)

Further, two co-workers of mine have spoken in person with the
investigators involved in this prosecution.  These co-workers report to
me that the investigators have confirmed it was hibernation file analysis.

If you want to know specifics, I'd suggest calling the prosecutor and
asking for copies of the indictment.  It's a public record and the
prosecutor is required to provide a copy upon request.

More information about the Gnupg-users mailing list