Memory forensics
Grant Olson
kgo at grant-olson.net
Sat Mar 6 00:09:54 CET 2010
On 03/05/2010 05:18 PM, Robert J. Hansen wrote:
> On 3/5/10 5:04 PM, Grant Olson wrote:
>> That article was a little vague. And I don't know much about memory
>> forensics in practice. Do you know that it actually was a hibernation
>> file and not swap space?
>
> Note Jesse's phrasing: "volatile memory forensics." Swap space is
> nonvolatile storage. Hibernation files are just dumps-to-disk of the
> state of volatile memory when the laptop lid is closed. Extracting keys
> from swap space is a solved problem: hit Google Scholar and search for
> "file carving" and you'll get a lot of relevant papers.
>
> (While you're at it, check Google Scholar and search for "memory
> forensics kornblum" -- Jesse is pretty widely published in memory
> forensics. That doesn't mean he's automatically right, but he's not
> just some random LiveJournal account, either.)
>
> Further, two co-workers of mine have spoken in person with the
> investigators involved in this prosecution. These co-workers report to
> me that the investigators have confirmed it was hibernation file analysis.
>
> If you want to know specifics, I'd suggest calling the prosecutor and
> asking for copies of the indictment. It's a public record and the
> prosecutor is required to provide a copy upon request.
>
Thanks a million for all this. The company "Volatile Systems" was
really messing with my google-fu.
More information about the Gnupg-users
mailing list