kgo at grant-olson.net
Sat Mar 6 00:09:54 CET 2010
On 03/05/2010 05:18 PM, Robert J. Hansen wrote:
> On 3/5/10 5:04 PM, Grant Olson wrote:
>> That article was a little vague. And I don't know much about memory
>> forensics in practice. Do you know that it actually was a hibernation
>> file and not swap space?
> Note Jesse's phrasing: "volatile memory forensics." Swap space is
> nonvolatile storage. Hibernation files are just dumps-to-disk of the
> state of volatile memory when the laptop lid is closed. Extracting keys
> from swap space is a solved problem: hit Google Scholar and search for
> "file carving" and you'll get a lot of relevant papers.
> (While you're at it, check Google Scholar and search for "memory
> forensics kornblum" -- Jesse is pretty widely published in memory
> forensics. That doesn't mean he's automatically right, but he's not
> just some random LiveJournal account, either.)
> Further, two co-workers of mine have spoken in person with the
> investigators involved in this prosecution. These co-workers report to
> me that the investigators have confirmed it was hibernation file analysis.
> If you want to know specifics, I'd suggest calling the prosecutor and
> asking for copies of the indictment. It's a public record and the
> prosecutor is required to provide a copy upon request.
Thanks a million for all this. The company "Volatile Systems" was
really messing with my google-fu.