Memory forensics

Grant Olson kgo at
Sat Mar 6 00:09:54 CET 2010

On 03/05/2010 05:18 PM, Robert J. Hansen wrote:
> On 3/5/10 5:04 PM, Grant Olson wrote:
>> That article was a little vague.  And I don't know much about memory
>> forensics in practice.  Do you know that it actually was a hibernation
>> file and not swap space?
> Note Jesse's phrasing: "volatile memory forensics."  Swap space is
> nonvolatile storage.  Hibernation files are just dumps-to-disk of the
> state of volatile memory when the laptop lid is closed.  Extracting keys
> from swap space is a solved problem: hit Google Scholar and search for
> "file carving" and you'll get a lot of relevant papers.
> (While you're at it, check Google Scholar and search for "memory
> forensics kornblum" -- Jesse is pretty widely published in memory
> forensics.  That doesn't mean he's automatically right, but he's not
> just some random LiveJournal account, either.)
> Further, two co-workers of mine have spoken in person with the
> investigators involved in this prosecution.  These co-workers report to
> me that the investigators have confirmed it was hibernation file analysis.
> If you want to know specifics, I'd suggest calling the prosecutor and
> asking for copies of the indictment.  It's a public record and the
> prosecutor is required to provide a copy upon request.

Thanks a million for all this.  The company "Volatile Systems" was
really messing with my google-fu.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 554 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20100305/e3474a09/attachment.pgp>

More information about the Gnupg-users mailing list