Prosecution based on memory forensics

Robert J. Hansen rjh at
Thu Jan 13 04:54:25 CET 2011

When you close a laptop, Windows (or Mac OS X, or Linux, or what-have-you) takes a snapshot of memory contents and writes it to disk.  This can be a really big problem, since encryption keys, passphrases, and so forth are written out in the process.  For instance, if you have gpg-agent set up to cache your passphrase, your passphrase will probably be written to the hibernation file, unless the GnuPG devs have taken heroic measures to prevent this.

Last year we saw the first prosecution based on evidence recovered from a hibernation file.  The case is now over: Rajib K. Mitra has been convicted of eight counts of possession of child pornography and two counts of sexual exploitation of a child, according to the detective who was handling the case.

This is not something new: many people have been warning about hibernation files for years.  However, there are always people who will refuse to believe it until it's demonstrated in the real world.  That time is now.

More information about the Gnupg-users mailing list