[Vol-users] Memory Imaging Using Firewire

AAron Walters awalters at 4tphi.net
Tue Jul 8 17:08:56 CDT 2008


George,

You raise some very good points! I firmly believe that more research needs 
to be done in analyzing all the mechanisms being used for memory 
acquisition, not just firewire.  This is the reason that we have started 
the Memory Forensics Tool Testing (MFTT) initiative. It is our hope that 
you will be willing to combine your experiences with ours to make this a 
valuable contribution to the community. On that note, did you ever do more 
research into the issue discussed on Boileau's website or would you care 
to provide more details about the discrepancies and the testing methods 
used?

As we have discussed previously, I think the question of evidentiary value 
is a little more complicated. How would you recommend that evb acquire a 
sample of memory given his situation?  Based on the possibility of the 
aforementioned discrepancies, is it better that he not collect a sample of 
memory? Do you think that this administrative action would be based solely 
on an artifact extracted from the memory sample? I typically try to 
acquire as many artifacts as possible using the "best" mechanisms 
available. While being cognizant of the evidential issues and appreciating 
their importance, I typically try to focus on the technical aspects since 
I'm not a lawyer. That is why I pay them the big bucks!

Thanks again for your insightful email and we are grateful for your 
contributions to the list.

AW

On Tue, 8 Jul 2008, George M. Garner Jr. wrote:

> Aaron,
>
> Unfortunately there is a big question mark over the evidentiary value of
> memory evidence acquired using firewire, which Boileau himself acknowledges
> on his web site.  No one has bothered to do the basic research needed to
> establish when and if firewire memory dumps are reliable.  In at least one
> case they clearly were unreliable.  Presumably evb wants to acquire the
> memory with a view towards taking some administrative action against the
> employee.  This action might itself have legal repercussions, especially if
> the firewire memory dump is not admitted to justify the actions taken.
>
> The heart of forensics is the relationship between the evidence and law.
> When discussing the technical aspects of acquiring volatile evidence we need
> also to keep in mind the evidentiary issues which may (almost certainly
> will) arise should the "evidence" ever be put to use.
>
> Regards,
>
> RossetoeCioccolato.
