[Vol-users] Memory Imaging Using Firewire
awalters at 4tphi.net
Tue Jul 8 17:08:56 CDT 2008
You raise some very good points! I firmly believe that more research needs
to be done in analyzing all the mechanisms being used for memory
acquisition, not just firewire. This is the reason that we have started
the Memory Forensics Tool Testing (MFTT) initiative. It is our hope that
you will be willing to combine your experiences with ours to make this a
valuable contribution to the community. On that note, did you ever do more
research into the issue discussed on Boileau's website or would you care
to provide more details about the discrepancies and the testing methods?
As we have discussed previously, I think the question of evidentiary value
is a little more complicated. How would you recommend that evb acquire a
sample of memory given his situation? Based on the possibility of the
aforementioned discrepancies, is it better that he not collect a sample of
memory? Do you think that this administrative action would be based solely
on an artifact extracted from the memory sample? I typically try to
acquire as many artifacts as possible using the "best" mechanisms
available. While being cognizant of the evidential issues and appreciating
their importance, I typically try to focus on the technical aspects since
I'm not a lawyer. That is why I pay them the big bucks!
Thanks again for your insightful email and we are grateful for your
contributions to the list.
On Tue, 8 Jul 2008, George M. Garner Jr. wrote:
> Unfortunately there is a big question mark over the evidentiary value of
> memory evidence acquired using firewire, which Boileau himself acknowledges
> on his web site. No one has bothered to do the basic research needed to
> establish when and if firewire memory dumps are reliable. In at least one
> case they clearly were unreliable. Presumably evb wants to acquire the
> memory with a view towards taking some administrative action against the
> employee. This action might itself have legal repercussions, especially if
> the firewire memory dump is not admitted to justify the actions taken.
> The heart of forensics is the relationship between the evidence and law.
> When discussing the technical aspects of acquiring volatile evidence we need
> also to keep in mind the evidentiary issues which may (almost certainly
> will) arise should the "evidence" ever be put to use.