[Vol-users] Memory Imaging Using Firewire

George M. Garner Jr. gmgarner at erols.com
Tue Jul 8 21:23:25 CDT 2008


I am sorry for the confusion but I wasn't referring to a court case.  Rather
I was referring to a single firewire memory "image" that was sent to me for
analysis.  I was able to determine from some kernel variables that the
operating system on the "suspect" computer would not have been able to run
if the "image" was accurate.  We simply don't know the reason why the
firewire memory "image" was corrupt.  Was it a bug in Boileau's Python code,
or a bug in the Linux firewire driver, or a bug in that particular firewire
chipset?  I haven't had time to research the acquisition method further.  To
my knowledge no one has bothered to follow up with the sort of basic
research that would establish the parameters under which this acquisition
method may be used reliably.  

Your problem is that the only published report is that firewire memory
acquisition is unreliable, which may place you in a difficult position
should you choose to rely on it.

If the "prohibited pictures" are CP then you should turn the case over to
your local law enforcement who may have capabilities that are not available
to you.

Sorry that I cannot be of more help.


