[Vol-users] 29c3 defeating windows memory forensics

George M. Garner Jr. ggarner_online at gmgsystemsinc.com
Wed Jan 9 14:04:41 CST 2013

> Unfortunately, that's not the case:(
> The reason is that the checksum is calculated on the buffer *after* it
> has been written to the file (basically the next call after
> ZwWriteFile).
> When Dementia is used, checksum of the dump created by win32dd equals
> to the one printed out in the console.

Zut alors!  This does point out the value of tool testing and not simply 
relying upon manufacturers' representations of what their tools do. 
Dementia has already served a very useful purpose for the forensic 
community.  Keep up the good work!
