[Vol-users] Tool Testing (re:Dementia thread)

Stefan Vömel stefan.voemel at cs.fau.de
Thu Jan 10 13:45:41 CST 2013

Hi everyone,

With respect to the requirements for sound memory *acquisition*, I have
done a lot of research in this area in the last year.

We have published a paper that might be of interest in this context:
"Correctness, atomicity, and integrity: Defining criteria for
forensically-sound memory acquisition"

In this paper, we have tried to formalize criteria that are required for
"properly" imaging memory. It's a more theoretic/formal work, however,
we have also developed a platform that measures in how far these
criteria are (not) met for selected acquisition utilities.

I'm currently writing a paper about the platform setup and the
respective evaluation results, so hopefully a preliminary version should
be available in a couple of weeks.

Best regards,


Am 10.01.2013 18:03, schrieb Tom Yarrish:
> All,
> So over the course or Luka's thread on his research the subject of
> testing your acquisition tools came up.
> I know this topic has been mentioned before (in one of my own past
> posts), but what is the requirement for memory acquisition tools to be
> working "properly"?  Especially since each time you run the test against
> a memory image that image has changed.
> What steps, at a minimum, should you be making sure that the tool you
> are using/evaluating is doing what it should be doing?  Listing
> processes correctly?  Showing the correct artifacts if I have Zeus on
> the image?
> The topic always seems to come up (even with physical devices) that you
> have to test your tools, with no one ever saying what checkmarks you
> have to make sure the tools does.
> Thanks,
> Tom
> _______________________________________________
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

Dipl.-Wirtsch.-Inf Stefan Vömel

Chair for IT Security Infrastructures
University of Erlangen-Nuremberg

Martensstraße 3
91058 Erlangen-Tennenlohe

(+49) 91 31 85 699 10
stefan.voemel at cs.fau.de

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 551 bytes
Desc: OpenPGP digital signature
Url : https://lists.volatilityfoundation.org/pipermail/vol-users/attachments/20130110/a352fbb8/signature.bin

More information about the Vol-users mailing list