On 03/05/2010 05:18 PM, Robert J. Hansen wrote:
> On 3/5/10 5:04 PM, Grant Olson wrote:
>> That article was a little vague. And I don't know much about memory
>> forensics in practice. Do you know that it actually was a hibernation
>> file and not swap space?
>
> Note Jesse's phrasing: "volatile memory forensics." Swap space is
> nonvolatile storage. Hibernation files are just dumps-to-disk of the
> state of volatile memory when the laptop lid is closed. Extracting keys
> from swap space is a solved problem: hit Google Scholar and search for
> "file carving" and you'll get a lot of relevant papers.
>
> (While you're at it, check Google Scholar and search for "memory
> forensics kornblum" -- Jesse is pretty widely published in memory
> forensics. That doesn't mean he's automatically right, but he's not
> just some random LiveJournal account, either.)
>
> Further, two co-workers of mine have spoken in person with the
> investigators involved in this prosecution. These co-workers report to
> me that the investigators have confirmed it was hibernation file analysis.
>
> If you want to know specifics, I'd suggest calling the prosecutor and
> asking for copies of the indictment. It's a public record and the
> prosecutor is required to provide a copy upon request.
>

Thanks a million for all this. The company "Volatile Systems" was really messing with my google-fu.
_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
