On 3/5/10 5:04 PM, Grant Olson wrote:
> That article was a little vague. And I don't know much about memory
> forensics in practice. Do you know that it actually was a hibernation
> file and not swap space?

Note Jesse's phrasing: "volatile memory forensics." Swap space is nonvolatile storage. Hibernation files are just dumps-to-disk of the state of volatile memory when the laptop lid is closed.

Extracting keys from swap space is a solved problem: hit Google Scholar and search for "file carving" and you'll get a lot of relevant papers. (While you're at it, check Google Scholar and search for "memory forensics kornblum" -- Jesse is pretty widely published in memory forensics. That doesn't mean he's automatically right, but he's not just some random LiveJournal account, either.)

Further, two co-workers of mine have spoken in person with the investigators involved in this prosecution. These co-workers report to me that the investigators have confirmed it was hibernation file analysis.

If you want to know specifics, I'd suggest calling the prosecutor and asking for copies of the indictment. It's a public record and the prosecutor is required to provide a copy upon request.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users