
Re: forensics Digest 17 Jun 2005 15:04:36 -0000 Issue 499

Subject: Re: forensics Digest 17 Jun 2005 15:04:36 -0000 Issue 499
Date: Sat, 25 Jun 2005 16:43:23 -0400
On Sat, 25 Jun 2005 14:52:16 EDT, "George M. Garner Jr." said:
Farmer and Venema address this question in their book (Forensic Discovery,
p. 182).  The long and short of it is that it all depends.  Modern Intel
CPUs tend to have BIOS settings that clear main memory on restart, but
there are exceptions.  Sun SPARCs and Apple G4s typically do not clear
main memory.

So, to answer the question you really have to test with the specific
hardware in question.

Also, keep in mind that what the BIOS/CPU do at restart is totally irrelevant
if the question is "the memory has been powered down, and a forensics expert
has cracked the case and pulled the DIMM - what information can be reclaimed
from the DIMM given a properly designed test harness in a lab".

Remember - there'd be no *reason* for a BIOS setting to clear memory unless
the BIOS designers knew that the RAM *wouldn't* be all-zeros at power-up. ;)

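The per-hardware test the thread calls for, sketched as an added example that is not part of the original posts: given a raw memory image captured after a restart, it scores how many pages still hold a known fill pattern written beforehand. The marker bytes, the 4 KiB page size, the 25% decay threshold, and the sample image are assumptions constructed for illustration.

```python
# Added example: score how much of a known fill pattern survived in a
# post-restart memory image. Capturing the image is hardware-specific
# and outside the scope of this sketch.

PAGE = 4096
# Constructed 16-byte marker; a real test would fill RAM with it before the restart.
MARKER = bytes.fromhex("a55a3cc3") * 4

def bit_errors(a: bytes, b: bytes) -> int:
    """Hamming distance in bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def classify_page(page: bytes, marker: bytes = MARKER) -> str:
    """Return 'zeroed', 'intact', 'decayed' (pattern with bit flips) or 'other'."""
    if not any(page):
        return "zeroed"  # consistent with firmware clearing memory at restart
    expected = (marker * (len(page) // len(marker) + 1))[:len(page)]
    errs = bit_errors(page, expected)
    if errs == 0:
        return "intact"
    # Unrelated data differs from the pattern in about half of its bits;
    # an error rate well below that (assumed cut-off: 25%) indicates decay.
    if errs / (len(page) * 8) < 0.25:
        return "decayed"
    return "other"

def remanence_report(image: bytes, marker: bytes = MARKER, page_size: int = PAGE) -> dict:
    """Count page classes across a raw image and the fraction still recoverable."""
    counts = {"intact": 0, "decayed": 0, "zeroed": 0, "other": 0}
    for off in range(0, len(image) - page_size + 1, page_size):
        counts[classify_page(image[off:off + page_size], marker)] += 1
    total = sum(counts.values())
    recoverable = counts["intact"] + counts["decayed"]
    counts["recoverable_fraction"] = recoverable / total if total else 0.0
    return counts

def constructed_image() -> bytes:
    """Constructed sample: 2 intact pages, 1 with bit flips, 4 zeroed, 1 overwritten."""
    good = MARKER * (PAGE // len(MARKER))
    flipped = bytearray(good)
    for i in range(0, PAGE, 64):  # flip one bit every 64 bytes
        flipped[i] ^= 0x01
    overwritten = bytes((i * 37 + 11) % 256 for i in range(PAGE))
    return good * 2 + bytes(flipped) + bytes(PAGE) * 4 + overwritten

if __name__ == "__main__":
    print(remanence_report(constructed_image()))
```

A mostly "zeroed" result matches the memory-clearing behaviour described above, while "intact" or "decayed" pages show that the machine under test retains contents across the restart.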