[Vol-users] RFI: Failed Memory Acquisitions

vol-users, As you know, one of the main goals of the Volatility Foundation is to promote the use of memory analysis within the forensics community. If you have been on this mailing list for a while or seen some of the recent court cases, you know that one of the main challenges facing investigators is the ability to reliably collect a sample of physical memory. The increasing number of acquisition tools has given people a lot of options but has also exacerbated the challenge of knowing which tool to use and under what circumstances. In order to address this and to reduce the amount of time we spend helping investigators troubleshoot bad memory samples, we are working on developing some memory acquisition guidelines for investigators. If you have had experiences where you were unable to collect a valid sample from a system, we would like to hear from you. This could mean that the system crashed during collection or the collected sample couldn’t be analyzed. In particular, we are interested in the details (hardware, software, etc) about the system the memory was being acquired from and the version of the tool you were using to perform the acquisition. If you have this type of information and are able to share, please contact me off list. Happy holidays and hope we can catch up in the New Year! AAron Walters The Volatility Foundation