Hi everyone,
With respect to the requirements for sound memory *acquisition*, I have
done a lot of research in this area in the last year.
We have published a paper that might be of interest in this context:
"Correctness, atomicity, and integrity: Defining criteria for
forensically-sound memory acquisition"
(http://www.sciencedirect.com/science/article/pii/S1742287612000254)
In this paper, we have tried to formalize criteria that are required for
"properly" imaging memory. It's a more theoretical/formal work; however,
we have also developed a platform that measures to what extent these
criteria are (not) met for selected acquisition utilities.
I'm currently writing a paper about the platform setup and the
respective evaluation results, so hopefully a preliminary version should
be available in a couple of weeks.
Best regards,
Stefan
On 10.01.2013 18:03, Tom Yarrish wrote:
All,
So over the course of Luka's thread on his research, the subject of
testing your acquisition tools came up.
I know this topic has been mentioned before (in one of my own past
posts), but what is the requirement for memory acquisition tools to be
working "properly"? Especially since each time you run the test against
a memory image that image has changed.
What steps, at a minimum, should you be making sure that the tool you
are using/evaluating is doing what it should be doing? Listing
processes correctly? Showing the correct artifacts if I have Zeus on
the image?
The topic always seems to come up (even with physical devices) that you
have to test your tools, with no one ever saying what checkmarks you
have to make sure the tool does.
Thanks,
Tom
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
--
Dipl.-Wirtsch.-Inf Stefan Vömel
Chair for IT Security Infrastructures
University of Erlangen-Nuremberg
Martensstraße 3
91058 Erlangen-Tennenlohe
(+49) 91 31 85 699 10
stefan.voemel(a)cs.fau.de