RE: [Vol-users] Memory Imaging Using Firewire

evb, I am sorry for the confusion but I wasn't referring to a court case. Rather I was referring to a single firewire memory "image" that was sent to me for analysis. I was able to determine from some kernel variables that the operating system on the "suspect" computer would not have been able to run if the "image" was accurate. We simply don't know the reason why the firewire memory "image" was corrupt. Was it a bug in Boileau's python code, or a bug in the Linux firewire driver, or a bug in that particular firewire chipset? I haven't had time to research the acquisition method further. To my knowledge no one has bothered to follow up with the sort of basic research that would establish the parameters under which this acquisition method may be used reliably. Your problem is that the only published report is that firewire memory acquisition is unreliable, which may place you in a difficult position should you choose to rely on it. If the "prohibited pictures" are CP then you should turn the case over to your local law enforcement who may have capabilities that are not available to you. Sorry that I cannot be of more help. Regards, Rossetoecioccolato.