RE: [Vol-users] Memory Imaging Using Firewire

George, You raise some very good points! I firmly believe that more research needs to be done in analyzing all the mechanism being used for memory acquisition, not just firewire. This is the reason that we have started the Memory Forensics Tool Testing (MFTT) initiative. It is our hope that you will be willing to combine your experiences with ours to make this a valuable contribution to the community. On that note, did you ever do more research into the issue discussed on Boileau's website or would you care to provide more details about the discrepancies and the testing methods used? As we have discussed previously, I think the question of evidentiary value is a little more complicated. How would you recommend that evb acquire a sample of memory given his situation? Based on the possibility of the aforementioned discrepancies, is it better that he not collect a sample of memory? Do you think that this administrative action would be based solely on an artifact extracted from the memory sample? I typically try to acquire as many artifacts as possible using the "best" mechanisms available. While being cognizant of the evidential issues and appreciating their importance, I typically try to focus on the technical aspects since I'm not a lawyer. That is why I pay them the big bucks! Thanks again for your insightful email and we are greatful for your contributions to the list. AW On Tue, 8 Jul 2008, George M. Garner Jr. wrote: