Aaron,

Unfortunately there is a big question mark over the evidentiary value of
memory evidence acquired using FireWire, which Boileau himself acknowledges
on his web site. No one has bothered to do the basic research needed to
establish when and if FireWire memory dumps are reliable. In at least one
case they clearly were unreliable. Presumably evb wants to acquire the
memory with a view towards taking some administrative action against the
employee. This action might itself have legal repercussions, especially if
the FireWire memory dump is not admitted to justify the actions taken.

The heart of forensics is the relationship between the evidence and law.
When discussing the technical aspects of acquiring volatile evidence we need
also to keep in mind the evidentiary issues which may (almost certainly
will) arise should the "evidence" ever be put to use.

Regards,
RossetoeCioccolato.