
Live Forensics

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

For those interested, the "Forensic Discovery" book is available here
http://www.porcupine.org/forensics/forensic-discovery/

Read through chapter 8…section 8.17 says
"As the size of the memory filling process grows, it accelerates the memory decay of cached files and of terminated anonymous process memory, and eventually the system will start to cannibalize memory from running processes, moving their writable pages to the swap space. That is, that's what we expected. Unfortunately even repeat runs of this program as root only changed about 3/4 of the main memory of various computers we tested the program on. Not only did it not consume all anonymous memory but it didn't have much of an effect on the kernel and file caches."

Very interesting stuff…


   
ReplyQuote
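As an added illustration of what a "memory filling process" in the sense of section 8.17 actually does (this is not code from the book or from anyone in this thread, and it is not the authors' own script), the following C program grows itself in fixed increments, writes to one byte of every page so the kernel has to back each increment with a physical frame, and reports how large a fraction of physical RAM it managed to occupy before a cap or an allocation failure stopped it. It assumes a POSIX system with sysconf(); the 64 MiB default cap and the 10-second hold are arbitrary choices for safe demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Bookkeeping for the filling process. Blocks are deliberately kept (not
 * freed) until filler_release() so the pressure on the page cache and on
 * other processes' anonymous pages persists while the program is running. */
typedef struct {
    unsigned char **blocks;
    size_t count;
    size_t bytes;   /* total bytes allocated AND written to */
} filler_t;

/* Write one byte in every page of buf. A bare malloc() of a large block
 * changes nothing in physical memory until the pages are touched; this is
 * the step that forces the kernel to hand over (and possibly reclaim) frames.
 * Returns the number of pages written. */
size_t touch_pages(unsigned char *buf, size_t len, size_t page) {
    size_t n = 0;
    for (size_t off = 0; off < len; off += page, n++)
        buf[off] = (unsigned char)(n & 0xff);
    return n;
}

/* Grow the process in step-byte increments until limit bytes are touched
 * or malloc() refuses. Returns the number of bytes touched so far. */
size_t filler_grow(filler_t *f, size_t limit, size_t step) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    while (f->bytes + step <= limit) {
        unsigned char *b = malloc(step);
        if (!b) break;                                   /* out of memory */
        unsigned char **nb = realloc(f->blocks, (f->count + 1) * sizeof *nb);
        if (!nb) { free(b); break; }
        f->blocks = nb;
        f->blocks[f->count++] = b;
        touch_pages(b, step, page);
        f->bytes += step;
    }
    return f->bytes;
}

/* Give everything back once the observation window is over. */
void filler_release(filler_t *f) {
    for (size_t i = 0; i < f->count; i++) free(f->blocks[i]);
    free(f->blocks);
    f->blocks = NULL; f->count = 0; f->bytes = 0;
}

/* Physical RAM as the kernel reports it: the yardstick for "how much of
 * main memory did the filling process change". */
size_t physical_ram_bytes(void) {
    long pages = sysconf(_SC_PHYS_PAGES);
    long page  = sysconf(_SC_PAGESIZE);
    return (pages > 0 && page > 0) ? (size_t)pages * (size_t)page : 0;
}

/* Share of physical RAM a filling process of the given size occupies. */
double ram_fraction(size_t bytes, size_t ram) {
    return ram ? (double)bytes / (double)ram : 0.0;
}

int main(int argc, char **argv) {
    /* Default cap of 64 MiB keeps the demo harmless (assumed value); pass a
     * larger number of MiB to approach the experiment described in the book,
     * and watch page-cache and swap counters from another terminal. */
    size_t cap_mib = argc > 1 ? (size_t)strtoull(argv[1], NULL, 10) : 64;
    size_t ram = physical_ram_bytes();
    filler_t f = {0};
    size_t got = filler_grow(&f, cap_mib << 20, 1u << 20);
    printf("touched %zu MiB of %zu MiB physical RAM (%.1f%%)\n",
           got >> 20, ram >> 20, 100.0 * ram_fraction(got, ram));
    puts("holding memory for 10 s; inspect cache/swap usage now");
    sleep(10);
    filler_release(&f);
    return 0;
}
```

Note what this program can and cannot tell you: it reports only what it touched itself. Whether that displaced page-cache contents or pushed other processes' writable pages to swap, which is the question section 8.17 is really asking, has to be observed from outside the process (the book's authors compared memory before and after their runs), and the filling process itself is subject to the same kernel policy it is trying to measure, which is one reason a run may stop well short of all of main memory.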
hogfly
(@hogfly)
Reputable Member
Joined: 21 years ago
Posts: 287
 

I wouldn't say we're stuck in a tarpit. Progress is being made even as I write this. The ACPO identified the need for this, and work has been done in the past.

As for the questions a lawyer might ask, I suspect it would be along the lines of how accurate are the results, is this method accepted and has it been peer reviewed, does it have an error rate. And then you get to junk science where the questions of memory displacement begin and end with the investigator on the stand left in a quivering pile of mush because they can't explain how their tools work and have no idea how much memory is displaced, or how much of an impact their process actually has on a system, if only in testing. Outside of those questions, maybe we should ask some lawyers that specialize in cyberlaw what they would ask someone on the stand.

Re Forensic Discovery. The major factor there is that they used BSD and Solaris, both with an arguably more efficient and effective memory management system than Windows. They did a great job illustrating their experiments and thoughts though and provide a good path for future work (or current, as it were). Wasn't that section in reference to the Perl script designed to exhaust memory?


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> …does it have an error rate.

This is what I meant by "tarpit". Same question, still no answer on how to address it. The recent updates to the ACPO guidelines make no mention of error rates.

> …investigator on the stand left in quivering pile of mush…

Again, tarpit. I can't see any prosecutor putting someone on the stand who isn't prepared for that, *if* it were to happen. Folks that have no significant experience beyond EnCase training get on the stand every day and do just fine, it seems.

> …have no idea how much memory is displaced…

Tarpit #3…why is this even a factor?

Anyway, you said "Progress is being made even as I write this."…I'd love to know where, and I'd love to assist…

H


   
ReplyQuote
(@echo6)
Trusted Member
Joined: 21 years ago
Posts: 87
 

> The recent updates to the ACPO guidelines make no mention of error rates.

Agreed, but doesn't the Daubert Standard?

> EnCase training get on the stand every day and do just fine, it seems.

I would agree with HC on this one, I think perhaps we can take things a little too far.

> Tarpit #3…why is this even a factor?

4k may not seem a lot, but how much text can you hold in 4k that may be relevant to the case, for example a chat session?

> Anyway, you said "Progress is being made even as I write this."…I'd love to know where, and I'd love to assist…

Likewise.


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Jon,

> Agreed, but doesn't the Daubert Standard?

Perhaps, but how does one determine the error rate? Let's say you use tlist.exe or pslist.exe to get the active process list…how does one determine the error rate?

> 4k may not seem a lot,

4k is quite a bit…but my question is more along the lines of this…if the page is still actively being used, it won't be overwritten. At the worst, it will be swapped out to the pagefile. Therefore, any 'evidence' that may be overwritten or lost is without context anyway…one won't be able to associate something that's found to a specific process, etc.

H


   
ReplyQuote
Page 3 / 3
Share: