RAM is known to potentially contain many forensic artifacts related to investigations such as incident response, child exploitation, and almost all other computer forensic cases. These artifacts can include evidence such as images or partial images, malware code or partial malware code, passwords or password hashes, port and process data, and words used in a variety of computer applications.
This presentation will examine scenarios when RAM may persist after shutdown, re-boot, and removal of power. Testing is done where RAM is captured when it is known to be clear then after using the computer in a variety of shutdown scenarios including, but not limited to; normal shutdown, pulling the plug, normal shutdown followed by pulling the plug, those scenarios and removing the RAM modules from the computer, etc. These tests are also performed on a laptop computer which adds the element of battery power to the above scenarios.
Walter Hart, Sr. Manager - Professional Services, AccessData
Currently the Senior Manager for AccessData Group Professional Services for the Western Region, Walter has been active in Digital Forensics and investigations since the early 1990s for the United Stated Government. In that capacity, Walter was involved in investigations related to all manner of crimes involving digital media including cyber security, terrorism, theft of intellectual property, identify theft, Racketeer Influenced and Corrupt Organizations Act (RICO), homicide, and child exploitation, to name a few. Walter supervised a local digital forensics lab for the Department of Homeland Security, Homeland Security Investigations Special Agent in Charge, San Francisco. Walter has performed and/or supervised hundreds of digital forensics examinations.
Symantec
500 E Middlefield Rd,
Mountain View, CA 94043