I'm just curious. I've read about law enforcement and what not recovering incriminating data from ram to get evidence, but how is it done? What kind of equipment would one need to recover files from a stick of ram?
Answer
Freeze the chip, pop it into another computer, and run the linux command dd to copy the raw data to disk.
After you have the raw data, copy it to a new partition using dd again and run an undelete program on the partition. Undelete should pull out any files that fall under a recognizable format (ex pictures, etc...). The rest could be further processed but not easily unless you know what you're looking for.
I can't say that I've done this myself but it's not hard to imagine how it's done.
Check out this video that Daniel Beck posted in the comments to see a demonstration of how to crack hard drive encryptions using this method.
No comments:
Post a Comment