Monday

RAM data as legal evidence

Windows Incident Response is talking about the information in RAM and the courts. How do the (American) courts look at the information in RAM?
Well, in a recent case, a defendant who didn't keep log files of their visitors was asked for the information stored in RAM. This seems a very silly request to me, since it's temporary information.

In short, the document illustrates a discussion in which RAM constitutes "electronically stored information", and can be included in discovery. The document contains statements such as "...Server Log Data is temporarily stored in RAM and constitutes a document...".

Interestingly enough, there is also discussion of "spoliation of evidence" due to the defendant's failure to preserve/retain RAM.

So even though the information is only kept in memory and never written to log files on disk, it is supposed to be preserved anyway. How much (application) data is manipulated in memory but never written to disk? Do we now need software to dump our memory? And how often? Dumping your entire RAM contents to disk every hour? Ouch.

1 comment:

Kvaes said...

The judge on the case knew technically what she ruled upon. The ruling was done to force TorrentSpy to turn on logging. Not that I approve of this, as I frown upon the legal stance here... as a defendant normally can't be forced to produce evidence for the prosecution.

Read the comments on slashdot... That'll clear a lot up for you. ;-)