From Forensics Wiki
Revision as of 04:56, 28 July 2012 by Joachim Metz
- Physical memory of a computer can be imaged by performing cold boot attack without running tools on an untrusted OS;
- Acquisition over a network connection without running tools on an untrusted OS;
- No need to reconstruct RAID arrays;
- Out-of-date software;
- No simple way to reconfigure Live CD: you cannot easily rebuild foo to support bar (e.g. rebuild Sleuthkit to support AFF).