Forensic memory dumping issues

Arne Vidstrom from ntsecurity.nu wrote an interesting paper about problems with forensic RAM dumps from Windows XP. His summary on this topic is:

“Memory dumping tools that use the PhysicalMemory device in Windows XP can be blocked by allocating memory buffers with special memory types. In older versions of Windows the tools instead could possibly cause cache incoherence with some processor types, or other adverse side effects. The problem can also occur on a system that has not been manipulated at all by any attacker.”
