During the 2011 DC edition of the Blackhat conference, Andrew Case did a presentation about his research on de-anonymization of Live CDs through forensics techniques applied to the system memory content, which mostly concerned T(A)ILS itself. Some parts of it were also talking about memory analysis of Tor itself.

  • Slides can be found here
  • Full paper can be found here

The disclosure of this attack leads to a better implementation of the smem feature in Tails, using kexec to ensure every non-kernel bit of the memory is wiped; this new implementation is shipped in Tails 0.7 and later. Implementation of automatic memory wiping ?when the live media is removed, also shipped as of Tails 0.7, also helps defeating it, at least in the case this attack takes place when someone's home is raided.