Forensics
IEEE 1394 (FireWire) Memory Imaging Feb 22 2007 04:28PM
Tim (tim-forensics sentinelchicken org)
Hello,

I recently came across a fantastic (and alarming) tool kit for reading
systems' memory over firewire:
http://www.storm.net.nz/projects/16

I just used it to dump memory off of my laptop while booted to both
Windows XP and Linux. I'm kinda surprised that this vulnerability
hasn't been addressed in these OSes, since it has been known for some
time, but I guess it's more of a hardware problem.

In any case, I was wondering if anyone has used this technique to
capture physical memory in investigations. It seems like it could be
quite elegant and minimally intrusive, if well tested. If you have used
it, how did you account for the possibility of the suspect system
reading/writing your acquisition system's memory? It seems it could go
both ways. Secondly, have you had problems with specific OSes?
(Windows XP doesn't give up its RAM until you trick it into thinking
you're a mass storage device; then it works fine for me.)

thanks,
tim

PS- I apologize if this has been covered on the list in the past.
Please direct me to appropriate threads if so.

Re: IEEE 1394 (FireWire) Memory Imaging Feb 23 2007 05:03PM
Christophe Monniez (d-fence swing be)
Re: IEEE 1394 (FireWire) Memory Imaging Feb 23 2007 06:09PM
Tim (tim-forensics sentinelchicken org)
Re: IEEE 1394 (FireWire) Memory Imaging Feb 23 2007 02:57PM
Valdis Kletnieks vt edu
Re: IEEE 1394 (FireWire) Memory Imaging Feb 23 2007 06:00PM
Tim (tim-forensics sentinelchicken org)
Copyright 2010, SecurityFocus