Forensics
IEEE 1394 (FireWire) Memory Imaging Feb 22 2007 04:28PM
Tim (tim-forensics sentinelchicken org)
Hello,

I recently came across a fantastic (and alarming) tool kit for reading
systems' memory over firewire:
http://www.storm.net.nz/projects/16

I just used it to dump memory off of my laptop while booted to both
Windows XP and Linux. I'm kinda surprised that this vulnerability
hasn't been addressed in these OSes, since it has been known for some
time, but I guess it's more of a hardware problem.

In any case, I was wondering if anyone has used this technique to
capture physical memory in investigations. It seems like it could be
quite elegant and minimally intrusive, if well tested. If you have used
it, how did you account for the possibility of the suspect system
reading/writing your acquisition system's memory? It seems it could go
both ways. Secondly, have you had problems with specific OSes?
(Windows XP doesn't give up its RAM until you trick it into thinking
you're a mass storage device, then it works fine for me.)

thanks,
tim

PS- I apologize if this has been covered on the list in the past.
Please direct me to appropriate threads if so.
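The exposure Tim describes (a 1394 device reading, or writing, physical memory over DMA) can be checked for on a Linux host from the defender's side. The script below is an added example, not part of the original post and not from the storm.net.nz toolkit; it audits whether a FireWire host-controller or SBP-2 driver is loaded, whether the drivers are blacklisted in modprobe.d, and whether an IOMMU is active. The module names (firewire_ohci, firewire_sbp2, and the older ohci1394/sbp2 stack) are real Linux modules; the function name fw_dma_exposure and the parameterised paths are this example's own choices so the check can also be run against a constructed directory tree.

```shell
#!/bin/sh
# Audit a Linux host for exposure to IEEE 1394 (FireWire) DMA memory access.
# Added example; not code from the original post or the referenced toolkit.
#
# fw_dma_exposure MODULES_FILE BLACKLIST_DIR IOMMU_DIR
#   MODULES_FILE  : /proc/modules or a copy of it (one loaded module per line)
#   BLACKLIST_DIR : a modprobe.d directory (e.g. /etc/modprobe.d)
#   IOMMU_DIR     : /sys/class/iommu (non-empty when an IOMMU is active)
# Prints findings and returns 0 if no exposure was found, 1 otherwise.
fw_dma_exposure() {
    modules_file=$1; blacklist_dir=$2; iommu_dir=$3
    exposed=0

    # 1. Is a FireWire host-controller or SBP-2 driver currently loaded?
    #    /proc/modules lists the module name as the first field of each line.
    for mod in firewire_ohci firewire_sbp2 ohci1394 sbp2; do
        if grep -q "^$mod " "$modules_file" 2>/dev/null; then
            echo "LOADED: $mod (1394 DMA path is active)"
            exposed=1
        fi
    done

    # 2. Are the host-controller drivers blacklisted, so that plugging in a
    #    device does not autoload them?
    for mod in firewire-ohci ohci1394; do
        if grep -rqsE "^blacklist[[:space:]]+$mod([[:space:]]|$)" "$blacklist_dir"; then
            echo "BLACKLISTED: $mod"
        else
            echo "NOT BLACKLISTED: $mod (driver may autoload when a device is attached)"
            exposed=1
        fi
    done

    # 3. Is an IOMMU active? Without one, a DMA-capable 1394 device can
    #    address physical memory directly.
    if [ -d "$iommu_dir" ] && [ -n "$(ls -A "$iommu_dir" 2>/dev/null)" ]; then
        echo "IOMMU: active"
    else
        echo "IOMMU: not active (1394 device DMA is not restricted)"
        exposed=1
    fi

    return $exposed
}

# Usage on a live host:
#   sh fw_dma_check.sh /proc/modules /etc/modprobe.d /sys/class/iommu
if [ "$#" -eq 3 ]; then
    fw_dma_exposure "$@"
fi
```

The three checks are deliberately separate: a blacklist protects against autoloading but not against a driver that was loaded before the blacklist was written, and an active IOMMU limits what a device can reach even when the driver is present. A non-zero exit status from any of them is what an examiner would want to know about before connecting an acquisition machine to a system that might itself be hostile.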
