Forensics
IEEE 1394 (FireWire) Memory Imaging Feb 22 2007 04:28PM
Tim (tim-forensics sentinelchicken org) (2 replies)
Re: IEEE 1394 (FireWire) Memory Imaging Feb 23 2007 05:03PM
Christophe Monniez (d-fence swing be) (1 replies)
On Thursday, 22 February 2007 at 11:28 -0500, Tim wrote:
> Hello,
>
> I recently came across a fantastic (and alarming) tool kit for reading
> systems' memory over firewire:
> http://www.storm.net.nz/projects/16
>
> I just used it to dump memory off of my laptop while booted to both
> Windows XP and Linux. I'm kinda surprised that this vulnerability
> hasn't been addressed in these OSes, since it has been known for some
> time, but I guess it's more of a hardware problem.
>
> In any case, I was wondering if anyone has used this technique to
> capture physical memory in investigations. It seems like it could be
> quite elegant and minimally intrusive, if well tested. If you have used
> it, how did you account for the possibility of the suspect system
> reading/writing your acquisition system's memory? It seems it could go
> both ways. Secondly, have you had problems with specific OSes?
> (Windows XP doesn't give up its RAM until you trick it into thinking
> you're a mass storage device, then it works fine for me.)
>
> thanks,
> tim
>
>
> PS- I apologize if this has been covered on the list in the past.
> Please direct me to appropriate threads if so.

Hi,

I'm the maintainer of the FCCU GNU/Linux boot CD.
(www.lnx4n6.be).
We use this technique in investigation (thanks to Metlstorm for his
help) and the tools are on the latest version of our boot CD (version
11.0).

To use it, you first need a mass storage device to acquire the ROM from
(because I didn't provide a ROM on the boot CD, to avoid copyright
problems).

As far as I know, on Windows XP a user has to be logged in first for
Windows to recognize the fake mass storage device.

And if you want to do it again against the same computer, you have to
manually "uninstall" the device from the Windows system (we saw that
during a demonstration of this technique).

The next step (we are looking into that, and Metlstorm too) is to find
the bytes in the ROM that tell Windows that this is a mass storage device.
The idea is to make an "injector" without the need for a ROM.

Metlstorm is also working on a better interface.

--
Christophe Monniez <d-fence (at) swing (dot) be>
www.d-fence.be - www.lnx4n6.be

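The "bytes in the ROM that tell Windows this is a mass storage device" live in the unit directory of the node's IEEE 1394 configuration ROM (IEEE 1212 layout): a Unit_Spec_ID of 0x00609E (1394 Trade Association) together with a Unit_SW_Version of 0x010483 identifies an SBP-2 target, which is what the host's disk-class driver binds to. The following is an added example written for this thread; it is not code from the FCCU boot CD or from Metlstorm's tools. It decodes a ROM dump into its directories, checks the per-directory CRCs, flags a unit directory as SBP-2 when both quadlets match, and also builds the smallest ROM that makes that claim. The vendor ID, GUID, bus options quadlet and management agent offset used in the sample are constructed values, not taken from any real device.

```python
"""Decode an IEEE 1394 configuration ROM and locate an SBP-2 unit directory.
Added example for this thread; not code from the FCCU boot CD or from
Metlstorm's tools. Sample ROM values below are constructed, not dumped."""
import struct

# The two quadlets that make a unit directory an SBP-2 (storage) unit.
SBP2_UNIT_SPEC_ID = 0x00609E        # 1394 Trade Association
SBP2_UNIT_SW_VERSION = 0x010483     # SBP-2
CSR_REGISTER_BASE = 0xFFFFF0000000  # CSR-offset values are quadlets from here

# Directory entry = key byte (2-bit type, 6-bit key id) + 24-bit value.
# Types: 0 immediate, 1 CSR offset, 2 leaf offset, 3 directory offset.
KEY_VENDOR_ID = 0x03
KEY_NODE_CAPABILITIES = 0x0C
KEY_UNIT_DIRECTORY = 0xD1           # directory type | key id 0x11
KEY_UNIT_SPEC_ID = 0x12
KEY_UNIT_SW_VERSION = 0x13
KEY_LOGICAL_UNIT_NUMBER = 0x14
KEY_MANAGEMENT_AGENT = 0x54         # CSR offset type | key id 0x14


def crc16_itu_t(data: bytes, crc: int = 0) -> int:
    """CRC-16, polynomial 0x1021, init 0: the CRC carried in ROM block headers."""
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = (crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1
            crc &= 0xFFFF
    return crc


def pack_quadlets(q):
    return struct.pack(">%dI" % len(q), *q)


def parse_directory(q, index):
    """Entries of the directory whose header is q[index], and whether the
    header CRC matches the body. Leaf/directory offsets are relative to the
    entry's own quadlet; they are returned as absolute quadlet indices."""
    length, crc = q[index] >> 16, q[index] & 0xFFFF
    body = q[index + 1: index + 1 + length]
    entries = []
    for pos, entry in enumerate(body, start=index + 1):
        key, value = entry >> 24, entry & 0xFFFFFF
        if key >> 6 in (2, 3):
            value += pos
        entries.append((key, value))
    return entries, crc16_itu_t(pack_quadlets(body)) == crc


def parse_unit_directory(q, index):
    entries, crc_ok = parse_directory(q, index)
    unit = {"crc_ok": crc_ok}
    for key, value in entries:
        if key == KEY_UNIT_SPEC_ID:
            unit["spec_id"] = value
        elif key == KEY_UNIT_SW_VERSION:
            unit["sw_version"] = value
        elif key == KEY_MANAGEMENT_AGENT:
            unit["management_agent"] = CSR_REGISTER_BASE + value * 4
        elif key == KEY_LOGICAL_UNIT_NUMBER:
            unit["device_type"] = (value >> 16) & 0x1F  # 0 = direct access
            unit["lun"] = value & 0xFFFF
    unit["is_sbp2"] = (unit.get("spec_id") == SBP2_UNIT_SPEC_ID
                       and unit.get("sw_version") == SBP2_UNIT_SW_VERSION)
    return unit


def parse_config_rom(rom: bytes) -> dict:
    q = struct.unpack(">%dI" % (len(rom) // 4), rom[: len(rom) // 4 * 4])
    info_length = q[0] >> 24           # bus info block length in quadlets
    if q[1] != 0x31333934:             # ASCII "1394"
        raise ValueError("not an IEEE 1394 bus info block")
    result = {"guid": "%08x%08x" % (q[3], q[4]), "units": []}
    root, result["root_crc_ok"] = parse_directory(q, 1 + info_length)
    for key, value in root:
        if key == KEY_VENDOR_ID:
            result["vendor_id"] = value
        elif key == KEY_UNIT_DIRECTORY:
            result["units"].append(parse_unit_directory(q, value))
    return result


def build_directory(entries):
    """Header quadlet (length, CRC over the entries) followed by the entries."""
    body = [(key << 24) | (value & 0xFFFFFF) for key, value in entries]
    return [(len(body) << 16) | crc16_itu_t(pack_quadlets(body))] + body


def build_sbp2_rom(vendor_id: int, guid: int) -> bytes:
    """Smallest ROM that claims to be an SBP-2 unit. The unit directory sits
    right after the root directory, so the root's entry carries offset 1."""
    bus_info = [0x31333934, 0x00FF7000,          # "1394", constructed bus options
                guid >> 32, guid & 0xFFFFFFFF]
    root = build_directory([(KEY_VENDOR_ID, vendor_id),
                            (KEY_NODE_CAPABILITIES, 0x0083C0),
                            (KEY_UNIT_DIRECTORY, 1)])
    unit = build_directory([(KEY_UNIT_SPEC_ID, SBP2_UNIT_SPEC_ID),
                            (KEY_UNIT_SW_VERSION, SBP2_UNIT_SW_VERSION),
                            (KEY_MANAGEMENT_AGENT, 0x4000),  # constructed offset
                            (KEY_LOGICAL_UNIT_NUMBER, 0x000000)])  # LUN 0, disk
    header = (len(bus_info) << 24 | len(bus_info) << 16
              | crc16_itu_t(pack_quadlets(bus_info)))
    return pack_quadlets([header] + bus_info + root + unit)


if __name__ == "__main__":
    rom = build_sbp2_rom(0x123456, 0x0011223344556677)  # constructed values
    print(rom.hex())
    print(parse_config_rom(rom))
```

Feed parse_config_rom() a ROM dumped from a real FireWire disk and the unit marked is_sbp2 shows the quadlets worth keeping; everything else (vendor, GUID, capabilities) is free to change. If the directory CRCs are not recomputed after editing, crc_ok turns False, which is the first thing to check when a host refuses to bind the fake device.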
Re: IEEE 1394 (FireWire) Memory Imaging Feb 23 2007 06:09PM
Tim (tim-forensics sentinelchicken org)
Re: IEEE 1394 (FireWire) Memory Imaging Feb 23 2007 02:57PM
Valdis Kletnieks vt edu (1 replies)
Re: IEEE 1394 (FireWire) Memory Imaging Feb 23 2007 06:00PM
Tim (tim-forensics sentinelchicken org)

Copyright 2010, SecurityFocus