Forensics
IEEE 1394 (FireWire) Memory Imaging Feb 22 2007 04:28PM
Tim (tim-forensics sentinelchicken org) (2 replies)
Re: IEEE 1394 (FireWire) Memory Imaging Feb 23 2007 05:03PM
Christophe Monniez (d-fence swing be) (1 replies)
Re: IEEE 1394 (FireWire) Memory Imaging Feb 23 2007 06:09PM
Tim (tim-forensics sentinelchicken org)

Hi Christophe,

> I'm the maintainer of the FCCU GNU/Linux boot CD.
> (www.lnx4n6.be).
> We use this technique in investigation (thanks to Metlstorm for his
> help) and the tools are on the latest version of our boot CD (version
> 11.0).

Yes, I just noticed that. (Actually, Metlstorm mentioned it.)

> For using it, you need to have a mass storage device to acquire the ROM
> from before using it (because I didn't provide a ROM on the boot CD to
> avoid Copyright problems).

I see. I was wondering about the copyright issues... I actually tried
yanking a ROM off of a different attached mass storage device and using
it instead, but I wasn't able to pull it down.

> As far as I know, for Win XP, a user has to be logged in first for
> Windows to recognize the false mass storage device.

That's interesting. I wonder if emulating some other type of device,
which also requires DMA, will allow access when users aren't logged
in...

> And if you want to do it again against the same computer, you have to
> manually "uninstall" the device from the windows system (we saw that
> during demonstration of this technique).

That's also good to know.

> The next step (we are looking for that and MetlStorm too), is to find
> the bytes in the ROM that tell Windows that this is a mass storage device.
> The idea is to make an "injector" without the need of a ROM.
>
> Metlstorm is also working on a better interface.

Yes, that sounds like a good approach. No need to emulate a particular
storage device, if you know the right bits to twiddle. Are there other
device types (video, audio, etc.) which might also cause Windows to open
up those physical filters?

Perhaps more relevant to the forensics side of the discussion, do you
know much about the findings by GM Garner that certain portions of
Windows memory are not correctly read by this method?

thanks,
tim

Copyright 2010, SecurityFocus