[Vol-users] Memory Imaging Using Firewire

Jim Gordon jamesm.gordon at virgin.net
Tue Jul 8 14:30:40 CDT 2008


I know that Jon Evans at Gwent Police in the UK has demonstrated this
method.  I'll be amazed if Jon doesn't subscribe to this list and so may be
able to give some more info.

More info can be found here:

http://forums.remote-exploit.org/archive/index.php/t-13922.html

The method utilises Adam Boileau's Winlockpwn tool.  Adam's Pythonraw tool
is available on Helix.  http://www.e-fense.com/helix/downloads.php

If I recall, one "slight" issue with this method is the tendency to BSOD.  To
quote Keith Lockhart at Access Data: "This is a Bad thing!"

Jim




On 8/7/08 18:00, "vol-users-request at volatilityfoundation.org"
<vol-users-request at volatilityfoundation.org> wrote:

> 
> 
> Message: 1
> Date: Mon, 7 Jul 2008 14:57:33 -0400
> From: "Jamie Levy" <jamie.levy at gmail.com>
> Subject: RE: [Vol-users] Memory imaging
> To: vol-users at volatilityfoundation.org
> Message-ID:
> <cac8c8a90807071157w7b6e388ej660382ede0116884 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Hi evb,
> 
> I'm not sure, but maybe this will help (maybe someone else on here
> knows better than I do):
> 
> http://computer.forensikblog.de/en/2008/02/acquisition_5_firewire.html
> 
> I've never tried memory acquisition using firewire, but it sounds like
> it might be worth a try.
> 
> All the best,
> 
> -Jamie
> 
> 
> End of Vol-users Digest, Vol 10, Issue 4



