FW: [Vol-users] Memory Imaging Using Firewire

david at sharpebusinesssolutions.com david at sharpebusinesssolutions.com
Tue Jul 8 15:53:59 CDT 2008

If this is a managed system, then if you have a software deployment tool like SMS, Tivoli, or Unicenter can you just send down a job that runs something like Mantech's new MDD.exe tool and write the RAM dump out to a \\servername\sharename\filename?

Otherwise, if you have admin access to the machine, can you psexec the MDD.exe tool on the machine and write the RAM dump out to a \\servername\sharename share (mdd -o \\servername\sharename\filename.dd)?

Doing either of the above would definitely alter the target machine more than the Firewire method, but might be good enough depending on your situation.

-----Original Message-----
From: vol-users-bounces at volatilityfoundation.org
[mailto:vol-users-bounces at volatilityfoundation.org] On Behalf Of AAron
Sent: Tuesday, July 08, 2008 4:29 PM
To: Jim Gordon
Cc: vol-users at volatilityfoundation.org
Subject: Re: [Vol-users] Memory Imaging Using Firewire


There a number of potential techniques that are being used to deal with
locked machines.  Though I must give my usual caveats that I would make
sure you know what you are doing and actually have experience with the
acquisition method before trying it as part of a real investigation. 
Some of the techniques are hardware dependent, have the potential to
BSOD the machine, or are potentially destructive, so you may only get
one attempt. In some instances, it may be useful to get outside help.

As Jim and Jamie mentioned, performing acquisition via firewire is a
potential option.  Details about this technique can be found on the
site: http://storm.net.nz/projects/16.  They even mention using a
CardBus firwire card. Others have successfully used techniques similar
to those presented in the Cold Boot paper
(http://citp.princeton.edu/memory/) or similarly, msramdmp:
Depending on how the laptop is configured, the hibernation file is
another alternative.  There are also other hardware solutions but they
are very expensive.



On Tue, 8 Jul 2008, Jim Gordon wrote:

> I know that Jon Evans at Gwent Police in the UK has demonstrated this 
> method.  I'll be amazed if Jon doesn't subscribe to this list and so 
> may be able to give some more info.
> More info can be found here:
> http://forums.remote-exploit.org/archive/index.php/t-13922.html
> The method utilises Adam Boileau's Winlockpwn tool.  Adam's Pythonraw 
> tool is available on Helix.  
> http://www.e-fense.com/helix/downloads.php
> If I recall one "slight" issue with this method is the tendency to 
> BSOD.  To quote Keith Lockhart at Access Data  "This is a Bad thing!"
> Jim
> On 8/7/08 18:00, "vol-users-request at volatilityfoundation.org"
> <vol-users-request at volatilityfoundation.org> wrote:
>> Send Vol-users mailing list submissions to 
>> vol-users at volatilityfoundation.org
>> To subscribe or unsubscribe via the World Wide Web, visit 
>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>> or, via email, send a message with subject or body 'help' to 
>> vol-users-request at volatilityfoundation.org
>> You can reach the person managing the list at 
>> vol-users-owner at volatilityfoundation.org
>> When replying, please edit your Subject line so it is more specific 
>> than "Re: Contents of Vol-users digest..."
>> Today's Topics:
>>    1. RE: Memory imaging (Jamie Levy)
>> ---------------------------------------------------------------------
>> -
>> Message: 1
>> Date: Mon, 7 Jul 2008 14:57:33 -0400
>> From: "Jamie Levy" <jamie.levy at gmail.com>
>> Subject: RE: [Vol-users] Memory imaging
>> To: vol-users at volatilityfoundation.org
>> Message-ID:
>> <cac8c8a90807071157w7b6e388ej660382ede0116884 at mail.gmail.com>
>> Content-Type: text/plain; charset=ISO-8859-1
>> Hi evb,
>> I'm not sure, but maybe this will help (maybe someone else on here 
>> knows better than I do):
>> http://computer.forensikblog.de/en/2008/02/acquisition_5_firewire.htm
>> l
>> I've never tried memory acquisition using firewire, but it sounds 
>> like it might be worth a try.
>> All the best,
>> -Jamie
>> ------------------------------
>> _______________________________________________
>> Vol-users mailing list
>> Vol-users at volatilityfoundation.org
>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>> End of Vol-users Digest, Vol 10, Issue 4
>> ****************************************
> _______________________________________________
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
Vol-users mailing list
Vol-users at volatilityfoundation.org

More information about the Vol-users mailing list