FW: [Vol-users] Memory Imaging Using Firewire

AAron Walters awalters at 4tphi.net
Tue Jul 8 16:15:39 CDT 2008


David,

Thanks for the response.  The only problem is that in evb's situation the 
machine in question "was not a part of the domain and had not been subject 
to auditing" and has "no network access".  But in some situations that may 
be a viable option depending on the types of systems involved.

My normal caveats also apply with untested kernel drivers used for 
acquisition.  Make sure you thoroughly test the mechanisms you plan to use 
because you don't want that driver to fail on a critical server.

Thanks,

AW


On Tue, 8 Jul 2008, david at sharpebusinesssolutions.com wrote:

>
> If this is a managed system, then if you have a software deployment tool 
> like SMS, Tivoli, or Unicenter can you just send down a job that runs 
> something like Mantech's new MDD.exe tool and write the RAM dump out to 
> a \\servername\sharename\filename?
>
> Otherwise, if you have admin access to the machine, can you psexec the 
> MDD.exe tool on the machine and write the RAM dump out to a 
> \\servername\sharename share (mdd -o 
> \\servername\sharename\filename.dd)?
>
> Doing either of the above would definitely alter the target machine more 
> than the Firewire method, but might be good enough depending on your 
> situation.
>
>
>
> -----Original Message-----
> From: vol-users-bounces at volatilityfoundation.org
> [mailto:vol-users-bounces at volatilityfoundation.org] On Behalf Of AAron
> Walters
> Sent: Tuesday, July 08, 2008 4:29 PM
> To: Jim Gordon
> Cc: vol-users at volatilityfoundation.org
> Subject: Re: [Vol-users] Memory Imaging Using Firewire
>
>
> evb,
>
> There are a number of potential techniques that are being used to deal with
> locked machines.  Though I must give my usual caveats that I would make
> sure you know what you are doing and actually have experience with the
> acquisition method before trying it as part of a real investigation.
> Some of the techniques are hardware dependent, have the potential to
> BSOD the machine, or are potentially destructive, so you may only get
> one attempt. In some instances, it may be useful to get outside help.
>
> As Jim and Jamie mentioned, performing acquisition via firewire is a
> potential option.  Details about this technique can be found on the
> following site: http://storm.net.nz/projects/16.  They even mention using a
> CardBus firewire card. Others have successfully used techniques similar
> to those presented in the Cold Boot paper
> (http://citp.princeton.edu/memory/) or similarly, msramdmp:
> (http://mcgrewsecurity.com/projects/msramdmp/).
> Depending on how the laptop is configured, the hibernation file is
> another alternative.  There are also other hardware solutions but they
> are very expensive.
>
> Regards,
>
> AW
>
> On Tue, 8 Jul 2008, Jim Gordon wrote:
>
>>
>> I know that Jon Evans at Gwent Police in the UK has demonstrated this
>> method.  I'll be amazed if Jon doesn't subscribe to this list and so
>> may be able to give some more info.
>>
>> More info can be found here:
>>
>> http://forums.remote-exploit.org/archive/index.php/t-13922.html
>>
>> The method utilises Adam Boileau's Winlockpwn tool.  Adam's Pythonraw
>> tool is available on Helix.
>> http://www.e-fense.com/helix/downloads.php
>>
>> If I recall one "slight" issue with this method is the tendency to
>> BSOD.  To quote Keith Lockhart at Access Data  "This is a Bad thing!"
>>
>> Jim
>>
>>
>>
>>
>> On 8/7/08 18:00, "vol-users-request at volatilityfoundation.org"
>> <vol-users-request at volatilityfoundation.org> wrote:
>>
>>>
>>>
>>> Today's Topics:
>>>
>>>    1. RE: Memory imaging (Jamie Levy)
>>>
>>>
>>> ----------------------------------------------------------------------
>>>
>>> Message: 1
>>> Date: Mon, 7 Jul 2008 14:57:33 -0400
>>> From: "Jamie Levy" <jamie.levy at gmail.com>
>>> Subject: RE: [Vol-users] Memory imaging
>>> To: vol-users at volatilityfoundation.org
>>> Message-ID:
>>> <cac8c8a90807071157w7b6e388ej660382ede0116884 at mail.gmail.com>
>>> Content-Type: text/plain; charset=ISO-8859-1
>>>
>>> Hi evb,
>>>
>>> I'm not sure, but maybe this will help (maybe someone else on here
>>> knows better than I do):
>>>
>>> http://computer.forensikblog.de/en/2008/02/acquisition_5_firewire.html
>>>
>>> I've never tried memory acquisition using firewire, but it sounds
>>> like it might be worth a try.
>>>
>>> All the best,
>>>
>>> -Jamie
>>>
>>>
>>> ------------------------------
>>>
>>> _______________________________________________
>>> Vol-users mailing list
>>> Vol-users at volatilityfoundation.org
>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>>
>>>
>>> End of Vol-users Digest, Vol 10, Issue 4
>>> ****************************************
>>
>>
>

