[Vol-users] Memory Imaging Using Firewire

echo6 echo6_uk at yahoo.com
Mon Jul 14 16:35:05 CDT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks AAron,

Apologies all I've come into the conversation a little late, in fact due
to work I've had a leave of absence from "the scene" for about 10 months.

Eric, George has correctly identified some artifacts in a memory image I
acquired sometime ago (Windows 2000 IIRC),  in fact the issue is
mentioned on Adam's web site.  It was a good find by George and is
deserving of more research :)  Although I personally I wouldn't be so
dismissive as George, but again that would largely depend on the type of
case and evidence you are attempting to recover.

Locked boxes are a cause for concern for incident responders and LEA
alike.  It is a problem I spent quite sometime searching for some
practical answers, more so considering the increasing use of full drive
encryption.  Unfortunately if presented with the "Lunar Screen" or login
screen auto-run is disabled by default,  I'm sure George/AAron can
correct me if I'm wrong there.

There is no silver bullet when using firewire,  personally I would use
it as a last ditch attempt to acquire physical memory.  In the
circumstances you've described I would be tempted to give it a go.

The BSOD mentioned by Jim are a certainty on Windows 2000 boxes.
Probably due to poor driver implementation with Windows, at least that
is what I suspect.

George is quite correct in stating further research is needed in this
area.  I suspect that IEEE394 specs vary considerably between chipset
vendors and you need a certain amount of luck with the right mix to
successfully acquire :-(

I would never recommend this method on a production server unless you
had tested it previously.  If you were in that position then you would
probably have appropriate incident response procedures in place to
acquire physical memory.

There is also the "vulnerability" that Joanna Rutkowska mentions,  but
only affects AMD based machines not Intel, ATM.
http://theinvisiblethings.blogspot.com/2007/01/beyond-cpu-cheating-hardware-based-ram.html

Adam Boileau also released the code he uses to open locked boxes,  it is
~  briefly mentioned in the post Jim mentioned at remote-exploit.  Again
I have had this working successfully, on occasions!  Personally I prefer
this option to unlock the box which would allow me to view, assess and
deploy tools of choice.  If I only acquire physical memory I don't know
if there any encrypted volumes mounted and thus would not have an
opportunity to acquire them before pulling the plug.  As with any tool
you deploy live you should be in a position to understand the impact and
be in a position to explain the artifacts left behind.  Depending on
your case causing these may justify a means to and end in order to
acquire the evidence.

In evb's case I think it would be more important to recover contraband
images/pictures, possible internet/network activity, and preserve
possible encryption passwords.  Again George correct me if I am wrong
but the issues you identified with the memory image are more likely to
have an impact on the tasks/processes/executables analysis and their
integrity than that of other forensic artifacts that would be of value
to evb's case?  I do agree however there is a big reliability issue
which cannot be ignored.

AAron, yep MFTT initiative is worth while one and needs a lot of input.
~ It is good see George here on the list :)

Jon.

AAron Walters wrote:
|
| Jon.
|
| No worries.  Welcome to the list! I'm just glad you finally figured it
| out.  Have you had a chance to look at the archives?  Since I know you
| have experience testing acquisition mechanisms, with firewire
| acquisition, and are obviously familiar with the legal considerations.
| Would you care to speak to George's email regarding the issues with
| firewire acquisition?
|
| Thanks,
|
| AW
|
|
|
| On Mon, 14 Jul 2008, echo6 wrote:
|
|> Sorry AAron,  Yahoo spam filter was a bit aggressive !  I got here in
|> the end :-)
|>
|> What tools do peeps prefer for memory acquisition now that we have some
|> choices ?
|>
|> Regards,
|> Jon.
|>
|

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIe8aJbSv1saVS9ucRAolKAJ9KLpS+raTbpyQON1I0R6wLHTE6+gCgj7zC
TiSNsNjjQGaP3vne9o6WDjE=
=dMxr
-----END PGP SIGNATURE-----



More information about the Vol-users mailing list