evb,
There are a number of potential techniques that are being used to deal with
locked machines. Though I must give my usual caveats that I would make
sure you know what you are doing and actually have experience with the
acquisition method before trying it as part of a real investigation.
Some of the techniques are hardware dependent, have the potential to BSOD
the machine, or are potentially destructive, so you may only get one
attempt. In some instances, it may be useful to get outside help.
As Jim and Jamie mentioned, performing acquisition via firewire is a
potential option. Details about this technique can be found on the following
site: http://storm.net.nz/projects/16. They even mention using a CardBus
firewire card. Others have successfully used techniques similar to those
presented in the Cold Boot paper (http://citp.princeton.edu/memory/) or,
similarly, msramdmp (http://mcgrewsecurity.com/projects/msramdmp/).
Depending on how the laptop is configured, the hibernation file is another
alternative. There are also other hardware solutions but they are very
expensive.
Regards,
AW
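A short triage helper for the hibernation-file option mentioned above. This is an added example, not code posted in this thread or shipped by any of the tools named here. It assumes the header convention of XP/Vista/7-era hiberfil.sys: the first four bytes read "hibr" while a usable hibernation image is present, "wake" after the machine has resumed from it, and zeros once Windows has cleared the header. The sample buffers are constructed in the script; the PAGE_SIZE value and the function names are assumptions for the example.

```python
"""Triage a Windows hibernation file (hiberfil.sys) header before acquisition.

Added example, not code from the mailing-list thread. Assumptions:
  - first four bytes are "hibr" (active image), "wake" (resumed from it)
    or all zeros (header cleared by Windows); comparison is case-insensitive
    so an upper-case variant of the same signature is also recognised
  - only the first page of the file needs to be read for this check
"""
from __future__ import annotations

PAGE_SIZE = 4096  # assumption: size of the header page we read


def classify_hiberfil_header(data: bytes) -> str:
    """Return a label describing what the leading bytes suggest.

    'active'   -> a hibernation image is present and worth acquiring intact
    'resumed'  -> the machine resumed; header rewritten, stale pages may remain
    'cleared'  -> header zeroed; the body can still hold old memory contents
    'unknown'  -> not a hiberfil header (wrong file, encrypted, or damaged)
    """
    if len(data) < 4:
        return "too-short"
    sig = data[:4]
    if sig.lower() == b"hibr":
        return "active"
    if sig.lower() == b"wake":
        return "resumed"
    if sig == b"\x00\x00\x00\x00":
        return "cleared"
    return "unknown"


def inspect_hiberfil(path: str) -> dict:
    """Read only the first page of a real file and classify it.

    Opened read-only; nothing is written back, so the evidence is untouched.
    """
    with open(path, "rb") as fh:
        head = fh.read(PAGE_SIZE)
    return {"signature": head[:4], "status": classify_hiberfil_header(head)}


# Constructed sample headers (not captured from any real system).
SAMPLES = {
    "laptop_hibernated": b"hibr" + b"\x00" * 60,
    "laptop_resumed": b"wake" + b"\x11" * 60,
    "header_cleared": b"\x00" * 64,
    "not_a_hiberfil": b"MZ\x90\x00" + b"\x00" * 60,
}


def triage_samples() -> dict:
    """Classify every constructed sample; used for the demonstration below."""
    return {name: classify_hiberfil_header(buf) for name, buf in SAMPLES.items()}


if __name__ == "__main__":
    for name, status in triage_samples().items():
        print(f"{name:20s} -> {status}")
```

Even a "resumed" or "cleared" result does not mean the file is worthless: the header is rewritten, but the pages behind it are often left in place, so preserve the file as-is and let an analysis tool decide what is still recoverable.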
On Tue, 8 Jul 2008, Jim Gordon wrote:
I know that Jon Evans at Gwent Police in the UK has demonstrated this
method. I'll be amazed if Jon doesn't subscribe to this list and so may be
able to give some more info.
More info can be found here:
http://forums.remote-exploit.org/archive/index.php/t-13922.html
The method utilises Adam Boileau's Winlockpwn tool. Adam's Pythonraw tool
is available on Helix.
http://www.e-fense.com/helix/downloads.php
If I recall, one "slight" issue with this method is the tendency to BSOD. To
quote Keith Lockhart at Access Data "This is a Bad thing!"
Jim
On 8/7/08 18:00, "vol-users-request(a)volatilityfoundation.org" <vol-users-request(a)volatilityfoundation.org> wrote:
Today's Topics:
1. RE: Memory imaging (Jamie Levy)
----------------------------------------------------------------------
Message: 1
Date: Mon, 7 Jul 2008 14:57:33 -0400
From: "Jamie Levy" <jamie.levy(a)gmail.com>
Subject: RE: [Vol-users] Memory imaging
To: vol-users(a)volatilityfoundation.org
Message-ID: <cac8c8a90807071157w7b6e388ej660382ede0116884(a)mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Hi evb,
I'm not sure, but maybe this will help (maybe someone else on here
knows better than I do):
http://computer.forensikblog.de/en/2008/02/acquisition_5_firewire.html
I've never tried memory acquisition using firewire, but it sounds like
it might be worth a try.
All the best,
-Jamie
------------------------------
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
End of Vol-users Digest, Vol 10, Issue 4
****************************************