12:30 p.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Sorry AAron, Yahoo spam filter was a bit aggressive ! I got here in
the end :-)
What tools do peeps prefer for memory acquisition now that we have some
choices ?
Regards,
Jon.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFIe38XbSv1saVS9ucRAvm/AJ0R+nu5ud781uohH5bTrTKafJwZXACdGRJq
alg5C8CXQqUmvwKm/bgLWEg=
=qY5a
-----END PGP SIGNATURE-----
1:21 p.m.
Jon.
No worries. Welcome to the list! I'm just glad you finally figured it
out. Have you had a chance to look at the archives? Since I know you
have experience testing acquisition mechanisms, with firewire acquisition,
and are obviously familiar with the legal considerations. Would you care
to speak to George's email regarding the issues with firewire acquisition?
Thanks,
AW
On Mon, 14 Jul 2008, echo6 wrote:
Sorry AAron, Yahoo spam filter was a bit aggressive !
I got here in
the end :-)
What tools do peeps prefer for memory acquisition now that we have some
choices ?
Regards,
Jon.
5:35 p.m.
New subject: Memory Imaging Using Firewire
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Thanks AAron,
Apologies all I've come into the conversation a little late, in fact due
to work I've had a leave of absence from "the scene" for about 10 months.
Eric, George has correctly identified some artifacts in a memory image I
acquired sometime ago (Windows 2000 IIRC), in fact the issue is
mentioned on Adam's web site. It was a good find by George and is
deserving of more research :) Although I personally I wouldn't be so
dismissive as George, but again that would largely depend on the type of
case and evidence you are attempting to recover.
Locked boxes are a cause for concern for incident responders and LEA
alike. It is a problem I spent quite sometime searching for some
practical answers, more so considering the increasing use of full drive
encryption. Unfortunately if presented with the "Lunar Screen" or login
screen auto-run is disabled by default, I'm sure George/AAron can
correct me if I'm wrong there.
There is no silver bullet when using firewire, personally I would use
it as a last ditch attempt to acquire physical memory. In the
circumstances you've described I would be tempted to give it a go.
The BSOD mentioned by Jim are a certainty on Windows 2000 boxes.
Probably due to poor driver implementation with Windows, at least that
is what I suspect.
George is quite correct in stating further research is needed in this
area. I suspect that IEEE394 specs vary considerably between chipset
vendors and you need a certain amount of luck with the right mix to
successfully acquire :-(
I would never recommend this method on a production server unless you
had tested it previously. If you were in that position then you would
probably have appropriate incident response procedures in place to
acquire physical memory.
There is also the "vulnerability" that Joanna Rutkowska mentions, but
only affects AMD based machines not Intel, ATM.
http://theinvisiblethings.blogspot.com/2007/01/beyond-cpu-cheating-hardware…
Adam Boileau also released the code he uses to open locked boxes, it is
~ briefly mentioned in the post Jim mentioned at remote-exploit. Again
I have had this working successfully, on occasions! Personally I prefer
this option to unlock the box which would allow me to view, assess and
deploy tools of choice. If I only acquire physical memory I don't know
if there any encrypted volumes mounted and thus would not have an
opportunity to acquire them before pulling the plug. As with any tool
you deploy live you should be in a position to understand the impact and
be in a position to explain the artifacts left behind. Depending on
your case causing these may justify a means to and end in order to
acquire the evidence.
In evb's case I think it would be more important to recover contraband
images/pictures, possible internet/network activity, and preserve
possible encryption passwords. Again George correct me if I am wrong
but the issues you identified with the memory image are more likely to
have an impact on the tasks/processes/executables analysis and their
integrity than that of other forensic artifacts that would be of value
to evb's case? I do agree however there is a big reliability issue
which cannot be ignored.
AAron, yep MFTT initiative is worth while one and needs a lot of input.
~ It is good see George here on the list :)
Jon.
AAron Walters wrote:
|
| Jon.
|
| No worries. Welcome to the list! I'm just glad you finally figured it
| out. Have you had a chance to look at the archives? Since I know you
| have experience testing acquisition mechanisms, with firewire
| acquisition, and are obviously familiar with the legal considerations.
| Would you care to speak to George's email regarding the issues with
| firewire acquisition?
|
| Thanks,
|
| AW
|
|
|
| On Mon, 14 Jul 2008, echo6 wrote:
|
|> Sorry AAron, Yahoo spam filter was a bit aggressive ! I got here in
|> the end :-)
|>
|> What tools do peeps prefer for memory acquisition now that we have some
|> choices ?
|>
|> Regards,
|> Jon.
|>
|
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFIe8aJbSv1saVS9ucRAolKAJ9KLpS+raTbpyQON1I0R6wLHTE6+gCgj7zC
TiSNsNjjQGaP3vne9o6WDjE=
=dMxr
-----END PGP SIGNATURE-----
5:39 p.m.
New subject: Memory Imaging Using Firewire
Jon,
It took me a little while to dig up our correspondence from two years ago. Two years ago
you sent me two memory "images" taken in short succession from a single computer
system. The first memory "image" was acquired via firewire using Adam
Boileau's code. The second "image" was acquired using GMG Systems, Inc.
KnTDD. Interestingly, there were artifacts from the firewire memory acquisition in the
KnTDD memory dump. Here is a comparison of the output resulting from the two methods:
<Quote/>
For example, consider the following start of the KdVersionBlock as acquired by KnTDD and
firewire, respectively:
KnTDD:
0046F6A0 38 39 41 42 43 44 45 46 D0 B9 54 80 D0 B9 54 80 89ABCDEFйT€Ð¹T€
0046F6B0 00 00 00 00 00 00 00 00 4B 44 42 47 **70 02** 00 00 KDBGp
0046F6C0 00 00 40 80 00 00 00 00 88 64 45 80 00 00 00 00 @€ ˆdE€
firewire
0046B940 38 39 41 42 43 44 45 46 D0 70 54 80 D0 70 54 80 89ABCDEFÐpT€ÐpT€
0046B950 00 00 00 00 00 00 00 00 4B 44 42 47 **08 02** 00 00 KDBG
0046B960 00 00 40 80 00 00 00 00 70 2E 45 80 00 00 00 00 @€ p.E€
The two octets that follow the tag "KDBG" are in each case the size of the
version block. In the case of the KnTDD-acquired image the value is 70 02 (0x270). In
the case of firewire the value is 08 02 (0x208). This value is hard coded in the kernel
and cannot change without a change in the kernel. Also, the physical offset within the
page has changed. While I can understand how a page might move to a different physical
address, the offset within the page should remain unchanged.
</Quote>
Ideally, we should have run KnTDD twice, once before and then after the firewire memory
dump. However, the fact that KnTDD was run after the firewire memory dump and produced
expected results is sufficient to show that the problem occurred with the firewire
acquisition, not the memory itself. The firewire memory dump evidenced a fairly high bit
error rate. What is more troubling, virtual-to-physical address translation was
impossible because kernel variables were displaced by arbitrary offsets within the memory
dump from their expected physical locations. Interestingly, Brian Carrier also reported
that some physical pages were transposed from their corresponding locations in a DD memory
"dump." They were not able to explain the result.
Would you say that errors of this sort "are more likely to have an impact on the
tasks/processes/executables analysis and their integrity than that of other forensic
artifacts that would be of value to evb's case?"
Now let me qualify the foregoing: This was just one memory "image" acquired
using firewire. It is entirely possible that further testing would show that more recent
firewire controllers/operating systems etc. are reliable. On the other hand, firewire
controllers typically are not used to acquire memory in this manner, even though the
functionality technically is a part of the specification. So it is entirely possible that
further testing would show that none of the existing firewire controllers are reliable for
physical memory acquisition. We simply don't know.
Getting back to evb's problem: I would have no problem with using firewire to unlock
the computer, either directly or by recovering a user's password. My problem is with
using firewire to acquire *evidence* that will subsequently serve as the basis for some
action against the employee. Presumably the company intends to terminate the employee if
it finds contraband on his computer. However, the employer itself may be found liable if
subsequently the employer's actions are judged to have been arbitrary. An action for
which the only supporting evidence is found to be inadmissible would by definition be
arbitrary. Knowing something and proving it in court are two different things. As
forensic experts, we are about the latter; and while we may not be lawyers, to be
effective we must know at least enough about the law so as to present evidence so as to
prove something. And we need to know when that presentation is not going to fly.
Regards,
ReC.
5966
days inactive
5967
days old
vol-users@lists.volatilityfoundation.org
3 comments
3 participants
participants (3)
-
AAron Walters -
echo6 -
George M. Garner Jr.