RAM memory imaging through FireWire attack

 Okti
(@okti)
Posts: 7
Active Member
Topic starter
 

Hi everyone

First I would like to say that I'm quite a beginner in this whole forensic business and I've been visiting this forum for quite a while now (mostly just as a passive reader). So I was reading an article about "live" memory acquisition from Belkasoft (link provided right here, from forensicfocus.com) and I'm pretty sure many of you have read that as well, and there was an interesting topic about memory acquisition through FireWire attacks.

Since I never used any FireWire devices, this was quite a revelation and I've never heard of such a technique. So I spent a good amount of time this morning looking for any info or tools which could perform this "attack". First thing I noticed is that any available information is outdated, and most of the links provided here (http://www.hermann-uwe.de/blog/physical-memory-attacks-via-firewire-dma-part-1-overview-and-mitigation) don't work, or some are even in German. Second, I haven't found many open-source or free tools which could help; the only software everyone seems to be referencing are Python scripts (pythonraw1394) written by Adam Boileau (and even those are 8 years old). Since most of the links are down, I surprisingly found those scripts in Ubuntu's Launchpad.

Anyway, they don't seem to work. Since those scripts were written in 2006, the default Python installation directory has changed, so you need to manually edit the Makefile and manually edit one source file to correct the path to "Python.h" (and this file won't exist unless you installed the python-dev package). Oh yeah, and I should say that I'm on the latest Ubuntu right now. So I sort of compiled these scripts (the compiler just gave one warning), but I couldn't find the raw1394 kernel module, and as I understand it this module is vital to perform this attack. Also, when I try to run any of the executables, it just gives me a bunch of errors (but I think this may be because I haven't loaded the module yet). I have downloaded and installed all required libraries (libraw1394-11). So if anyone has had experience with these scripts, any help would be much appreciated :).

So in short I would have a few questions regarding this technique:

1. Are there any free and open-source tools available? (Apart from pythonraw1394 I couldn't find anything.)

2. Is this still a relevant technique when it comes to memory acquisition? I'm not really interested in gaining any passwords, and the whole purpose of this "attack" seems to be exactly this. Btw, yesterday in this topic (http://www.forensicfocus.com/Forums/viewtopic/t=11448/postdays=0/postorder=asc/start=0/), a user named "OPA-KUP" replied "We did dump memory - via firewire or with any software (FTK imager)", so I see that people are still using it.

3. A bit off topic maybe, but in the article which I mentioned earlier (http://articles.forensicfocus.com/2013/06/18/discovering-ephemeral-evidence-with-live-ram-analysis/), the author states that
" investigators must use a proper memory acquisition tool running in the system’s most privileged kernel mode. Notably, current versions (as of April 24, 2013) of two popular forensic memory dumping tools, AccessData FTK Imager and PMDump, run as user-mode applications and are unable to overcome protection imposed by anti-debugging systems operating in a privileged kernel mode. " A lot of you folks seem to be using FTK Imager. I haven't used this application before, so is it really just a user-mode application? Or does it work fine without any "problems"?

Thanks!

 
Posted : 13/02/2014 8:00 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

It seems to me like you are mixing together two (different) things?

  • Memory dump
  • Memory dump through "firewire attack"

See here first:
http://www.forensicswiki.org/wiki/Tools:Memory_Imaging

The storm.net original page about the firewire attack (that is down) can be retrieved via the Wayback Machine fine:
https://web.archive.org/web/20100602081015/http://www.storm.net.nz/projects/16

jaclaz

 
Posted : 13/02/2014 8:22 pm
(@unicron)
Posts: 36
Eminent Member
 

This site should be able to answer most of your questions:

http://www.breaknenter.org/projects/inception/

The technique is very much still relevant, and it is not just limited to gaining passwords (although that happens to be a nice by-product ;) ).

 
Posted : 13/02/2014 10:01 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Maybe I now understand what the question in #3 actually was.
See the page on Belkasoft:
http://forensic.belkasoft.com/en/ram-capturer
particularly points

  • Designed to Bypass Active Anti-Debugging and Anti-Dumping Protection
  • Compared to Other Volatile Memory Capturing Tools
  • Consequences of Using a Wrong Tool

The point that the good Belkasoft guys are making in the cited article
http://articles.forensicfocus.com/2013/06/18/discovering-ephemeral-evidence-with-live-ram-analysis/
is about the possibility that "special" anti-forensics or anti-tampering software is running on the target system, more exactly specific "kernel-mode anti-debugging systems".

The theory is of course perfectly fine :).

In practice one has to see which of the three possible scenarios you are into:

  1. "normal" scenario (no anti-dumping tool running)
  2. "mild" scenario (e.g. commercial products and games that will at most prevent access to an "own" memory area)
  3. "worst-case" scenario (special kernel mode anti-debugging tool taking destructive measures)

It is likely that (just faked percentages 😯 ) the "normal" scenario #1 accounts for 95% of cases, while the "mild" scenario #2 accounts for 4.99999% of them and the "worst case" scenario represents 0.00001% of cases, and user OPA-KUP never found in his experience anything differing from the "normal" scenario, or maybe even a "mild" scenario was experienced but was not detected as such.

jaclaz

 
Posted : 13/02/2014 10:43 pm
 Okti
(@okti)
Posts: 7
Active Member
Topic starter
 

It seems to me like you are mixing together two (different) things?

  • Memory dump
  • Memory dump through "firewire attack"

jaclaz

No. I understand there are different techniques when it comes to memory acquisition; I was just wondering if anyone would do memory capture through firewire attacks these days. But anyway, thanks for the useful info :).

 
Posted : 14/02/2014 1:39 am
 jhup
(@jhup)
Posts: 1442
Noble Member
 

To be clear, the firewire attack is actually a DMA attack, as the same "firewire attack" can be used through a PCMCIA or Thunderbolt connection.

 
Posted : 14/02/2014 2:38 am
(@belkasoft)
Posts: 169
Estimable Member
 

No. I understand there are different techniques when it comes to memory acquisition; I was just wondering if anyone would do memory capture through firewire attacks these days. But anyway, thanks for the useful info :).

I was one of the authors of that Belkasoft article. I must say I know of no free tools using the FireWire acquisition method other than those mentioned in the original article. However, there are commercial solutions available, most of which are parts of larger forensic acquisition and analysis tools.

The acquisition technique is still valid, with some exceptions. It still works 100% for all Windows systems including Windows 8 (Microsoft seems reluctant to address the issue, although a KB article exists in TechNet describing the issue and recommending disabling FireWire drivers if security becomes an issue).

Computers running Apple OS X now disable FireWire automatically when the computer is locked (e.g. after a certain inactivity period), so FireWire acquisition only works on non-locked computers (in which case a different, non-FireWire based tool can also be used).

 
Posted : 17/02/2014 2:46 pm
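The mitigation mentioned above (keeping the DMA-capable drivers from loading) can be checked on a Linux host in a few lines. This is an added example, not code from the thread or from Belkasoft: it parses `lsmod`-style text for the FireWire, Thunderbolt and CardBus host drivers and emits the `modprobe.d` lines that block them. The module names are real Linux module names; the `lsmod` sample is constructed.

```python
# Added example: assess a Linux host's exposure to the FireWire/Thunderbolt
# DMA memory-read technique discussed in the thread, from lsmod output, and
# produce the modprobe.d lines that keep the host drivers from loading.
# Module names are real Linux modules; the sample lsmod text is constructed.

DMA_CAPABLE_MODULES = {
    "firewire_ohci": "FireWire (IEEE 1394) OHCI host controller",
    "ohci1394": "legacy FireWire host driver (pre-2.6.37 stack)",
    "raw1394": "legacy raw FireWire interface (what pythonraw1394 needs)",
    "thunderbolt": "Thunderbolt controller (PCIe tunnelling, DMA-capable)",
    "yenta_socket": "CardBus/PCMCIA bridge (DMA-capable slot)",
}

def loaded_modules(lsmod_output: str) -> set:
    """Return the module names in lsmod-style text (first column, header skipped)."""
    names = set()
    for line in lsmod_output.strip().splitlines()[1:]:
        fields = line.split()
        if fields:
            names.add(fields[0])
    return names

def dma_exposure(lsmod_output: str) -> list:
    """List (module, description) for loaded drivers that expose external-port DMA."""
    loaded = loaded_modules(lsmod_output)
    return [(m, d) for m, d in DMA_CAPABLE_MODULES.items() if m in loaded]

def modprobe_blacklist(findings) -> str:
    """modprobe.d lines for the flagged modules: 'blacklist' stops automatic
    loading by alias; 'install ... /bin/false' also defeats explicit and
    dependency loads."""
    lines = []
    for module, _ in findings:
        lines.append(f"blacklist {module}")
        lines.append(f"install {module} /bin/false")
    return "\n".join(lines) + "\n" if lines else ""

# Constructed lsmod output for a laptop with a FireWire controller present.
SAMPLE_LSMOD = """\
Module                  Size  Used by
firewire_ohci          45056  0
firewire_core          73728  1 firewire_ohci
e1000e                258048  0
"""

if __name__ == "__main__":
    found = dma_exposure(SAMPLE_LSMOD)
    for module, why in found:
        print(f"[!] {module}: {why}")
    print(modprobe_blacklist(found), end="")
```

On a live host, feed it the real `lsmod` output and write the emitted lines to a file under `/etc/modprobe.d/`; note that blocking the driver does not help against a port whose controller is already initialised, so a reboot (or unloading the module) is needed for the change to take effect.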
(@belkasoft)
Posts: 169
Estimable Member
 

In practice one has to see which of the three possible scenarios you are into:

  1. "normal" scenario (no anti-dumping tool running)
  2. "mild" scenario (e.g. commercial products and games that will at most prevent access to an "own" memory area)
  3. "worst-case" scenario (special kernel mode anti-debugging tool taking destructive measures)

I'm not sure whether or not crypto containers such as TrueCrypt, BitLocker or PGP Disk protect their memory sets from dumping. This would seem logical, but I don't know if they do this already. And even if they don't protect their memory sets yet, I'm pretty sure someone will come up with this idea pretty soon. So if one is taking a memory dump hoping to extract the encryption keys, one better use a proper tool now rather than later.

 
Posted : 17/02/2014 2:51 pm
 Okti
(@okti)
Posts: 7
Active Member
Topic starter
 

Sure nice to know more recent info on this. Thanks again.

 
Posted : 17/02/2014 5:44 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I'm not sure whether or not crypto containers such as TrueCrypt, BitLocker or PGP Disk protect their memory sets from dumping. This would seem logical, but I don't know if they do this already. And even if they don't protect their memory sets yet, I'm pretty sure someone will come up with this idea pretty soon. So if one is taking a memory dump hoping to extract the encryption keys, one better use a proper tool now rather than later.

Sure :), the general idea of my post was NOT in any way to suggest that your approach/article/etc. is in any way "wrong" or "overzealous", only that the OP's reference to the experience that user OPA-KUP shared on the forum might not (yet) include the "worst case" scenario (or such a scenario was not detected), and as such is not a valid counter-argument to your approach.

On the other hand, and as I see it, and again with no intent in any way to undermine the approach described, we miss some sound "field" data to fully evaluate the "practical" *need* to elevate it to a new "standard".

In other words:
Is the method you propose "better" or "safer"? Yes.
Is the *old* method "safe enough"? It depends.

I hope this clears the sense of my post.

jaclaz

 
Posted : 22/02/2014 1:24 am