RAM memory imaging through FireWire attack

Posted: Thu Feb 13, 2014 10:00 am

Hi everyone

First I would like to say that I'm quite a beginner in this whole forensic business and I've been visiting this forum for quite a while now (mostly just as a passive reader). So I was reading an article about "live" memory acquisition from "belkasoft" (link provided right here, from forensicfocus.com) and I'm pretty sure many of you have read that as well, and there was an interesting topic about memory acquisition through FireWire attacks.

Since I never used any FireWire devices, this was quite a revelation and I've never heard of such a technique. So I spent a good amount of time this morning looking for any info or tools which could perform this "attack". First thing I noticed is that any available information is outdated, and most of the links provided here (http://www.hermann-uwe.de/blog/physical-memory-attacks-via-firewire-dma-part-1-overview-and-mitigation) don't work, or some are even in German. Second, I haven't found much open-source or free tools which could help; the only software everyone seems to be referencing are the python scripts (pythonraw1394) written by Adam Boileau (and even those are 8 years old). Since most of the links are down, I found those scripts, surprisingly, in Ubuntu's Launchpad.

Anyway, they don't seem to work. Since those scripts were written in 2006, the python default installation directory has changed, so you need to manually edit the Makefile and manually edit one source file to correct the path to "Python.h" (and this file won't exist unless you installed the python-dev package). Oh yeah, and I should say that I'm on the latest Ubuntu right now. So I sort of compiled these scripts (the compiler just gave one warning), but I couldn't find the raw1394 kernel module, and as I understand it this module is vital to perform this attack. Also, when I try to run any of the executables, it just gives me a bunch of errors (but I think this may be because I haven't loaded the module yet). I have downloaded and installed all required libraries (libraw1394-11). So if anyone has had experience with these scripts, any help would be much appreciated :).

So in short I would have a few questions regarding this technique:

1. Are there any free and open-source tools available? (Apart from pythonraw1394 I couldn't find anything.)

2. Is this still a relevant technique when it comes to memory acquisition? I'm not really interested in gaining any passwords, and the whole purpose of this "attack" seems to be exactly that. Btw, yesterday in this topic (http://www.forensicfocus.com/Forums/viewtopic/t=11448/postdays=0/postorder=asc/start=0/), user named "OPA-KUP" replied: "We did dump memory - via firewire or with any software (FTK imager)" - so I see that people are still using it.

3. A bit off topic maybe, but in the article which I mentioned earlier (http://articles.forensicfocus.com/2013/06/18/discovering-ephemeral-evidence-with-live-ram-analysis/), the author states that:
"investigators must use a proper memory acquisition tool running in the system's most privileged kernel mode. Notably, current versions (as of April 24, 2013) of two popular forensic memory dumping tools, AccessData FTK Imager and PMDump, run as user-mode applications and are unable to overcome protection imposed by anti-debugging systems operating in a privileged kernel mode." A lot of you folks seem to be using FTK Imager. I haven't used this application before, so is it really just a user-mode application? Or does it work fine without any "problems"?

Thanks!

Okti
Newbie

Re: RAM memory imaging through FireWire attack

Posted: Thu Feb 13, 2014 10:22 am

It seems to me like you are mixing together two (different) things:
  • Memory dump
  • Memory dump through "firewire attack"
See here first:
www.forensicswiki.org/...ry_Imaging

The storm.net original page about the firewire attack (that is down) can be retrieved via Wayback Machine fine:
web.archive.org/web/20...rojects/16

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member

Re: RAM memory imaging through FireWire attack

Posted: Thu Feb 13, 2014 12:01 pm

This site should be able to answer most of your questions:

http://www.breaknenter.org/projects/inception/

The technique is very much still relevant, and it is not just limited to gaining passwords (although that happens to be a nice by-product).

Unicron
Member

Re: RAM memory imaging through FireWire attack

Posted: Thu Feb 13, 2014 12:43 pm

Maybe I now understand what the question in #3 actually was.
See the page on Belkasoft:
forensic.belkasoft.com...m-capturer
particularly points:
  • Designed to Bypass Active Anti-Debugging and Anti-Dumping Protection
  • Compared to Other Volatile Memory Capturing Tools
  • Consequences of Using a Wrong Tool

The point that the good Belkasoft guys are making in the cited article:
articles.forensicfocus...-analysis/
is about the possibility that "special" anti-forensics or anti-tampering software is running on the target system, more exactly specific "kernel-mode anti-debugging systems".

The theory is of course perfectly fine.

In practice one has to see which of the three possible scenarios you are into:
  1. "normal" scenario (no anti-dumping tool running)
  2. "mild" scenario (e.g. commercial products and games that will at most prevent access to an "own" memory area)
  3. "worst-case" scenario (special kernel mode anti-debugging tool taking destructive measures)
It is likely that (just faked percentages) the "normal" scenario #1 accounts for 95% of cases, while the "mild" scenario #2 accounts for 4.99999% of them and the "worst case" scenario represents 0.00001% of cases, and user OPA-KUP never found in his experience anything differing from the "normal" scenario, or maybe even a "mild" scenario was experienced but was not detected as such.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member

Re: RAM memory imaging through FireWire attack

Posted: Thu Feb 13, 2014 3:39 pm

- jaclaz
It seems to me like you are mixing together two (different) things:
  • Memory dump
  • Memory dump through "firewire attack"


No. I understand there are different techniques when it comes to memory acquisition, I was just wondering if anyone would do memory capture through firewire attacks these days. But anyway thanks for the useful info.

Okti
Newbie

Re: RAM memory imaging through FireWire attack

Posted: Thu Feb 13, 2014 4:38 pm

To be clear, the firewire attack is actually a DMA attack, as the same "firewire attack" can be used through a PCMCIA or Thunderbolt connection.

jhup
Senior Member

Re: RAM memory imaging through FireWire attack

Posted: Mon Feb 17, 2014 4:46 am

- Okti
No. I understand there are different techniques when it comes to memory acquisition, I was just wondering if anyone would do memory capture through firewire attacks these days. But anyway thanks for the useful info.

I was one of the authors of that Belkasoft article. I must say I know of no free tools using the FireWire acquisition method other than those mentioned in the original article. However, there are commercial solutions available, most of which are parts of larger forensic acquisition and analysis tools.

The acquisition technique is still valid, with some exceptions. It still works 100% for all Windows systems including Windows 8 (Microsoft seems reluctant to address the issue, although a KB article exists in TechNet describing the issue and recommending disabling FireWire drivers if security becomes an issue).

Computers running Apple OS X now disable FireWire automatically when the computer is locked (e.g. after a certain inactivity period), so FireWire acquisition only works on non-locked computers (in which case a different, non-FireWire based tool can also be used).
_________________
Digital Evidence Extraction Software
belkasoft.com 

Belkasoft
Senior Member
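
A defender-side check for the two points made above, that the "firewire attack" is really a DMA attack over the 1394 path and that the practical mitigation is keeping the FireWire drivers from loading. This is an added example for a Linux host (the OP is on Ubuntu) and is not code from the thread or from any tool it mentions; it assumes the upstream kernel module names and takes lsmod and /etc/modprobe.d contents as text, so the same functions can also be run over a listing captured from another machine.

```shell
# Added example, not from the thread: audit whether a Linux host still exposes the
# IEEE 1394 (FireWire) DMA path. Module names assumed from the upstream kernel stacks:
# legacy ieee1394 (ohci1394, raw1394, sbp2) and the current firewire-* stack.
FW_MODULES="firewire_ohci firewire_core firewire_sbp2 ohci1394 raw1394 sbp2 ieee1394"
# modprobe.d spells names with '-', lsmod prints '_': compare in one form
norm() { printf '%s' "$1" | tr '-' '_'; }

# loaded_fw_modules LSMOD_TEXT -> 1394 modules present in the listing, one per line
loaded_fw_modules() {
    printf '%s\n' "$1" | awk 'NR > 1 { print $1 }' | while read -r m; do
        case " $FW_MODULES " in *" $(norm "$m") "*) echo "$m" ;; esac
    done
}

# fw_module_blocked MODPROBE_TEXT MODULE -> success if MODULE is blacklisted or stubbed
# ("install MODULE /bin/false"). 'blacklist' only stops alias autoload on hotplug;
# the 'install' form also defeats an explicit modprobe.
fw_module_blocked() {
    printf '%s\n' "$1" | sed 's/#.*//' | while read -r kw mod target; do
        [ "$(norm "$mod")" = "$(norm "$2")" ] || continue
        case "$kw:$target" in
            blacklist:*|install:/bin/false|install:/bin/true) echo blocked ;;
        esac
    done | grep -q blocked
}

# fw_dma_status LSMOD_TEXT MODPROBE_TEXT -> EXPOSED (a 1394 driver is loaded now),
# MITIGATED (none loaded and the host-controller driver cannot autoload) or
# UNPROTECTED (none loaded today, but a hot-plugged controller would load one)
fw_dma_status() {
    loaded=$(loaded_fw_modules "$1" | tr '\n' ' ')
    if [ -n "$loaded" ]; then
        echo "EXPOSED ${loaded% }"
    elif fw_module_blocked "$2" firewire-ohci || fw_module_blocked "$2" ohci1394; then
        echo "MITIGATED"
    else
        echo "UNPROTECTED"
    fi
}

# Constructed sample inputs (not captures from a real machine)
LSMOD_EXPOSED='Module                  Size  Used by
firewire_ohci          40960  0
firewire_core          65536  1 firewire_ohci'
LSMOD_CLEAN='Module                  Size  Used by
e1000e                241664  0'
MODPROBE_BLOCKED='blacklist firewire-ohci
install firewire-core /bin/false'
if [ "${1:-}" = "--live" ]; then  # audit this host: sh fw_dma_audit.sh --live
    fw_dma_status "$(lsmod)" "$(cat /etc/modprobe.d/*.conf 2>/dev/null)"
fi
```

A host that reports UNPROTECTED is the interesting case for a defender: nothing is loaded while you look, yet attaching a controller (including via ExpressCard or a Thunderbolt adapter, as jhup notes) would pull the driver in on demand.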