Firewire 😉
Yea, the firewater port, that's what I meant.
I'm going to go do something involving a great deal of precision right now since I appear to be on a roll….
-David
P.S. I edited my previous message so this'll not make too much sense.
especially given the current case involving this very thing
Hi hogfly, which case are you referring to?
Cheers,
Jamie
Jamie,
The one from the FF front page a few days ago
http//
I can't remember if I got this link from ForensicFocus or if it was something I dug up somewhere else, but the Guillotine method has been around for a little while and relies on the same "persistence" properties of data in memory.
"Guillotine Method" for RAM Acquisition.
http//
Guillotine Steps and Conditions
http//
It may be more practical at the moment than the Princeton method (and not require unreleased software).
Guillotine + FTK to carve out strings to use when cracking passwords would be my current approach. Although liquid nitrogen would be fun to play with in the lab… 😯 😯 😯
SANS ISC is keeping tabs on what whole disk encryption products are/may be exposed
http//
Enjoy!
Jim
Anyone here got any suggestions for an extremely low RAM footprint Linux distro we could use to capture the RAM after this or the Guillotine Method?
i.e. something with USB, FAT drivers, dd and anything else essential but nothing else.
Thanks
Mialta
Hi all! I'm dropping by here since this is one of the places that popped up when I was reading about the Princeton guys' techniques of dumping RAM. They haven't released their dumper, so I took it upon myself to write one very similar to it as a weekend project.
http//
This is much lower profile than you could ever get a Linux (or other OS) distro. It runs as a com32 executable from the SysLinux bootloader, so the footprint is measured on the order of kilobytes, rather than megabytes. The gotchas are that it really needs something that can boot from USB (or transfer memory after blasting it with r-134a to something that does), and it's not the most user-friendly thing in the world. It's also a bit slower than the Princeton researchers' one, but at least you can get this one now.
Hope you enjoy! I'll definitely be lurking/posting here more, now that I've found it.
Hi Wesley, welcome to the forums :-)
I haven't had a chance to test your work out yet (frustratingly, all the systems at my disposal have more RAM than my largest USB drive, and I don't fancy taking some out to test right now!), but it looks very interesting and the instructions you've included look very comprehensive.
Thank you for sharing this publicly, I'm sure a lot of people around will find it very useful! I'll attempt to test it myself soon…
Cheers,
Tom
Welcome Wes, I was actually coming here to post about your tool.
Good work. I'm in the process of trying to borrow a laptop to test this out. My Toughbook doesn't allow booting from a USB device, unfortunately.