
ram dump of a "locked" live system

7 Posts
5 Users
0 Reactions
1,600 Views
(@rampage)
Reputable Member
Joined: 17 years ago
Posts: 354
Topic starter  

hello everyone,

just a quick question for you all,

i was talking with my colleagues about this topic and since it's something that may occur during a forensic investigation i was wondering how you would proceed if you suspect that full disk encryption using truecrypt is running on a system that is locked and with which you can't interact?

i've heard about tools that are able to perform a physical ram dump of a live system if it's equipped with a firewire port..
i googled around a bit but except for winlockpwn, which simply breaks through the lock screen on a winxp machine, i've found nothing more.

are you aware of similar tools that can be used to perform a ram dump on other OSes like mac or linux?
all apple systems are equipped with firewire so it might be very useful if you seize a locked apple computer to dump the physical memory just in case it's using filevault.


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

http://www.storm.net.nz/projects/16


(@rampage)
Reputable Member
Joined: 17 years ago
Posts: 354
Topic starter  

thx for the link, but if i understood it right, it's all related to winxp…
is there anything for apple or linux?


ecophobia
(@ecophobia)
Estimable Member
Joined: 17 years ago
Posts: 127
 

If you are law-enforcement, send an email or PM to me and I may be able to point you in the right directions. Unfortunately, I am not at liberty to discuss it openly.


erowe
(@erowe)
Estimable Member
Joined: 18 years ago
Posts: 144
 

My understanding is that FireWire DMA doesn't work on XP SP3 and higher. I haven't tried it on Linux or an Apple, however.

You might be interested in the DFRWS 2009 paper by Carsten Maartmann-Moe on cryptographic key recovery from RAM. If you're just testing, you might want to try a reset/reboot approach, perhaps using a boot CD with a small-footprint OS. According to his figures, he had a 29% success rate recovering cryptographic keys from rebooted systems that were using full-disk encryption - although I don't remember what he said his methodology to do that was.

Also, because resets don't leave memory time to degrade, you may want to carve the memory dump for text strings and dump those into a password dictionary (or just scan through them if you have a couple of hours to kill)

http://www.dfrws.org/2009/program.shtml
http://www.dfrws.org/2009/proceedings/p132-moe.pdf

Then there's the "Turkish" approach… cry
http://news.cnet.com/8301-13739_3-10069776-46.html


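The "carve the dump for text strings and turn them into a password dictionary" step in the reply above, as an added example that is not code from the original thread or from any of the tools it mentions. It does what `strings -a` and `strings -el` do (runs of printable ASCII and of UTF-16LE, the encoding Windows keeps most of its in-memory text in), then tokenises, deduplicates and writes a wordlist. The sample image bytes are constructed here for illustration; the function and file names are this example's own.

```python
import re
from typing import List

# Constructed stand-in for a slice of a raw memory image: executable header
# noise, an ASCII prompt with a typed passphrase, a UTF-16LE passphrase as a
# Windows process would hold it, some BOM/binary noise, and a file path.
SAMPLE_IMAGE = (
    b"\x00\x01\x02" + b"MZ\x90\x00" * 3
    + b"Enter password: " + b"Tr0ub4dor&3" + b"\x00\x00"
    + b"\x7f\x00\x8a"
    + "correct horse battery staple".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe" + b"ab" + b"\x00" * 8
    + b"/Users/alice/Documents/secret.txt\x00"
)


def carve_ascii(data: bytes, min_len: int = 6) -> List[str]:
    """Return every run of at least min_len printable ASCII bytes (0x20-0x7e)."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def carve_utf16le(data: bytes, min_len: int = 6) -> List[str]:
    """Return every run of at least min_len UTF-16LE chars whose high byte is 0,
    i.e. the 'p\\x00a\\x00s\\x00s\\x00' pattern of ASCII text stored as wide chars."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pat.finditer(data)]


def build_wordlist(data: bytes, min_len: int = 6, max_len: int = 64) -> List[str]:
    """Split carved strings on whitespace into candidate passwords, keeping
    first-seen order and dropping duplicates and implausible lengths."""
    seen = set()
    words: List[str] = []
    for s in carve_ascii(data, min_len) + carve_utf16le(data, min_len):
        for tok in s.split():
            if min_len <= len(tok) <= max_len and tok not in seen:
                seen.add(tok)
                words.append(tok)
    return words


def write_wordlist(words: List[str], path: str) -> int:
    """Write one candidate per line; returns the number of lines written."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(words) + "\n")
    return len(words)


if __name__ == "__main__":
    # On a real case you would read the acquired image instead of SAMPLE_IMAGE,
    # e.g. data = open("memdump.raw", "rb").read() for dumps that fit in RAM.
    candidates = build_wordlist(SAMPLE_IMAGE)
    for w in candidates:
        print(w)
    print(f"wrote {write_wordlist(candidates, 'memdump_wordlist.txt')} candidates")
```

For a multi-gigabyte dump, read the file in chunks and carry the last `max_len` bytes of each chunk into the next so strings spanning a chunk boundary are not split. Keeping the raw tokens (including trailing punctuation such as `password:`) is deliberate: a later pass of the usual rules-based mangling is cheaper than guessing here what the user actually typed.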
(@rampage)
Reputable Member
Joined: 17 years ago
Posts: 354
Topic starter  

well, about crypto keys i'm nearly giving up since in the latest version of truecrypt (6.0a?) the key is fragmented across different memory areas to prevent a cold boot attack.

actually i'm studying hard on memory forensics and it looks like the best approach is to dump the ram on the live system using win32dd or similar software for different architectures.

some ppl suggest dumping the ram using the "force unhandled exception" technique to force the OS to generate a ram dump on the disk.

but i'm not that much into it since even though in the volatility order the ram seems to be of higher priority, using such an approach would destroy evidence on a stable medium, such as deleted but not overwritten HD files.

@ecophobia, i'm not actually in law enforcement but i work strictly in tandem with them.
i mean that i'm a forensic consultant who works for LE.
if it's an issue to share the information with me directly or you need proof of it, i can tell someone in my office to contact you directly from an official LE email address.


digintel
(@digintel)
Trusted Member
Joined: 17 years ago
Posts: 51
 

> thx for the link, but if i understood it right, it's all related to winxp…
> is there anything for apple or linux?

You mean something like MacLockPick?
http://www.macforensicslab.com

It has an OS X keychain extractor, and a lot more..
The first version could extract from a sleeping Mac,
if that's what you're looking for.

Roland

