
Live Memory Acquisition through FireWire

Live memory acquisition is currently one of the more advanced forensic techniques. This paper compares several acquisition methods, then analyses FireWire-based memory acquisition, and analyses ...

China Communications, December 2010, Research Paper (pp. 80-85). (The scanned text starts part way through Section 2.1, which covers software-based acquisition.)

... they also have many limitations, such as needing full control of the subject system, and having a relatively heavy footprint, since they must be loaded into the subject system's memory and run there. On Windows operating systems after Windows 2003 SP1, the \\.\PhysicalMemory device is not available from user mode, so memory acquisition tools that use this device and run in user mode no longer work. Moreover, these tools rely on services provided by the subject OS, so they can easily be cheated by anti-forensic malware already present on the system.

2.2 Hardware-based Acquisition

Hardware-based memory acquisition tools are not as popular as software-based ones because they need additional hardware. The hardware, in the form of a PCI expansion card, a dedicated Linux-based machine or a specially designed device, is either very expensive or simply not available on the general market. These tools, either pre-installed or attached after the fact, are connected to the subject system and dump its memory in DMA mode. They do not need to run any software agent in the subject system and bypass the subject OS while they work. Thus they can hardly be cheated by anti-forensic malware (although they can still be defeated by changing register settings in the North Bridge [5]) and have a relatively light footprint in the subject system's memory. There are typically two kinds of hardware-based memory acquisition methods: one through the PCI bus, and the other through FireWire ports.

As to the PCI bus method, a tool named Tribble [6] was introduced in February 2004 by Brian Carrier et al. This method uses a pre-installed PCI expansion card to acquire system memory when an incident happens. A switch is turned on to start the dumping process; Tribble does not introduce any software into the subject system and thus preserves data integrity well. But the need to pre-install the acquisition card heavily limits its usage.

FireWire began to attract forensic experts' attention as a memory acquisition tool after its initial introduction as a way to break into locked systems using a modified "iPod" [7] in 2005. This method could only acquire memory from Linux-based systems until 2006, when Adam Boileau first gave a method to trick a Windows-based target OS into granting the acquisition tool Direct Memory Access rights [8]. This method needs no pre-installation. FireWire ports are fitted on many modern computers, and even when no such port is integrated on the motherboard, one can be added through a PCMCIA or PCI Express slot. Although this method has been in use by forensic experts for some years, there are still problems, such as weak stability with Windows-based systems and the risk of a BSoD (Blue Screen of Death) when trying to access the UMA (Upper Memory Area) [9] or other regions not mapped to system memory. We discuss how to resolve these problems in Section III.

III. METHODOLOGIES AND AN IMPLEMENTATION OF FIREWIRE-BASED MEMORY ACQUISITION

FireWire-based devices communicate with host computers over the FireWire bus through a layered protocol stack. The structure of this stack is shown in Fig. 1.

    Device-type specific command sets, e.g. RBC, SPC-2
    Transport protocols, e.g. SBP-2
    OHCI
    IEEE 1394
Fig. 1 Protocol stack of FireWire-based devices

The IEEE 1394 protocol mainly specifies the electrical and mechanical characteristics of the physical layer, and it also defines the link layer protocol of the FireWire bus. The OHCI (Open Host Controller Interface) standard specifies the implementation of the IEEE 1394 protocol on the host computer side. The transport protocols, such as SBP-2 (Serial Bus Protocol 2), define how commands and data are transferred over the FireWire bus. The device-type specific command sets, such as RBC (Reduced Block Commands) and SPC-2 (SCSI Primary Commands-2), define the commands that a device must implement.

To achieve the best performance, the IEEE 1394 protocol gives a target device the ability to access system memory directly, so that the host CPU is freed from handling large data transfers to or from system memory. According to the IEEE 1394 protocol, read and write packets are transferred from source nodes to destination nodes with a 64-bit destination address carried in the packet. The destination address consists of two parts: a 16-bit destination ID, made up of a 10-bit bus ID and a 6-bit node ID, and a 48-bit destination offset. The structure of a block read request packet is shown in Fig. 2.

The OHCI standard defines how the 48-bit destination offset is interpreted by the host controller. When the 48-bit offset is below the address stored in the Physical Upper Bound register, or below the default value 0x000100000000 if the Physical Upper Bound register is not implemented, the host OHCI controller interprets it as a physical memory address and performs a direct memory transfer using its Physical Response Unit. In this way the target device can address the host computer's system memory and perform both physical memory read and write transfers. By our testing and by reading the datasheets of different OHCI controllers, the Physical Upper Bound register is either unimplemented or has a default value of all zeros, which makes the OHCI controller take the default value 0x000100000000 as the physical upper bound. At this point the acquisition tool can already deal with Linux and Mac OS X based systems, but not Windows-based ones. Why? According to the OHCI standard, besides the Physical Upper Bound register there are two more registers that must be set correctly for physical read and write transfers to take effect. These two registers are PhysicalRequestFilterHi and PhysicalRequestFilterLo.
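As an added illustration (not code from the paper or its tool), the following Python encodes and decodes the IEEE 1394 asynchronous block read request header of Fig. 2 and models the two OHCI checks described above that decide whether an incoming request reaches the Physical Response Unit: the per-node PhysicalRequestFilter bit and the Physical Upper Bound, which defaults to 0x000100000000 when the register reads as zero. The field widths follow the IEEE 1394 header layout; the retry code and priority values used, and the mapping of filter bits to nodes (Lo covers nodes 0-31, Hi covers nodes 32-62), are assumptions of this example. The header CRC is generated by the link hardware and is omitted.

```python
import struct

TCODE_BLOCK_READ_REQUEST = 0x5
LOCAL_BUS_ID = 0x3FF                              # 10-bit bus ID meaning "this bus"
DEFAULT_PHYSICAL_UPPER_BOUND = 0x0001_0000_0000   # 4 GB: OHCI default when the register is absent/zero


def node_id16(bus_id, node):
    """16-bit destination/source ID: 10-bit bus ID followed by the 6-bit node number."""
    if not 0 <= bus_id < 1024 or not 0 <= node < 64:
        raise ValueError("bus ID is 10 bits, node number is 6 bits")
    return (bus_id << 6) | node


def block_read_request(dst_node, src_node, offset, length, tlabel=0, bus_id=LOCAL_BUS_ID):
    """Build the four header quadlets of an asynchronous block read request (tcode 5).
    Quadlet layout, bit 31 down to bit 0 (Fig. 2):
      q0: destination_ID(16) | tl(6) | rt(2) | tcode(4) | pri(4)
      q1: source_ID(16)      | destination_offset bits 47..32
      q2: destination_offset bits 31..0
      q3: data_length(16)    | extended_tcode(16)
    rt=1 (retry_X) and pri=0 are assumed values; the header CRC that follows q3 is
    produced by the link layer and is not part of this example."""
    if offset >> 48:
        raise ValueError("destination offset is 48 bits")
    if not 0 < length <= 0xFFFF:
        raise ValueError("data_length is 16 bits")
    q0 = ((node_id16(bus_id, dst_node) << 16) | ((tlabel & 0x3F) << 10)
          | (1 << 8) | (TCODE_BLOCK_READ_REQUEST << 4))
    q1 = (node_id16(bus_id, src_node) << 16) | ((offset >> 32) & 0xFFFF)
    q2 = offset & 0xFFFF_FFFF
    q3 = length << 16                 # extended_tcode is 0 for a block read request
    return struct.pack(">IIII", q0, q1, q2, q3)


def parse_request(packet):
    """Decode a 16-byte request header back into its fields (the host controller's view)."""
    q0, q1, q2, q3 = struct.unpack(">IIII", packet)
    return {
        "dst_bus": q0 >> 22, "dst_node": (q0 >> 16) & 0x3F,
        "tlabel": (q0 >> 10) & 0x3F, "tcode": (q0 >> 4) & 0xF,
        "src_bus": q1 >> 22, "src_node": (q1 >> 16) & 0x3F,
        "offset": ((q1 & 0xFFFF) << 32) | q2,
        "length": q3 >> 16,
    }


def ohci_route(packet, filter_hi, filter_lo, physical_upper_bound=0):
    """Decide where a host OHCI controller sends an incoming request.
    'physical'   -> Physical Response Unit: the offset is used as a *physical* address (DMA).
    'ar_request' -> AR Request DMA context: handed to the OS driver, which treats the offset
                    as a virtual address, so the requester never sees real physical memory.
    A zero physical_upper_bound models an unimplemented register (default 4 GB bound).
    Filter mapping (assumed): Lo bit n = node n (0..31), Hi bit n = node 32+n (32..62)."""
    req = parse_request(packet)
    node = req["src_node"]
    if node < 32:
        allowed = (filter_lo >> node) & 1
    elif node < 63:
        allowed = (filter_hi >> (node - 32)) & 1
    else:
        allowed = 0                   # node 63 is the broadcast ID, never a physical requester
    bound = physical_upper_bound or DEFAULT_PHYSICAL_UPPER_BOUND
    if allowed and req["offset"] < bound:
        return "physical"
    return "ar_request"
```

Two consequences a practitioner should draw from the model: a request for an offset at or beyond the 4 GB default bound is not rejected, it is silently diverted to the driver path and returns virtual-address data, and a host that never sets the filter bit for the attached node (or clears it on a bus reset, as described below) exposes nothing, whatever configuration ROM the attacker presents.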
    destination_ID (16) | tl (6) | rt (2) | tcode (4) | pri (4)
    source_ID (16)      | destination_offset, high 16 bits
    destination_offset, low 32 bits
    data_length (16)    | extended_tcode (16)
    header_CRC (32)
Fig. 2 Block read request packet format (each row is one quadlet, bit 31 on the left down to bit 0)

The 16-bit destination ID field contains the destination bus and node address, and the 48-bit destination offset is the address inside the target node. Each bit in the PhysicalRequestFilterHi and PhysicalRequestFilterLo registers is associated with one device node, identified by the 6-bit node ID in the source ID field of the request. When the associated bit is cleared to 0, the OHCI controller forwards the request to the Asynchronous Receive Request (AR Request) DMA context instead of the Physical Response Unit. The request is then processed by the associated device driver, which interprets the destination offset as a virtual memory address, so the target device cannot obtain the actual physical memory contents.

Fortunately, through the research of Adam Boileau, the physical DMA right can be obtained if the "target" device pretends to be an iPod or a hard disk. By presenting the configuration ROM of an iPod or a hard disk, the "target" device tricks the host computer into granting it the DMA right. But, through our research, this method is not very stable across different versions of Windows, because of the different implementations of the storage stack drivers such as disk.sys and partmgr.sys. Since the disk command set advertised in the configuration ROM is not actually implemented in the "target" device, it cannot respond to the commands the host sends it, and on some versions of Windows this causes those commands to be resent repeatedly, finally resulting in a bus reset with the associated bit in the PhysicalRequestFilterHi/Lo registers cleared to 0. This prevents the acquisition tool from working. To resolve this problem, the mandatory commands associated with the device type given in the configuration ROM should be implemented in the "target" device. The mandatory commands needed by a simplified direct-access device using the RBC command set are listed in Table 2.

Table 2 Commands that must be implemented by simplified direct-access devices

    Command name      Opcode  Referenced command set
    INQUIRY           12h     SPC-2
    MODE SELECT       15h     SPC-2
    MODE SENSE        1Ah     SPC-2
    READ              28h     RBC
    READ CAPACITY     25h     RBC
    START STOP UNIT   1Bh     RBC
    TEST UNIT READY   00h     SPC-2
    VERIFY            2Fh     RBC
    WRITE             2Ah     RBC
    WRITE BUFFER      3Bh     SPC-2
(Cells illegible in the scan are filled in from the SPC-2 and RBC standards: MODE SENSE(6) 1Ah, START STOP UNIT 1Bh, TEST UNIT READY 00h, and the command-set column for READ, START STOP UNIT and TEST UNIT READY.)

Now the acquisition tool can be attached to the host system and work stably. But there is still another problem in acquiring the whole subject system memory: since the length of the system memory is unknown, the acquisition tool does not know when to stop, and this may finally result in a BSoD when the tool tries to read addresses not mapped to system memory. So the memory length information must be obtained before the address runs past the end of system memory. For a subject system that is in a locked state, the only information available is the system memory itself, so the memory length information has to be worked out from the data stored in system memory.

On a Windows operating system, the system registry is made up of a number of binary files called hives; among these is a special one, the HARDWARE hive, which stores information about the hardware detected while the system was booting [10]. This hive exists only in system memory and can therefore be acquired by the FireWire-based acquisition tool. There is a registry value named .Translated under HKEY_LOCAL_MACHINE\HARDWARE\RESOURCEMAP\System Resources\Physical Memory in the HARDWARE hive that stores the base addresses and lengths of all memory segments. These memory segments can be accessed without problems because they are mapped to real physical memory. Figure 3 shows an example of the .Translated registry value and its contents: the Physical Address column shows the base addresses of the different memory segments, and the Length column shows the length of each segment. As an example, the 0x00001000 in the Physical Address column is the base address of the first memory segment and the 0x9e000 in the Length column is its length, so the address range of this segment is 0x00001000 to 0x0009efff. The first and last 4 KB of the first 640 KB of system memory below the UMA are not included in the first memory segment because they are used by the system BIOS (Basic Input/Output System) for interrupt vectors and data, but they can also be acquired without problems. So we can use a first memory segment covering 0x00000000 to 0x0009ffff. We use this fixed segment when we start the memory acquisition, because the memory segment information is still unknown at that stage. The second memory segment begins at 0x00100000; between the first two segments lies the UMA space. This space must be circumvented, otherwise it may cause a BSoD. Memory accesses to the PCI memory area should likewise be avoided, since that area is not mapped to system memory and may also cause a BSoD. So we just have to bypass the UMA space before we find the memory segment information. If the system has 4 GB (4 gigabytes) or more memory, the parts that overlap the PCI memory range or lie above it cannot be acquired because of the limitation of FireWire.
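As an added example (not the paper's tool), the following Python parses the binary .Translated value of HKLM\HARDWARE\RESOURCEMAP\System Resources\Physical Memory, which Windows stores as a CM_RESOURCE_LIST, and turns it into the list of address ranges a FireWire acquisition tool may read: the fixed 640 KB bootstrap segment first, the UMA and everything at or above the 4 GB default Physical Upper Bound excluded, and the legacy ISA hole at 0x00F00000-0x00FFFFFF (reported as a gap by the registry but backed by RAM on modern machines, as this section goes on to discuss) joined to its neighbours. The 16-byte partial-descriptor layout is the 32-bit Windows one visible in Fig. 4; 64-bit Windows uses a wider descriptor (assumed 20 bytes), so the size is a parameter. The sample value bytes are constructed for this example, not copied from the paper's figures.

```python
import struct

CM_RESOURCE_TYPE_MEMORY = 3             # CmResourceTypeMemory
FIREWIRE_LIMIT = 0x0001_0000_0000       # default OHCI Physical Upper Bound: nothing at/above 4 GB is reachable
BOOTSTRAP = (0x00000000, 0x000A0000)    # first 640 KB: safe to read before the segment map is known
UMA = (0x000A0000, 0x00100000)          # Upper Memory Area: not RAM, reading it can BSoD the target
ISA_HOLE = (0x00F00000, 0x01000000)     # legacy 15-16 MB ISA hole: listed as a gap, but backed by RAM today


def parse_translated(value, desc_size=16):
    """Parse a CM_RESOURCE_LIST (the .Translated value) into [(start, length), ...] memory segments.
    Layout (little-endian):
      ULONG Count                       -- number of CM_FULL_RESOURCE_DESCRIPTORs
      per full descriptor:
        ULONG InterfaceType, ULONG BusNumber,
        USHORT Version, USHORT Revision, ULONG Count   -- partial descriptors that follow
        per partial descriptor (desc_size bytes; 16 on 32-bit Windows as in Fig. 4):
          UCHAR Type, UCHAR ShareDisposition, USHORT Flags, ULONGLONG Start, ULONG Length"""
    segments = []
    off = 0
    (full_count,) = struct.unpack_from("<I", value, off)
    off += 4
    for _ in range(full_count):
        _iface, _bus, _ver, _rev, partial_count = struct.unpack_from("<IIHHI", value, off)
        off += 16
        for _ in range(partial_count):
            rtype, _share, _flags, start, length = struct.unpack_from("<BBHQI", value, off)
            off += desc_size
            if rtype == CM_RESOURCE_TYPE_MEMORY and length:
                segments.append((start, length))
    return segments


def acquisition_plan(segments):
    """Merge the bootstrap range with the registry segments into sorted, non-overlapping
    [start, end) ranges that are safe to read over FireWire. Ranges separated only by the
    ISA hole are joined; anything at or beyond FIREWIRE_LIMIT is clipped or dropped.
    The UMA is never covered because no segment (and not the bootstrap range) includes it."""
    ranges = [list(BOOTSTRAP)]
    for start, length in sorted(segments):
        end = min(start + length, FIREWIRE_LIMIT)
        if start >= end:
            continue                                   # entirely above what FireWire can reach
        ranges.append([start, end])
    ranges.sort()
    merged = [ranges[0]]
    for start, end in ranges[1:]:
        prev = merged[-1]
        gap_is_isa_hole = prev[1] <= start and prev[1] >= ISA_HOLE[0] and start <= ISA_HOLE[1]
        if start <= prev[1] or gap_is_isa_hole:
            prev[1] = max(prev[1], end)
        else:
            merged.append([start, end])
    return [(s, e) for s, e in merged]


def dma_requests(ranges, max_payload=2048):
    """Split the plan into (offset, length) block read requests; 2048 bytes is the largest
    asynchronous payload at S400, so a whole range is read as a sequence of such requests."""
    for start, end in ranges:
        addr = start
        while addr < end:
            n = min(max_payload, end - addr)
            yield addr, n
            addr += n


def _descriptor(start, length):
    return struct.pack("<BBHQI", CM_RESOURCE_TYPE_MEMORY, 0, 0, start, length)


# Constructed sample .Translated value (not the bytes of Fig. 4): one full descriptor,
# Internal interface, bus 0, Version 1 / Revision 1, and four memory segments as a 5 GB
# machine would report them: below 640 KB, 1 MB..15 MB, 16 MB..3 GB and 4 GB..5 GB.
SAMPLE_TRANSLATED = (
    struct.pack("<I", 1)
    + struct.pack("<IIHHI", 0, 0, 1, 1, 4)
    + _descriptor(0x00001000, 0x0009E000)
    + _descriptor(0x00100000, 0x00E00000)
    + _descriptor(0x01000000, 0xBF000000)
    + _descriptor(0x1_0000_0000, 0x40000000)
)

if __name__ == "__main__":
    for s, e in acquisition_plan(parse_translated(SAMPLE_TRANSLATED)):
        print(f"read 0x{s:09x}-0x{e - 1:09x} ({(e - s) >> 20} MB)")
```

Run stand-alone it prints two ranges: 0x000000000-0x00009ffff and 0x000100000-0x0bfffffff. The UMA is skipped, the ISA hole is read through, and the 4 GB..5 GB segment is dropped, which is exactly the memory the paper says FireWire cannot reach.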
In traditional computers, the memory space 0x00F00000-0x00FFFFFF may be used by some ISA cards and is not mapped to physical memory; this creates a memory hole. To stay compatible with traditional computers, modern operating systems still maintain this memory hole even when there are no ISA cards in the computer and the space is in fact backed by physical memory. So this hole can be neglected, because it does not really exist. The next segment, beginning at 0x01000000, contains all the rest of the physical memory below the PCI memory range; usually the memory segment information itself is located in this segment.

Fig. 3 Memory segment information contained in the .Translated registry value (screenshot of the resource-list dialog: Physical Address and Length columns, Interface Type: Internal, Bus Number: 0)

The .Translated registry value data, as stored in physical memory in binary form, is shown in Figure 4. So we can either search memory for the character string ".Translated" to locate the value, or use the method provided by [10] to extract this registry value data from system memory.

Fig. 4 Binary memory segment information stored in system memory (hex dump showing the value name ".Translated" followed by the descriptor data)

Then we can use the acquired information to generate the base address and length of each memory segment. In this way we never enter address spaces that are not mapped to physical memory, and the acquisition tool can work without crashing the target system.

IV. FUTURE WORK

Although the OHCI protocol supports physical DMA to memory above 4 GB if the Physical Upper Bound register is set properly, most OHCI controllers do not support memory addresses longer than 32 bits, because the Physical Upper Bound register is not implemented in them. So the amount of memory that FireWire-based acquisition tools can acquire is no more than 4 GB. Modern computers have ever more memory: many now have more than 4 GB, and modern operating systems are already capable of supporting them. So, how can memory above 4 GB be acquired, and how can memory be acquired more rapidly? FireWire is not dependable because of these limitations, so substitute ways of resolving these problems have to be found. The PCI Express bus, a serial successor to the widely used parallel PCI bus, has many new characteristics, such as hot-plug support and support for 64-bit memory addresses. The PCI Express bus is accessible from outside a notebook through an ExpressCard slot, and inserting a PCI Express add-in card into a "live" desktop or server may also be workable. So we think PCI Express-based memory acquisition tools may be the next step in hardware-based memory acquisition and will become available in the near future. Furthermore, because memory contents keep changing while the acquisition tool is working, the consistency of the acquired data is not guaranteed. If the target system could be halted before acquisition begins, the consistency of the memory data would be preserved, so methods of halting the target machine deserve further research.

V. CONCLUSIONS

In this paper we discussed FireWire-based memory acquisition methodologies and gave a method for obtaining the memory segment information from the Windows registry in order to avoid accessing address spaces that are not mapped to physical memory. We have built a proof-of-concept tool based on these methods; it can now deal with Linux, Mac OS X and almost all versions of Windows newer than Windows XP SP[illegible in the scan]. But because of the limitations of FireWire, memory above 4 GB cannot be acquired and the acquisition speed is relatively low, so substitute ways such as the PCI Express bus should be considered in future work.

Acknowledgements

This work is supported by the National Natural Science Foundation of China (61070163) and the Shandong Natural Science Foundation (2008G35...).

References

[1] CASEY E. The Impact of Full Disk Encryption on Digital Forensics [J]. ACM SIGOPS Operating Systems Review, 2008, 42(3): 93-98.
[2] BROWN C L T. Computer Evidence: Collection & Preservation [M]. Hingham, MA: Charles River Media, 2005.
[3] RUFF N. Windows Memory Forensics [J]. Journal in Computer Virology, 2008, 4(2): 83-100.
[4] HAY B, BISHOP M, NANCE K. Live Analysis: Progress and Challenges [J]. IEEE Security and Privacy, 2009, 7(2): 30-37.
[5] RUTKOWSKA J. Beyond the CPU: Defeating Hardware Based RAM Acquisition Tools (Part I: AMD case) [EB/OL]. (2010-3). http://invisiblethings.org/papers/cheating-hardware-memory-acquisition-updated.ppt
[6] CARRIER B, GRAND J. A Hardware-based Memory Acquisition Procedure for Digital Investigations [J]. Digital Investigation, 2004, 1(1): 50-60.
[7] DORNSEIF M. FireWire - All Your Memory Are Belong to Us [EB/OL]. http://md.hudora.de/presentations/
[8] BOILEAU A. Hit by a Bus: Physical Access Attacks with Firewire [EB/OL]. (2010-3). http://www.security-assessment.com/files/presentations/ab_firewire_rux2k6-final.pdf
[9] VIDSTROM A. Upper Memory Area Memory Dumping over Firewire - UMA Issues [EB/OL]. (2010-3). http://ntsecurity.nu/onmymind/2006/2006-09-02.html
[10] DOLAN-GAVITT B. Forensic Analysis of the Windows Registry in Memory [J]. Digital Investigation, 2008, 5(S1): S26-S32.

Biographies

Zhang Lei, male, received his M.S. degree in Control Theory and Control Engineering from the School of Control Science and Technology, Shandong University, in 2005. Currently he is a Research Assistant at Shandong Computer Science Center. His research interests are mainly information security, computer forensics and hardware-based memory acquisition.

Wang Lianhai, male, is a Professor at Shandong Computer Science Center and a master's supervisor. He is an Outstanding Contributions Expert of Shandong Province and receives a special allowance from the national government. His research interests include information security, live forensics, memory analysis and mobile forensics.

Zhang Ruichao, male, received a Ph.D. in applied mathematics from Beijing Institute of Technology; now he is an Associate Professor at Shandong Computer Science Center. His research interests include information security, cryptographic algorithms and computer forensics.

Zhang Shuhui, female, received her M.S. degree from Shandong University; now she is a Research Associate at Shandong Computer Science Center. Her research interests are mainly computer forensics, memory analysis and password deciphering.

Zhou Yung, male, received his M.S. degree from Shandong University of Science and Technology; now he is a Research Assistant at Shandong Computer Science Center. His main research areas are network security, intrusion detection and computer forensics.

Uploaded 2011-11-28 (5.83 MB).