Forensic implications of using the firewire memory exploit with Microsoft Windows XP

Document Type

Conference Proceeding

Publisher

CSREA Press

Faculty

Faculty of Computing, Health and Science

School

School of Computer and Information Science / Centre for Security Research

RAS ID

5879

Comments

Woodward, A., & Hannay, P. (2008). Forensic Implications of Using the Firewire Memory Exploit with Microsoft Windows XP. In Security and Management (pp. 593-597).

Abstract

This paper examined the forensic implications of using the FireWire direct memory access function with Windows XP. If a direct connection can be made to a computer running Windows XP, then the password can be bypassed and direct access to files on the computer can be gained. It was found that EFS-protected files could not be viewed after running the tool. In addition, a console can be opened with high-level privileges to run other commands. The tool used for this procedure also allows for a memory dump to be taken. Circumventing passwords is of benefit to forensic investigators as it saves time. The memory dump has the potential to reveal keys or other passwords that may protect encrypted data. There may be issues in terms of admissibility of any information gained using the memory dump, as there is no effective way to hash the memory.
