better. All tools leave traces and potentially destroy certain
evidence. The less this occurs, the better.
3. Portability. Memory dumping tools must be portable
and ready to run from an investigator-provided device (e.g.
USB flash drive or a network location). Tools requiring
installation are inadmissible for obvious reasons.
4. Read-only access. Finally, any sane forensic tool will never write anything onto the disk of the computer being
analyzed, nor create or modify Registry values, etc.
Consequences of Choosing the Wrong Tool
Many types of computer games, chat rooms, encryption
programs, and malware are known to use some sort of
anti-dumping protection. In mild scenarios (e.g. commercial products and games), an attempt to read a protected
memory area will simply return empty or garbage data
instead of the actual information.
In worst-case scenarios, an anti-debugging system detecting
an attempt to read protected memory areas may take measures
to destroy affected information and/or cause a kernel mode
failure, locking up the computer and making further analysis
impossible. This is what typically happens if a user-mode volatile memory analysis tool is used to dump content protected
with a kernel-mode anti-debugging system.
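The "empty or garbage data" symptom described above is something an investigator can check for after the fact. The following Python triage script is an added illustration (it is not code from the article or from Belkasoft's products): it classifies each page of a dump as zero-filled, high-entropy garbage, or ordinary data, and merges consecutive suspicious pages into regions worth a second look. The 4 KiB page size, the 7.5 bits/byte threshold and the constructed six-page sample dump are assumptions made for the example.

```python
import math
import random
from collections import Counter

PAGE_SIZE = 4096          # assumed page granularity for triage
GARBAGE_THRESHOLD = 7.5   # assumed: bits/byte above which a page looks random

def page_entropy(page):
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not page:
        return 0.0
    n = len(page)
    return -sum(c / n * math.log2(c / n) for c in Counter(page).values())

def classify_page(page, high=GARBAGE_THRESHOLD):
    """'zero' for an all-zero page, 'garbage' for near-random bytes, else 'data'."""
    if not any(page):
        return "zero"
    return "garbage" if page_entropy(page) >= high else "data"

def triage_dump(dump, page_size=PAGE_SIZE):
    """Classify every page of the dump; returns [(offset, kind), ...]."""
    return [(off, classify_page(dump[off:off + page_size]))
            for off in range(0, len(dump), page_size)]

def suspicious_regions(dump, page_size=PAGE_SIZE):
    """Merge consecutive zero/garbage pages into (start, end, kind) ranges."""
    regions = []
    for off, kind in triage_dump(dump, page_size):
        if kind == "data":
            continue
        if regions and regions[-1][2] == kind and regions[-1][1] == off:
            regions[-1] = (regions[-1][0], off + page_size, kind)
        else:
            regions.append((off, off + page_size, kind))
    return regions

def summarize(dump, page_size=PAGE_SIZE):
    """Page counts per class, e.g. {'data': 2, 'zero': 2, 'garbage': 2}."""
    return dict(Counter(kind for _, kind in triage_dump(dump, page_size)))

# Constructed six-page sample dump: data, zero, zero, garbage, garbage, data.
_rng = random.Random(7)

def _random_page():
    return bytes(_rng.getrandbits(8) for _ in range(PAGE_SIZE))

_data_page = (b"Session: user=alice pid=4120 image=explorer.exe\n" * 100)[:PAGE_SIZE]
SAMPLE_DUMP = (_data_page + bytes(PAGE_SIZE) * 2
               + _random_page() + _random_page() + _data_page)

if __name__ == "__main__":
    for start, end, kind in suspicious_regions(SAMPLE_DUMP):
        print(f"{kind:>7} region {start:#08x}-{end:#08x} "
              f"({(end - start) // PAGE_SIZE} pages)")
```

High entropy is also what legitimately compressed or encrypted data looks like, and zero pages are common in any dump, so the regions are a cue to compare against the expected layout of the target (loaded modules, heaps of the protected process), not proof that a read was intercepted.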
The FireWire Attack
One technique in particular allows capturing the computer's RAM without running anything foreign on the system. This technique works even if the computer is locked, or if no user is logged on. The FireWire attack method [1] is based on a known security issue that affects FireWire / i.LINK / IEEE 1394 links. One can directly acquire the computer's operating memory (RAM) by connecting through a FireWire link.
What makes it possible is a feature of the original FireWire/IEEE 1394 specification allowing unrestricted access to a PC's physical memory for external FireWire devices via Direct Memory Access (DMA). Because this is DMA, the exploit works regardless of whether the target PC is locked or even logged on. There is no way to protect a PC against this except explicitly disabling the FireWire drivers. The vulnerability exists as long as the system is running.
Multiple tools are available to carry out this attack.
Note that the use of this technique has certain requirements. It either requires that the computer has a FireWire port with working FireWire drivers installed (and not disabled) in the system, or it makes use of a hot-pluggable device adding FireWire connectivity to computers without one. For example, a PCMCIA/CardBus/ExpressCard slot in a laptop can be used to insert one of the popular FireWire add-on cards. There is a high probability that the operating system will automatically load the driver for that card, allowing the attacker to use the card to perform a FireWire attack.
Some sources even describe techniques using an iPhone as a FireWire capturing device! [3]
The “Freezer Attack” on Scrambled Smartphones
An ordinary household freezer has been successfully used to attack an encrypted smartphone's memory content after the phone has been turned off. [2]
After the release of Android 4.0, smartphones running the new OS gained the ability to encrypt (scramble) data stored on user partitions. This security feature protects users' information against attacks that bypass screen locks.
Disk decryption keys are stored in the phone's volatile memory and can be retrieved by performing a cold boot, as demonstrated by German researchers. The idea is that cooling the smartphone to a low temperature (about -15 degrees Celsius) slows down the process by which RAM contents fade away. The cooled-down phone is then reset into “fastboot” mode and connected to a PC running the custom-developed FROST “fastboot” software. The software allows searching for volume decryption keys, performing a RAM memory dump, and cracking screen lock keys (4-digit PINs only).
Tools for Analyzing Memory Dumps
At this time, no single forensic tool can extract all possible
artifacts from a memory dump. Different tools are used to
analyze chat remnants, lists of running processes, or extract
decryption keys for encrypted volumes mounted at the
time of the capture.
1. The FireWire attack method existed for many years, but for some reason it's not widely known. This method is described in detail in many sources such as www.securityresearch.at/publications/windows7_firewire_physical_attacks.pdf or www.hermann-uwe.
2. FROST: Forensic Recovery Of Scrambled Telephones www1.
3. Physical memory attacks via Firewire/DMA - Part 1: Overview and Mitigation (Update) | Uwe Hermann www.hermann-uwe.
Yuri Gubanov is the Founder and CEO of Belkasoft. Yuri
is also the author of f-interviews.com, a blog where he takes
interviews with key persons in the digital forensics and security
Oleg Afonin is Belkasoft’s sales and marketing director. He is
an expert and consultant in computer forensics.