Title: Forensic implications of using the FireWire memory exploit with Microsoft Windows XP
Authors: Andrew Woodward, Peter Hannay
This paper examined the forensic implications of using the FireWire direct memory access function with Windows XP. If a direct connection can be made to a computer running Windows XP, then the password can be bypassed and direct access to files on the computer can be gained. It was found that EFS protected files could not be viewed after running the tool. In addition, a console can be opened with high level privileges to run other commands. The tool used for this procedure also allows for a memory dump to be taken. Circumventing passwords is of benefit to forensic investigators as it saves time. The memory dump has potential to reveal keys or other passwords that may protect encrypted data. There may be issues in terms of admissibility of any information gained using the memory dump as there is no effective way to hash the memory.
Files: Full Paper (PDF)