Paper: “Forensic implications of using the FireWire memory exploit with Microsoft Windows XP”

Title: Forensic implications of using the FireWire memory exploit with Microsoft Windows XP

Authors: Andrew Woodward, Peter Hannay

Abstract
This paper examined the forensic implications of using the FireWire direct memory access function with Windows XP. If a direct connection can be made to a computer running Windows XP, then the password can  be bypassed and direct access to files on the computer can be gained. It was found that EFS protected files could not be viewed after running the tool. In addition, a console can be opened with high level privileges to run other commands. The tool used for this procedure also allows for a memory dump to be taken. Circumventing passwords is of benefit to  forensic investigators as it saves time. The memory dump has potential to reveal keys or other passwords that may protect encrypted data. There may be issues in terms of admissibility of any information gained using the memory dump as there is no effective way to hash the memory.

Files: Full Paper (PDF)

This entry was posted in forensics, paper. Bookmark the permalink.