Title: Firewire Forensics in Modern Operating Systems
Authors: Peter Hannay, Andrew Woodward
This research looked at whether the FireWire direct memory access function tool would work with three modern Windows operating systems. The tool requires local access to the PC and allows the logon to be bypassed, and also allows for memory dumping to be performed on the target computer. It was found that Windows XP allowed for full access and memory dumping, while Windows Vista and Windows 7 allowed for memory dumping only. The inability to unlock the two newer operating systems appears to be a product of a change in memory location of the target data, rather than a fix. This has implications for digital forensics in that keys to some encryption programs can be found in memory.
Files: Full Paper (PDF)