Sunday, March 9, 2008

McGrew Security RAM Dumper - Creating bootable USB drives for capturing the contents of memory

McGrew Security RAM Dumper: Tool for Capturing Information in Memory.


Overview
A short while back, a paper was published by researchers at Princeton University, in which they talk about the process of recovering encryption keys out of memory after a cold boot. This was surprising to many people, as most just assume that, since RAM is volatile storage, it is erased when power is removed. This is an incorrect assumption.
When the idea of memory retaining state for a short time was first brought to my attention a little over a year ago, I ran a few experiments similar to this one, just to prove it to myself. The desktop machines I tried would hold state for anywhere between 5 and 10 seconds without power, whereas my laptop, with no battery or wall power, would maintain state for an amazing 10 minutes. I used a Linux bootable CD to get an image of memory from a Windows machine to data carve, and found some interesting things. The footprint for the Linux OS was huge, though, and this interfered with my ability to capture as much memory from the previously running operating system as possible.
The Princeton researchers applied this method to the recovery of encryption keys, with great results. They also cooked up a way to image the contents of RAM with a very small footprint, only overwriting a small amount of memory in the process. Unfortunately, at the time of writing this, their tool, ram2usb, hasn't been released. I decided that it wouldn't be hard to go ahead and implement one myself, based on their paper and the YouTube video posted above, so that I (and others) can go ahead and start having fun.
So, as a small side project, I've written "msramdmp", the McGrew Security RAM Dumper. Enjoy!

Download
  • msramdmp.tar.gz - The compiled com32 executable, ready for use with SysLinux. Also, the C source code is included, along with some things needed to compile and link it properly.
    This version fixes a bug where the first section of memory wasn't being dumped correctly. Redownload if you downloaded this before 2:00PM March 5th, 2008.

  • syslinux-3.61.tar.gz - This is the exact version of SysLinux that I'm using here. You'll need this to prepare a USB drive for capturing RAM, and to compile modifications to the msramdmp source.
