Direct Memory Access for Bypassing Passwords
This week I talk about DMA (direct memory access) exploits as a technique for bypassing the password of a live system in order to image it – with legal authority, of course.
DMA as a Forensic Helper
Direct Memory Access (DMA) exploitation works over FireWire (IEEE 1394), Thunderbolt, Express Card, PC Express Card and other PCI interfaces. An operating system commonly protects RAM from processes it perceives as malicious (which, from its point of view, includes forensic collection tools); however, DMA lets a peripheral read and write system memory directly, so hardware that uses it may be able to bypass these protections.
With proper legal authority, if you have a live system that is powered on but you are locked out (i.e. staring at a login prompt) and you fear the volume is encrypted with BitLocker, FileVault 2 (OS X) or other full-disk encryption, there are techniques an examiner may use to bypass the password and access the system as if they knew it. This then allows logical imaging and RAM extraction for further analysis.
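As an added example (not the post's own tooling), a small POSIX shell audit of whether a Linux host still exposes the DMA paths discussed above: an active IOMMU, the firewire-ohci driver, and Thunderbolt's domain security level and per-device authorization, all read from sysfs. The sysfs root is a parameter so the checks can be run against a constructed tree; the paths and attribute names are the Linux kernel's and are assumed present on a modern distribution.

```shell
# Audit a Linux host's exposure to DMA over FireWire/Thunderbolt/PCIe by
# reading sysfs. ROOT is a parameter so the checks also run on a fake tree.

# 1 if an IOMMU is active (the kernel populated iommu_groups), else 0
iommu_active() {
  root="${1:-}"
  for g in "$root"/sys/kernel/iommu_groups/*/; do
    if [ -d "$g" ]; then echo 1; return; fi
  done
  echo 0
}

# 1 if the firewire-ohci driver is loaded (an IEEE 1394 DMA path exists)
firewire_ohci_loaded() {
  root="${1:-}"
  if [ -d "$root/sys/module/firewire_ohci" ]; then echo 1; else echo 0; fi
}

# Thunderbolt domain0 security level: none|user|secure|dponly|usbonly|nopcie
# ('none' means any plugged-in device gets PCIe, and therefore DMA, access)
tb_security_level() {
  root="${1:-}"
  f="$root/sys/bus/thunderbolt/devices/domain0/security"
  if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# number of Thunderbolt devices still blocked (authorized attribute = 0)
tb_unauthorized_count() {
  root="${1:-}"
  n=0
  for f in "$root"/sys/bus/thunderbolt/devices/*/authorized; do
    [ -r "$f" ] || continue
    if [ "$(cat "$f")" = 0 ]; then n=$((n + 1)); fi
  done
  echo "$n"
}

dma_posture_report() {
  root="${1:-}"
  printf 'iommu_active=%s firewire_ohci_loaded=%s tb_security=%s tb_blocked_devices=%s\n' \
    "$(iommu_active "$root")" "$(firewire_ohci_loaded "$root")" \
    "$(tb_security_level "$root")" "$(tb_unauthorized_count "$root")"
}

# Constructed sysfs tree: IOMMU on, FireWire driver loaded, one Thunderbolt
# device still blocked under the 'user' security level.
DEMO_ROOT=$(mktemp -d)
mkdir -p "$DEMO_ROOT/sys/kernel/iommu_groups/0" "$DEMO_ROOT/sys/module/firewire_ohci" \
  "$DEMO_ROOT/sys/bus/thunderbolt/devices/domain0" "$DEMO_ROOT/sys/bus/thunderbolt/devices/0-1"
echo user > "$DEMO_ROOT/sys/bus/thunderbolt/devices/domain0/security"
echo 0 > "$DEMO_ROOT/sys/bus/thunderbolt/devices/0-1/authorized"
dma_posture_report "$DEMO_ROOT"   # the constructed host
dma_posture_report                # the real host, when run on Linux
```

A host reporting iommu_active=0 with the FireWire driver loaded, or tb_security=none, is the kind of machine on which the technique described above is feasible.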
Tools & Techniques Mentioned
Mac OS X FileVault 2 Password Retrieval: http://blog.frizk.net/2016/12/filevault-password-retrieval.html?m=1