Direct Memory Access for Bypassing Passwords

This week I talk about DMA (direct memory access) exploits as a technique to bypass the passwords of a live system in order to conduct imaging – with legal authority of course.

Show Notes

DMA as a Forensic Helper

Direct Memory Access (DMA) exploitation works over FireWire (IEEE 1394), Thunderbolt, ExpressCard, PC Express Card and other PCI interfaces. Commonly an operating system protects RAM from processes it considers potentially malicious (which is how forensic collection tools often look to it); however, hardware that uses DMA may be able to bypass these protections, because DMA transfers go straight to physical memory without passing through the CPU's process-isolation checks.

Forensic Value

With proper legal authority, if you have a live system that is powered on but locked (i.e. you are staring at a login prompt) and you suspect the volume is encrypted with BitLocker, FileVault 2 (OS X) or another full-disk encryption product, there are techniques an examiner may use to bypass the password and access the system as if they knew it. This then allows logical imaging and RAM extraction for further analysis.
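The flip side of the technique above is the question a defender (or an examiner sizing up a target box) asks first: is this host actually open to DMA from a hot-plugged device? The script below is an added example written for these notes, not code from the show or from any of the tools linked. It is a read-only check of the standard Linux mitigations: whether an IOMMU (Intel VT-d / AMD-Vi) is enabled and has populated /sys/kernel/iommu_groups, what security level each Thunderbolt domain is set to, and whether the FireWire OHCI driver is loaded with unfiltered physical DMA (its remote_dma parameter) turned on. The sysfs and procfs paths and parameter names are the real kernel ones; the sample inputs at the bottom are constructed for demonstration.

```python
"""
Added example: read-only check of Linux mitigations against hot-plug DMA attacks
(FireWire/1394, Thunderbolt, ExpressCard/PCIe).  Paths and parameter names are
the standard kernel ones; SAMPLE_* values below are constructed for the demo.
"""
import re
from pathlib import Path
from typing import Iterable, Mapping

# Boot parameters that switch the IOMMU on/off or into passthrough mode.
IOMMU_PARAM = re.compile(r"\b(intel_iommu|amd_iommu|iommu)=(\S+)")


def parse_cmdline(cmdline: str) -> dict:
    """Extract the IOMMU-related boot parameters from /proc/cmdline as {name: value}."""
    return dict(IOMMU_PARAM.findall(cmdline))


def assess(cmdline: str, iommu_groups: Iterable[str],
           tb_security: Mapping[str, str], loaded_modules: Iterable[str],
           firewire_remote_dma: str = "N") -> list:
    """Return findings as (severity, message) tuples; an empty list means nothing was flagged."""
    findings = []
    params = parse_cmdline(cmdline)
    modules = set(loaded_modules)

    # 1. IOMMU.  Disabled on the command line is the clearest failure, but even
    #    "on" means nothing unless the kernel actually created iommu groups.
    if "off" in (params.get("iommu"), params.get("intel_iommu"), params.get("amd_iommu")):
        findings.append(("HIGH", "IOMMU disabled on the kernel command line; any PCIe/Thunderbolt "
                                 "device can read and write all of RAM"))
    elif not any(name.isdigit() for name in iommu_groups):
        findings.append(("HIGH", "no entries in /sys/kernel/iommu_groups: DMA remapping is not active "
                                 "(check the firmware VT-d/AMD-Vi setting and intel_iommu=on)"))
    elif params.get("iommu") == "pt":
        findings.append(("INFO", "iommu=pt: kernel-owned devices are identity-mapped; confirm that "
                                 "externally attached devices still get an isolated domain"))

    # 2. Thunderbolt security level per domain (none|user|secure|dponly|usbonly|nopcie).
    for domain, level in tb_security.items():
        if level == "none":
            findings.append(("HIGH", f"{domain}: Thunderbolt security level 'none'; hot-plugged "
                                     "devices get PCIe access without authorization"))
        elif level == "user":
            findings.append(("INFO", f"{domain}: Thunderbolt security level 'user'; PCIe access "
                                     "only after manual device authorization"))

    # 3. FireWire.  firewire_ohci filters physical DMA unless loaded with
    #    remote_dma=Y; an unused port is best blacklisted regardless.
    if "firewire_ohci" in modules:
        if firewire_remote_dma.strip().upper() == "Y":
            findings.append(("HIGH", "firewire_ohci loaded with remote_dma=Y: attached 1394 devices "
                                     "can perform unfiltered physical DMA"))
        else:
            findings.append(("INFO", "firewire_ohci loaded (remote_dma=N); blacklist it if the "
                                     "1394 port is unused"))
    return findings


def _read(path: str, default: str = "") -> str:
    """Read a sysfs/procfs file, returning `default` when it does not exist."""
    try:
        return Path(path).read_text().strip()
    except OSError:
        return default


def collect_live() -> list:
    """Gather the same inputs from the running Linux host and assess them."""
    groups = [p.name for p in Path("/sys/kernel/iommu_groups").glob("*")]
    tb = {p.parent.name: _read(str(p))
          for p in Path("/sys/bus/thunderbolt/devices").glob("domain*/security")}
    modules = [line.split()[0] for line in _read("/proc/modules").splitlines() if line]
    return assess(_read("/proc/cmdline"), groups, tb, modules,
                  _read("/sys/module/firewire_ohci/parameters/remote_dma", "N"))


# Constructed sample: a laptop booted with the IOMMU off, an open Thunderbolt
# domain and FireWire physical DMA enabled (the worst case for the owner).
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/mapper/root ro quiet intel_iommu=off"
SAMPLE_GROUPS: list = []                      # nothing under /sys/kernel/iommu_groups
SAMPLE_TB_SECURITY = {"domain0": "none"}
SAMPLE_MODULES = ["firewire_ohci", "firewire_core", "thunderbolt", "xhci_pci"]

if __name__ == "__main__":
    for severity, message in assess(SAMPLE_CMDLINE, SAMPLE_GROUPS,
                                    SAMPLE_TB_SECURITY, SAMPLE_MODULES, "Y"):
        print(f"[{severity}] {message}")
```

Run it as-is to see the three HIGH findings for the constructed sample, or call `collect_live()` on a real machine; the assessment logic is kept separate from the file reads so the same checks can be run against values pulled from a forensic image of the target's /proc and /sys.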

Tools & Techniques Mentioned

DMA: https://en.wikipedia.org/wiki/Direct_memory_access

Inception: http://www.breaknenter.org/projects/inception/

Mac OS X FileVault 2 Password Retrieval: http://blog.frizk.net/2016/12/filevault-password-retrieval.html?m=1

PCILeech: https://github.com/ufrisk/pcileech


SDF Training Class of the Week

RAM Extraction Fundamentals: learn the nuances of collecting memory from a live system.