Memory Forensics over the IEEE 1394 Interface
The IEEE 1394 “FireWire” interface provides a means
for acquiring direct memory access. We discuss how this can be
used to perform live memory forensics on a target system. We also
present libforensic1394, an open-source software library
designed especially for this purpose. Passive and active
applications of live memory forensics are analysed. Memory imaging
techniques are discussed at length. It is demonstrated how the
interface can be used both to dump the memory of a live system and
to compromise contemporary operating systems.
The following paper was written in August 2010 to serve as a
complete, up-to-date reference on 1394 memory forensics.
While investigating the IEEE 1394 interface it quickly became
apparent that existing libraries were unsuitable for performing
memory forensics. The author therefore developed libforensic1394
specifically for the purpose.
Common Questions and Misconceptions
In the course of conducting preliminary research into the topic,
several common misconceptions were identified, especially among
- The USB interface can also be used for forensics.
  - The USB bus provides no means for acquiring direct memory
    access to the host system. This is not to say that specific
    implementations of the interface cannot be exploited. As with
    any piece of software, it is possible that a USB stack will
    contain code which can be exploited by a malicious device. The
    difference is that these exploits are bugs as opposed to design
    features.
- Once an attacker has physical access to a system “all bets
  - This is not and should not be the case; countermeasures such as
    local logon passwords and disk encryption exist for this very
    reason! While it is true that securing a system against
    physical access attacks is more difficult, it is by no
- 2010-09-07 Public release
  - Squashed a few minor typos.
- 2010-09-04 Second public draft
  - Enhanced benchmarks; expanded conclusion; added
    acknowledgements; improved code listings. Minor typographical
- 2010-08-28 First public draft
  - Mostly complete, although the conclusion could be expanded.
Typeset in LaTeX using the article class from the KOMA-Script
bundle. The text font is Times Roman; the heading font is
Helvetica, both from the txfonts package; Inconsolata is
used as the code font. All of the figures/illustrations were
produced using TikZ.