Memory Forensics over the IEEE 1394 Interface

The IEEE 1394 “FireWire” interface provides a means for acquiring direct memory access. We discuss how this can be used to perform live memory forensics on a target system. We also present libforensic1394, an open-source software library designed especially for this purpose. Passive and active applications of live memory forensics are analysed. Memory imaging techniques are discussed at length. It is demonstrated how the interface can be used both to dump the memory of a live system and to compromise contemporary operating systems.

The following paper was written in August 2010 to serve as a complete, up-to-date reference on 1394 memory forensics.

libforensic1394

While investigating the IEEE 1394 interface it quickly became apparent that existing libraries were unsuitable for performing memory forensics. The author therefore developed libforensic1394 specifically for the purpose.

Common Questions and Misconceptions

In the course of conducting preliminary research into the topic several common misconceptions were identified, especially among bloggers.

The USB interface can also be used for forensics.
The USB bus provides no means for acquiring direct memory access to the host system. This is not to say that specific implementations of the interface cannot be exploited. As with any piece of software, it is possible that a USB stack will contain code which can be exploited by a malicious device. The difference is that these exploits are bugs as opposed to design features.
Once an attacker has physical access to a system “all bets are off”.
This is not and should not be the case; countermeasures such as local logon passwords and disk encryption exist for this very reason! While it is true that securing a system against physical access attacks is more difficult, it is by no means futile.

Revision History

2010-09-07 Public release
Document ID: de4e0555d1274debcdc2ce6a574f2cd5
Squished a few minor typos.
2010-09-04 Second public draft
Document ID: c1c615827b7647933e5a3d00668d6183
Enhanced benchmarks; expanded conclusion; added acknowledgements; improved code listings. Minor typographical enhancements.
2010-08-28 First public draft
Document ID: 624c832fb523888ddfdfcae8d425e00c
Mostly complete although the conclusion could be expanded upon.

Colophon

Typeset in LaTeX using the article class from the KOMA-Script bundle. The text font is Times Roman; the heading font is Helvetica, both from the txfonts package; Inconsolata is used as the code font. All of the figures/illustrations were produced using TikZ.