>> In the previous lecture, we introduced several memory acquisition and analysis tools.
In this video, I want to show you one interesting and unconventional memory dump approach, called the cold boot attack.
In the scenario of a live suspect machine with full disk encryption, if you do not have the passphrase to log into the system, there is no way to start an investigation.
Since the system is still on, can we dump its memory without logging into the system, and then possibly extract the encryption keys from that memory?
To do that, we cold boot the running computer and reboot it from a USB drive whose boot image dumps the contents of RAM back onto the USB drive.
Cold booting refers to turning the computer's power off and then on again quickly, without letting the operating system shut down cleanly.
Will that work?
Researchers from Princeton University found that RAM is not completely erased the moment it loses power: the contents decay gradually, over seconds to a minute at normal operating temperature.
If you use compressed-air cans to cool the memory modules before cutting power, the decay slows dramatically, and some memory contents remain readable for several minutes, or even up to a couple of hours, after power has been removed.
These researchers also developed a toolkit to dump memory and extract encryption keys from the dump.
A small bootable image called scraper.bin is used to copy the computer's memory onto a USB drive.
Then a utility called usbdump reads that RAM image from the USB drive onto your forensics system.
They also developed aeskeyfind and rsakeyfind, which search the memory image for AES and RSA keys; rather than looking for raw key bytes, they look for the in-memory structures a running cipher leaves behind (the expanded AES key schedule, or RSA private-key components that satisfy the expected relations), which is what makes the search possible even when a few bits have decayed.
Here is the USB-based cold boot attack process.
First, copy the scraper.bin boot image onto your USB drive with the dd command.
Then set the suspect machine's BIOS so that the USB drive has boot priority over the hard drive.
Connect your USB drive to the suspect machine on which you want to perform the cold boot, then pull the power and quickly restore it.
Once the machine boots from the USB key, scraper.bin starts dumping the contents of RAM to the USB drive.
Once it has completed, unplug the USB drive and plug it into your forensics machine.
Then run the usbdump utility on the forensics machine to copy the RAM image from the USB drive to a local drive on the forensics machine.
The command shown assumes the USB drive appears as /dev/sdb, and we name the resulting memory image memdump.img.
Once we have the memory dump, we can use Volatility, aeskeyfind, or rsakeyfind to extract encryption keys from memdump.img.
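To make the key-search step concrete, here is an added example of my own (not code from the Princeton toolkit or from this lecture) that reimplements the core idea behind aeskeyfind. While an AES-128 key is in use, the kernel keeps its full 176-byte expanded key schedule in RAM, and each 16-byte round key is a fixed function of the previous one, so a scanner can slide a window across the dump and test that relation at every offset. Comparing round key to round key, with a tolerance for a few mismatched bits, is what lets the search survive the bit decay a cold boot causes. The sample "dump", its contents, the key placement at offset 1000 and the single decayed bit are all constructed for the demo; the key itself is the FIPS-197 Appendix A.1 test key, chosen only because its schedule is published. The real tool also handles AES-256 and repairs decayed bits inside the key, which this version does not.

```python
"""Toy AES-128 key-schedule scanner in the spirit of aeskeyfind (added example,
not the Princeton code). The memory image, key offset and decay are constructed."""
import random

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _build_sbox():
    """Compute the AES S-box (GF(2^8) multiplicative inverse, then the affine map)."""
    exp, log = [0] * 256, [0] * 256
    x = 1
    for i in range(255):                      # successive powers of the generator 3
        exp[i], log[x] = x, i
        x ^= (x << 1) ^ (0x11B if x & 0x80 else 0)   # x = x * 3 in GF(2^8)
    sbox = [0] * 256
    for a in range(256):
        inv = 0 if a == 0 else exp[(255 - log[a]) % 255]
        s, r = inv, inv
        for _ in range(4):                    # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
            r = ((r << 1) | (r >> 7)) & 0xFF
            s ^= r
        sbox[a] = s ^ 0x63
    return sbox


SBOX = _build_sbox()


def next_round_key(rk: bytes, rnd: int) -> bytes:
    """One AES-128 key-schedule step: round key rnd-1 -> round key rnd (rnd in 1..10)."""
    w = [rk[i:i + 4] for i in range(0, 16, 4)]
    t = bytes(SBOX[b] for b in w[3][1:] + w[3][:1])      # SubWord(RotWord(w3))
    t = bytes([t[0] ^ RCON[rnd - 1]]) + t[1:]             # xor the round constant
    out = [bytes(a ^ b for a, b in zip(w[0], t))]
    for j in range(1, 4):
        out.append(bytes(a ^ b for a, b in zip(w[j], out[j - 1])))
    return b"".join(out)


def expand_key(key: bytes) -> bytes:
    """The full 176-byte AES-128 key schedule, as it sits in RAM while the key is in use."""
    rks = [bytes(key)]
    for rnd in range(1, 11):
        rks.append(next_round_key(rks[-1], rnd))
    return b"".join(rks)


def schedule_bit_errors(window: bytes, limit: int) -> int:
    """Sum of Hamming distances between each stored round key and the round key
    recomputed from its stored predecessor. Bails out once `limit` is exceeded, so
    random data is rejected after one round. Checking round-to-round (instead of
    re-expanding window[:16]) keeps one decayed bit from poisoning every later check."""
    errs = 0
    for rnd in range(1, 11):
        prev = window[16 * (rnd - 1):16 * rnd]
        cur = window[16 * rnd:16 * (rnd + 1)]
        errs += sum(bin(a ^ b).count("1") for a, b in zip(next_round_key(prev, rnd), cur))
        if errs > limit:
            break
    return errs


def find_aes128_keys(image: bytes, max_bit_errors: int = 0):
    """Slide a 176-byte window over the dump; return (offset, key, bit_errors) for
    every position whose bytes look like an AES-128 key schedule."""
    hits = []
    for off in range(len(image) - 175):
        errs = schedule_bit_errors(image[off:off + 176], max_bit_errors)
        if errs <= max_bit_errors:
            hits.append((off, image[off:off + 16], errs))
    return hits


def build_sample_image(key: bytes, offset: int, size: int, seed: int = 1) -> bytes:
    """Constructed stand-in for memdump.img: seeded pseudo-random filler with the
    expanded key schedule embedded at `offset`."""
    rng = random.Random(seed)
    img = bytearray(rng.getrandbits(8) for _ in range(size))
    img[offset:offset + 176] = expand_key(key)
    return bytes(img)


def flip_bit(image: bytes, byte_index: int, bit: int) -> bytes:
    """Simulate cold-boot decay: a single stored bit flips."""
    img = bytearray(image)
    img[byte_index] ^= 1 << bit
    return bytes(img)


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 A.1 test key
    image = build_sample_image(key, offset=1000, size=4096)
    print("intact dump:       ", find_aes128_keys(image))
    decayed = flip_bit(image, 1000 + 80, 0)                  # one bit of round key 5 decays
    print("decayed, strict:   ", find_aes128_keys(decayed))
    print("decayed, tolerant: ", find_aes128_keys(decayed, max_bit_errors=8))
```

A single flipped bit in round key 5 costs one mismatch when that round key is checked and four more when the next round key is recomputed from it, so the strict scan misses the key while a scan that tolerates eight bit errors still reports it at offset 1000. On a real dump the threshold is a trade-off between the decay you expect (more the longer the module was unpowered) and false positives, which is why cooling the modules matters as much as the scanner.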
After recovering the key, you can unlock the system and decrypt the encrypted hard drives.
Please be aware that if the cold boot fails, you will not get any useful memory dump.
In addition, the reboot destroys the live state of the running system (processes, network connections, and whatever the BIOS and the boot image overwrite during startup), so that volatile information is lost.
So, you will only use the cold boot approach if you have no other viable option.
Remember, you have to document every action you take on the suspect machine and on the forensics machine.
There are also memory anti-forensics tools, such as Dementia and Attention Deficit Disorder (ADD).
These tools attempt to taint the memory image so as to defeat either the memory acquisition process or the subsequent memory analysis.
Reposted from: https://www.cnblogs.com/sec875/articles/10015670.html