[TOOL] McGrew Security RAM Dumper

Subject: [TOOL] McGrew Security RAM Dumper
Date: 3 Mar 2008 16:06:56 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  McGrew Security RAM Dumper
------------------------------------------------------------------------



DETAILS

Overview:
A short while back, a paper <http://citp.princeton.edu/memory/> was 
published by researchers at Princeton University, in which they talk about 
the process of recovering encryption keys out of memory after a cold boot. 
This was surprising to many people, as most just assume that, since RAM is 
volatile storage, it is erased when power is removed. This is an incorrect 
assumption.

When the idea of memory retaining state for a short time was first brought 
to my attention a little over a year ago, I ran a few experiments similar 
to this one, just to prove it to myself. The desktop machines I tried would 
hold state for anywhere between 5 and 10 seconds without power, whereas my 
laptop, with no battery or wall power, would maintain state for an amazing 
10 minutes. I used a Linux bootable CD to get an image of memory from a 
Windows machine to data carve, and found some interesting things. The 
footprint for the Linux OS was huge, though, and this interfered with my 
ability to capture as much memory from the previously running operating 
system as possible.

The Princeton researchers applied this method to the recovery of 
encryption keys, with great results. They also cooked up a way to image 
the contents of RAM with a very small footprint, only overwriting a small 
amount of memory in the process. Unfortunately, at the time of writing 
this, their tool hasn't been released. I decided that it wouldn't be hard 
to go ahead and implement one myself, based off their paper and YouTube 
video posted above, so that I (and others) can go ahead and start having 
fun.

So, as a small side project, I've written "msramdmp", the McGrew Security 
RAM Dumper. Enjoy!
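What the Princeton key-recovery step searches a dump for is not the 16 raw key bytes but the expanded key schedule that an AES implementation keeps in RAM; the redundancy of the schedule is what makes it recognisable. The following is an added example, not part of the original announcement or of msramdmp: a Python checker that scans a memory image for AES-128 key schedules, which a defender can run over a dump of their own software to confirm that key zeroisation really removed the schedule. It implements FIPS-197 key expansion itself, assumes an error-free image (the Princeton tool also corrects bit decay), and `constructed_image` plants one schedule in constructed filler.

```python
def _gf_mul(a, b):
    """GF(2^8) multiply with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        p ^= a if b & 1 else 0
        a = ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return p

def _build_sbox():
    """Derive the AES S-box: multiplicative inverse, then the affine transform."""
    sbox = []
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if _gf_mul(x, y) == 1)
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()

def expand_key(key):
    """FIPS-197 AES-128 key expansion: 16-byte key -> 176-byte schedule."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:  # RotWord, SubWord, then xor the round constant
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = _gf_mul(rcon, 2)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return bytes(b for word in w for b in word)

def find_aes128_schedules(image):
    """Return (offset, key) for every 176-byte window that is a valid schedule."""
    hits = []
    for off in range(len(image) - 175):
        k = image[off:off + 16]
        w4 = bytes([SBOX[k[13]] ^ k[0] ^ 1, SBOX[k[14]] ^ k[1],
                    SBOX[k[15]] ^ k[2], SBOX[k[12]] ^ k[3]])  # prefilter: first derived word
        if image[off + 16:off + 20] == w4 and expand_key(k) == image[off:off + 176]:
            hits.append((off, k))
    return hits

def constructed_image(key, at, size=4096):
    """Constructed sample: deterministic filler with one schedule planted at `at`."""
    buf = bytearray((i * 2654435761 >> 7) & 0xFF for i in range(size))
    buf[at:at + 176] = expand_key(key)
    return bytes(buf)
```

A schedule that is still present after the owning code claims to have wiped its key is exactly what a cold-boot capture would hand to an attacker; overwriting the schedule (not only the key) makes the scan come back empty.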


ADDITIONAL INFORMATION

The information has been provided by Wesley McGrew 
<mailto:wesley@mcgrewsecurity.com>.
To keep updated with the tool visit the project's homepage at: 
http://mcgrewsecurity.com/projects/msramdmp/


