…Firewire.
Kind of like the RAM remanence phenomenon that I wrote msramdmp to utilize, this is also something that I thought people already knew about. Firewire devices have direct access to the main memory of hosts that they are connected to, and you can use this access to dump sections of memory from computers you have temporary physical access to.
Metistorm has written up a nice post and script describing this technique, and is very modest about it. He’s been sitting on the script for 2 years, and also thought this was something everyone else already knew.
It’s something else to add to your forensic/incident-response bag of tricks.
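As an added example (not from the original post or from Metistorm's script), here is the defender's side of the same fact: a small POSIX shell audit that reports whether a Linux host still has its Firewire driver modules loaded or left out of the modprobe blacklist. The module names, the modprobe.d layout and the lsmod output format are assumptions about a mainline Linux system, and the sample input is constructed so the check runs offline.

```shell
#!/bin/sh
# Audit a Linux host for Firewire DMA exposure: are the 1394 driver modules
# blacklisted, and are any of them currently loaded? Paths are parameters so
# the functions can run against constructed input.

# Kernel modules that expose the 1394 bus (assumed mainline Linux names).
FW_MODULES="firewire-ohci firewire-core firewire-sbp2 ohci1394 sbp2"

# fw_blacklisted <modprobe.d dir> <module>: 0 if a "blacklist <module>" line exists.
fw_blacklisted() {
    dir="$1"; mod="$2"
    grep -qsE "^[[:space:]]*blacklist[[:space:]]+${mod}([[:space:]]|$)" "$dir"/*.conf
}

# fw_loaded <lsmod output file> <module>: 0 if the module appears loaded.
# lsmod prints module names with underscores, so normalize the dash form.
fw_loaded() {
    file="$1"; mod="$(printf '%s' "$2" | tr '-' '_')"
    grep -qE "^${mod}[[:space:]]" "$file"
}

# fw_audit <modprobe.d dir> <lsmod output file>: one line per module;
# returns 1 if any Firewire module is loaded, 0 otherwise.
fw_audit() {
    dir="$1"; lsmod_file="$2"; rc=0
    for mod in $FW_MODULES; do
        if fw_loaded "$lsmod_file" "$mod"; then
            if fw_blacklisted "$dir" "$mod"; then
                echo "WARN  $mod loaded despite blacklist (check initramfs)"
            else
                echo "RISK  $mod loaded and not blacklisted"
            fi
            rc=1
        elif fw_blacklisted "$dir" "$mod"; then
            echo "OK    $mod blacklisted"
        else
            echo "INFO  $mod not loaded, not blacklisted"
        fi
    done
    return $rc
}

# Constructed sample: only the storage protocol module is blacklisted, while the
# controller driver is still loaded, a partial mitigation this check flags.
TMP="$(mktemp -d)"; mkdir -p "$TMP/modprobe.d"
printf 'blacklist firewire-sbp2\n' > "$TMP/modprobe.d/firewire.conf"
printf 'Module Size Used by\nfirewire_ohci 40960 0\nfirewire_core 65536 1\n' > "$TMP/lsmod.txt"
if fw_audit "$TMP/modprobe.d" "$TMP/lsmod.txt"; then
    echo "no Firewire driver exposure found"
else
    echo "Firewire driver exposure found"
fi
```

Run it as root against /etc/modprobe.d and the output of lsmod on a real host; blacklisting all of these modules (or removing the hardware) is the usual mitigation.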
