DocumentCode :
643175
Title :
New possibilities for memory acquisition by enabling DMA using network card
Author :
Balogh, Stefan ; Mydlo, Miroslav
Author_Institution :
Inst. of Comput. Sci. & Math., Slovak Univ. of Technol., Bratislava, Slovakia
Volume :
02
fYear :
2013
fDate :
12-14 Sept. 2013
Firstpage :
635
Lastpage :
639
Abstract :
Direct memory access is one of the techniques used in forensic analysis and rootkit detection. Unfortunately, it can also be misused in various attacks. E.g., the FireWire attack enabled bypassing of Windows authorization by reading the user password stored in memory. Thus, for security reasons, the FireWire port is usually disabled in many computers. This motivates a search for new ways of enabling direct memory access. Another potential avenue for DMA-enabled memory access seems to be the network card. We designed a new solution for direct memory access, based on a custom NDIS protocol driver that can send (on request of the local executable program) the contents of the computer memory over the network. Our new method allows an unexpected type of direct memory access, which is independent of the processor and its control capabilities. This is a strong advantage in rootkit detection, because the rootkit cannot take any action to hide itself while the memory is scanned.
Keywords :
authorisation; computer network security; digital forensics; file organisation; network interfaces; DMA enabled memory access; NDIS protocol driver; Windows authorization; computer memory scanning; direct memory access; firewire attack; firewire port; forensic analysis; local executable program; memory acquisition; network card; rootkit detection; user password; Computers; Forensics; IEEE 1394 Standard; Kernel; Protocols; Random access memory; DMA; Forensic analysis; Live Forensics; Memory Acquisition; direct memory access; network card; rootkit detection;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Intelligent Data Acquisition and Advanced Computing Systems (IDAACS), 2013 IEEE 7th International Conference on
Conference_Location :
Berlin
Print_ISBN :
978-1-4799-1426-5
Type :
conf
DOI :
10.1109/IDAACS.2013.6663002
Filename :
6663002