[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

BHDC11 - De-anonymizing Live CDs through Physical Memory Analysis

does anyone know more about the methods to be discussed by Andrew Case
next week?

the memory analysis of Tor seems interesting.

(do Tor Live CDs need a new kexec target for memtest sweeps / ram
zeroisation? :)

Traditional digital forensics encompasses the examination of data from
an offline or “dead” source such as a disk image. Since the filesystem
is intact on these images, a number of forensics techniques are
available for analysis such as file and metadata examination,
timelining, deleted file recovery, indexing, and searching. Live CDs
present a large problem for this forensics model though as they run
solely in RAM and do not interact with the local disk. This removes
the ability to perform an orderly examination since the filesystem is
no longer readily available and putting random pages of data into
context can be very difficult for in-depth investigations. In order to
solve this problem, we present a number of techniques that allow for
complete recovery of a live CD’s in-memory filesystem and partial
recovery of its previously deleted contents. We also present memory
analysis of the popular Tor application as it is used by a number of
live CDs in an attempt to keep network communications encrypted and
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/