Beyond The CPU: Defeating Hardware Based RAM Acquisition Tools

Many people believe that using a hardware based acquisition method, such as a PCI card or the FireWire bus, is the most reliable and secure way to obtain an image of volatile memory (RAM) for forensic purposes.

This presentation aims to change this belief by demonstrating how to cheat such hardware based solutions, so that the image obtained over, for example, a FireWire connection can be made to differ from the real contents of physical memory as seen by the CPU. The attack does not require a system reboot.

The presented technique has been designed and implemented to work against AMD64 based systems, but it does not rely on hardware virtualization extensions.
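If a DMA-path capture can be made to differ from what the CPU sees, the defensive consequence is that a single hardware acquisition cannot be trusted on its own; one practical check is to acquire the same physical range through two independent paths and compare them page by page. The following is an added example illustrating that cross-check, not code from the presentation; the two images are constructed sample data standing in for a CPU-side and a DMA-side capture.

```python
"""Cross-check a DMA-acquired RAM image against a CPU-side acquisition.

Added example, not from the presentation. The two images are constructed
sample data, not real captures; page size and layout are assumptions.
"""
import hashlib

PAGE_SIZE = 4096


def differing_pages(image_a: bytes, image_b: bytes, page_size: int = PAGE_SIZE):
    """Return a sorted list of page indexes whose contents differ.

    Both images must cover the same physical range; a length mismatch is
    itself a finding, so it is reported instead of being silently truncated.
    """
    if len(image_a) != len(image_b):
        raise ValueError(f"image sizes differ: {len(image_a)} vs {len(image_b)}")
    pages = []
    for off in range(0, len(image_a), page_size):
        a = image_a[off:off + page_size]
        b = image_b[off:off + page_size]
        # Compare digests so the per-page hashes can also be logged as evidence.
        if hashlib.sha256(a).digest() != hashlib.sha256(b).digest():
            pages.append(off // page_size)
    return pages


def coalesce_ranges(pages, page_size: int = PAGE_SIZE):
    """Collapse consecutive page indexes into (start_addr, end_addr) tuples."""
    ranges = []
    for p in pages:
        start = p * page_size
        if ranges and ranges[-1][1] == start:
            ranges[-1] = (ranges[-1][0], start + page_size)
        else:
            ranges.append((start, start + page_size))
    return ranges


def build_samples():
    """Constructed images: 8 pages, with pages 2, 3 and 6 altered in the DMA copy."""
    cpu_view = bytes(range(256)) * (8 * PAGE_SIZE // 256)
    dma_view = bytearray(cpu_view)
    for p in (2, 3, 6):
        off = p * PAGE_SIZE
        dma_view[off:off + 16] = b"\x00" * 16  # DMA path returned altered data here
    return cpu_view, bytes(dma_view)


if __name__ == "__main__":
    cpu, dma = build_samples()
    for start, end in coalesce_ranges(differing_pages(cpu, dma)):
        print(f"mismatch: physical 0x{start:x}-0x{end:x}")
```

Any non-empty result means at least one acquisition path is not reporting the true memory contents, and the affected ranges are where to focus further analysis.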

* Black Hat DC 2007 Presentation (updated) (PPT, 1MB)

* Demo movies (RAR, 33MB)

Joanna Rutkowska, of Invisiblethings.org, will be speaking at the FIRST Security Conference in Sevilla. FIRST is the premier organization and recognized global leader in incident response. For more information, visit FIRST's website at http://www.first.org.