Igor.Korkin renamed 2.2.5. Hardware Approaches.tex to Hardware Approaches.tex  over 9 years ago

Commit id: b80bfe131a27a5db5b81280cab4d2fe16c0c8711


\subsubsection{Hardware Approaches}

F. Davies in [46] notes that, with the I/O Memory Management Unit (IOMMU) technology by AMD and Virtualization Technology for Directed I/O (VT-d) by Intel, software approaches to memory acquisition will perform poorly compared with hardware approaches. Therefore, let us focus on hardware approaches to memory dumping [47].

The DMA capabilities of PCI (PCIe) devices were used in the following tools: the Tribble PCI Card by B.~Carrier and J.~Grand [48, 49], Co-Pilot by Komoku and Microsoft [31, 50], the CaptureGuard PCIe Card by WindowsScope [51], and the RAM Capture Tool by BBN Technologies [50]. The use of the FireWire bus to acquire RAM was described by A.~Boileau [52]. The applicability of hardware interfaces such as USB, eSATA, DisplayPort, Thunderbolt and others for accessing physical memory is described by R.~Breuk and A.~Spruyt [53]. These devices share a similar structure: they are hardware boards connected to a PC and designed for memory forensics.

Standard equipment can also be used for memory dump acquisition. For instance, the use of the Graphics Address Remapping Table (GART) is described by N.~Lawson, D.~Goldsmith and T.~Ptacek [54]. Y.~Bulygin designed DeepWatch, which acquires memory dumps with the help of the controller integrated into the Northbridge [55, 56].

It is essential to point out that malware can prevent memory dump acquisition even by hardware approaches. For example, AMD's External Access Protection technology is able to shadow memory pages from peripherals [57]. J.~Rutkowska describes how to hide memory areas from peripheral access by reprogramming the Northbridge controller: modifications to the address dispatch tables in the Northbridge can hide physical memory regions [58].

Although hardware approaches are resistant to the common hiding techniques of malicious software, they are applicable only under laboratory conditions, because they are inconvenient to deploy and to replicate.