
Mac OS Lion Memory Forensics Using IEEE 1394 to Bypass FileVault 2 Full Volume Encryption. Todd Garrison September 18, 2011.


1 Mac OS Lion Memory Forensics Using IEEE 1394 to Bypass FileVault 2 Full Volume Encryption. Todd Garrison September 18, 2011

2 Copyright © 2011 Todd Garrison. This work is licensed under the Creative Commons Attribution-NonCommercial 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/3.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.

3 Overview
Mac OS 10.7 (Lion) includes a full-volume encryption product called FileVault 2.
 o It is possible to use IEEE 1394/FireWire to extract a user's password from the RAM of a running system, and in most cases from a sleeping system once it has been woken up.
 o This password can be used to decrypt the volume, or to log in to the system.
 o Using FireWire in this manner is a well-known method of gaining access to an operating system, with published attack methods dating back to 2004.
Lion uses a set of countermeasures designed to prevent this attack.
 o There are weaknesses in the implementation. Default settings allow the protections to be bypassed.
 o Changing three settings can protect against the attack in most cases.

4 Tools to Extract RAM
libforensic1394
 o Written by Freddie Witherden and released in 2010.
 o Available at: https://freddie.witherden.org/tools/libforensic1394/
 o Python and C library that works on Linux (JuJu FireWire stack) and Mac OS (IOKit libraries).
 o Does not supply programs to perform capture, so a Python script was written to perform capture. Available at: http://www.frameloss.org/wp-content/uploads/2011/09/ramdump.py.gz
pythonraw1394
 o Written by Adam Boileau and released in 2006.
 o Original website no longer available; mirrored copy at: http://www.frameloss.org/wp-content/uploads/2011/09/pythonraw1394-1.0.tgz
 o Python and C library that uses the raw1394 Linux kernel module (no longer available on most Linux distributions). Also supplies programs for performing memory capture and more.

5 Applicability
The attack is possible in most system states:
 o The user has logged off of the system.
 o The system has been locked via the screensaver, "User Switching" is enabled (the default setting), and there is more than one user account on the system.
 o The system has been booted, but a user has not logged in. This is not a default system configuration when FileVault 2 is enabled. In this state plaintext passwords are not available; SHA2-512 hashes are in RAM.
When do the countermeasures apply?
 o When the screen saver is active and requires a password. Can be bypassed by selecting "Switch User" (if available).
 o When the system is requesting authentication to gain access to the full-volume encryption key. Normally this is done at boot time, but it can also be configured to happen after waking from sleep.

6 Can the System be Imaged?

7 Protecting Against FireWire DMA
Several settings are suggested, and should protect against most attempts to gain access:
 o Disable the User Switching feature.
 o Configure the system to store RAM to disk and remove power from memory upon entering the sleep state.
 o Configure the system to remove the full-volume encryption key from RAM upon sleep.
Other settings:
 o Always use a strong password for every user. Any user's password can be used to decrypt the volume.
 o Do not disable screen locking: set a reasonable time for automatically locking, and configure the system to sleep if it has been idle for a long time.

8 Disable User Switching
Can be disabled in "System Preferences," "Users and Groups," "Login Options."
 o Uncheck the "Show fast user switching menu as..." option.

9 Sleep Options
Must be performed as the "root" user from the Unix shell.
 o Uses the pmset program to change two values:

   Option                 Value  Description
   destroyfvkeyonstandby  1      Removes the full-volume encryption key from RAM when the system is put into sleep mode. Its effect depends on the value of hibernatemode.
   hibernatemode          25     Forces the system to immediately write RAM to disk and remove power from memory upon sleep.

 o Example:
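The following POSIX shell helper is an added example and not part of the original slides. It audits the two pmset values recommended on slides 7 and 9 by reading `pmset -g` output (on a Mac the live output, elsewhere a constructed sample), reports which key is at the secure value, and prints the hardening commands rather than running them. The `pmset -a destroyfvkeyonstandby 1 hibernatemode 25` line follows pmset(1); the `defaults write ... MultipleSessionEnabled` line is an assumption about the preference key behind the fast-user-switching checkbox on slide 8, which the slides do not name.

```shell
#!/bin/sh
# Added example (not from the slides): audit and hardening helper for the
# sleep settings recommended against FireWire DMA attacks on FileVault 2.

# audit_dma_settings: read `pmset -g` style output on stdin, print one
# line per key (key, current value, OK/WEAK/MISSING) and return 0 only
# when both hibernatemode=25 and destroyfvkeyonstandby=1 are present.
# Keys are compared case-insensitively because later OS X releases print
# DestroyFVKeyOnStandby with mixed case.
audit_dma_settings() {
    awk '
        BEGIN {
            want["hibernatemode"] = 25
            want["destroyfvkeyonstandby"] = 1
            rc = 0
        }
        { key = tolower($1) }
        (key in want) {
            seen[key] = 1
            status = ($2 == want[key]) ? "OK" : "WEAK"
            if (status == "WEAK") rc = 1
            printf "%-22s %-4s %s\n", key, $2, status
        }
        END {
            for (key in want)
                if (!(key in seen)) {
                    printf "%-22s %-4s %s\n", key, "-", "MISSING"
                    rc = 1
                }
            exit rc
        }'
}

# hardening_commands: print (do not run) the commands that set the
# recommended values. The pmset line follows pmset(1); the `defaults`
# line is an ASSUMPTION about the key behind the "Show fast user
# switching menu" checkbox, not something the slides state.
hardening_commands() {
    cat <<'EOF'
sudo pmset -a destroyfvkeyonstandby 1 hibernatemode 25
sudo defaults write /Library/Preferences/.GlobalPreferences MultipleSessionEnabled -bool false
EOF
}

# On a Mac, audit the live configuration; on any other system pmset is
# absent and only the functions above are defined.
if command -v pmset >/dev/null 2>&1; then
    if pmset -g | audit_dma_settings; then
        echo "sleep settings match the recommended configuration"
    else
        echo "sleep settings are weak; to fix, run:"
        hardening_commands
    fi
fi
```

A Lion system at its defaults (hibernatemode 3, destroyfvkeyonstandby 0, or the key absent entirely) makes the audit return non-zero, so the script can be dropped into a fleet check that fails on unhardened laptops.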

10 Conclusion
Encryption products are designed to protect data when a third party gains physical access to a computer.
 o Unfortunately, the system is not secure when using the default settings.
 o It is simple to configure the system in a secure state.
It may be possible for Apple to extend the restrictions for FireWire DMA, but for now it is suggested that the recommended configuration options be set on computers containing confidential information.
 o There are also other interfaces (such as Thunderbolt and SDXC) that may exhibit the same vulnerabilities.
 o FileVault 2 is new software; it is likely there are other attack vectors available.

11 Bibliography
1394-2008 - IEEE Standard for a High-Performance Serial Bus. (2008). IEEE Standards Association.
Apple - OS X Lion - The world's most advanced OS. (n.d.). Retrieved September 17, 2011, from http://www.apple.com/macosx/
Apple - Thunderbolt: Next-generation high-speed I/O technology. (n.d.). Retrieved September 17, 2011, from http://www.apple.com/thunderbolt/
Boileau, A. (2006). pythonraw1394.
Dalrymple, J. (2011, July 26). Lion FireWire security issue misleading. Retrieved September 17, 2011, from http://www.loopinsight.com/2011/07/26/lion-firewire-security-issue-misleading/
Fleischer, G. (2011, July 12). File Vault in Mac OS X Lion - k3t's weblog. Retrieved September 3, 2011, from http://fleischer.jp/k3t/blog/2011/07/file-vault-in-mac-os-x-lion.html
Garrison, T. (2011, September 7). Cracking MacOS Lion Passwords. Retrieved September 17, 2011, from http://www.frameloss.org/2011/09/05/cracking-macos-lion-passwords/
Garrison, T. (2011, September 17). Mac OS Lion Forensic Memory Acquisition Using IEEE 1394.
Graham, R. (2011, February 24). Errata Security: Thunderbolt: Introducing a new way to hack Macs. Retrieved September 17, 2011, from http://erratasec.blogspot.com/2011/02/thunderbolt-introducing-new-way-to-hack.html
Hermann, U. (2008, August 14). Physical memory attacks via Firewire/DMA - Part 1: Overview and Mitigation (Update) | Uwe Hermann. Retrieved September 17, 2011, from http://www.hermann-uwe.de/blog/physical-memory-attacks-via-firewire-dma-part-1-overview-and-mitigation
Jacob. (2011, July 21). Lion Tips, a Collection | The Tech Bulletin. Retrieved September 17, 2011, from http://www.thetechbulletin.net/2011/07/21/lion-tips-a-collection/
Koukoushkina, N. (2011, July 26). Passware Proves Mac OS Lion Insecure Revealing Login Passwords in Minutes. Retrieved from http://www.lostpassword.com/pdf/pr-110726.pdf
OS X Lion: About FileVault 2. (2011, July 26). Retrieved September 17, 2011, from http://support.apple.com/kb/HT4790
pmset(1) Mac OS X Manual Page. (n.d.). Mac OS X Developer Library. Retrieved September 17, 2011, from http://developer.apple.com/library/mac/#documentation/darwin/reference/manpages/man1/pmset.1.html
Schuster, A. (2008, February). Memory analysis: "Acquisition (5): FireWire" - Computer Forensic Blog. Retrieved September 13, 2011, from http://computer.forensikblog.de/en/2008/02/acquisition_5_firewire.html
Technical Note TN2124. (n.d.). Retrieved September 3, 2011, from http://developer.apple.com/library/mac/#technotes/tn2124/_index.html
Witherden, F. (2010, September 7). Memory Forensics over the IEEE 1394 Interface. Retrieved from https://freddie.witherden.org/pages/ieee-1394-forensics.pdf

