Live volatile data

 
  

zikmik
Member
 

Live volatile data

Post Posted: Jul 31, 09 10:43

Hi,
How do I collect live volatile data if the computer is locked (the computer is in use and has been locked)
and the account is protected by a password?

I don't think that e-fense Live Response covers this situation...
 
  

benclelland
Member
 

Re: Live volatile data

Post Posted: Aug 03, 09 15:19

Does the computer have firewire that you could use? It's possible to use firewire to make it so that the Windows locked screen doesn't need a password by making a change to the memory.  
 
  

zikmik
Member
 

Re: Live volatile data

Post Posted: Aug 04, 09 12:16

benclelland

Thank you for replying!
My question was hypothetical, but I am trying to be prepared for such a situation.
I found a way with RemoteUnlock, but the trick works only if the locked PC is already LAN connected.
It would be nice if you described your approach with the FireWire IEEE 1394 port
and making the change in memory.
 
  

benclelland
Member
 

Re: Live volatile data

Post Posted: Aug 04, 09 13:19

We have used it successfully before on machines. As far as I remember, it just changes the memory, as the FireWire has direct access to memory. You can then get in using no password, and on system reboot it will need a password again (because it isn't changing the actual password).

The project can be found here with the script that you need.

You basically connect a computer via firewire to the target machine and then run the script to modify the memory and then you will get in. We have tried it on various different Windows machines without a problem.

Here is a link on YouTube showing how easy it actually is when you have things set up - www.youtube.com/watch?...&fmt=18
 
  

keydet89
Senior Member
 

Re: Live volatile data

Post Posted: Aug 04, 09 16:14

 
  

zikmik
Member
 

Re: Live volatile data

Post Posted: Aug 04, 09 16:42

Thank you again!
It will take some time for me to test it...

I find Winlockpwn to support Vista and XP SP3
forums.remote-exploit....#post98201  
 
