Copyright 2011 by Gamma Group International, UK
Date 2011-08-17
Release information
Version / Date / Author / Remarks
1.0 / 2010-04-22 / mjm / Initial version
1.1 / 2010-04-30 / pk / Review
1.2 / 2010-06-28 / Pk / Laptop Specifications
1.3 / 2010-09-24 / Pk / Final Version for FinFireWire 1.3 Release
1.4 / 2010-09-26 / mjm / Review
1.5 / 2010-09-27 / Pk / Review
1.6 / 2011-08-17 / Pk / Review
Table of Contents
1 Overview
2 Capabilities
2.1 Supported Operating Systems
2.2 Multiple Connection Options
2.3 Disable Password Validity Check
2.4 Restore System to Original State
2.5 Customized Device Names
2.6 Generate a Memory Dump
2.7 Auto Detection
2.8 Benchmark Test
3 Components
4 Limitations
4.1 Overview
5 Updates & Support
1 Overview
FinFireWire is a tactical kit that enables the operator to quickly and covertly bypass the password-protected Login-Screen or Screensaver. No modifications are done on the actual Target System and no reboot is required so all essential forensic evidence can be recovered live from the running system.
This document describes the full capabilities, the included hardware and software, the limitations, and the support and update system.
2 Capabilities
2.1 Supported Operating Systems
FinFireWire currently supports the following target Operating Systems:
§ Microsoft Windows XP Clean / SP1 / SP2 / SP3
§ Microsoft Windows Vista Clean / SP1 / SP2 / SP3 (32/64bit)
§ Microsoft Windows 7 Clean / SP1 (32/64bit)
§ Mac OSX (x64) / 10.6.3 - 10.6.8 (without FileVault)
§ Backtrack 4 final (KDE)
§ Ubuntu 9.04 / 9.10 / 10.04 (Gnome)
§ Free BSD 7.2 / 8 (Gnome)
§ SuSE 11.1 (KDE4)
2.2 Multiple Connection Options
For the operation, the FinFireWire notebook needs to be connected to the Target System.
The system can be connected directly through a FireWire IEEE1394 port or through the Express Card and PCMCIA adapter cards:
[Figure: onboard FireWire port; FireWire PCMCIA / Express Card adapters]
2.3 Disable Password Validity Check
After connecting the FinFireWire notebook via FireWire to the Target System the actual unlocking is started. This is done through the graphical user interface where the operator configures the Target:
§ Operating System: Windows, Mac OS, Linux, BSD
§ Version: XP, Vista, Ubuntu … (optional)
§ Physical RAM: 512MB, 2GB, 4GB … (optional)
When launching the process, FinFireWire scans the RAM of the Target System for the known locations of the password validity function and patches them so that any password will be accepted and no further verification is done.
The duration of the patching process depends on the amount of physical RAM being scanned and on how much detail about the exact Operating System is available.
After patching the function, the following logins can be bypassed:
§ Windows: Logon-Screen, Password-protected Screensaver, Network Shares
§ Linux: Password-protected Screensaver
§ OSX: Password-protected Screensaver
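A defender-side check, added here and not part of the FinFireWire document or Gamma's software: a POSIX shell script that reports whether the Linux IEEE 1394 driver stack, which is what gives an attached FireWire peer DMA access to host RAM, is loaded, blacklisted or merely absent on a host like the Ubuntu, SuSE or BackTrack targets listed above. Module names are the mainline firewire_* stack and the legacy ieee1394/ohci1394/sbp2 stack; the sample snapshot is constructed, and the /proc and /etc paths are parameters so the check can be run against a snapshot as well as the live host.

```shell
#!/bin/sh
# Added defender-side check, not part of the FinFireWire document. A loaded
# IEEE 1394 host driver is what lets a FireWire peer read and patch host RAM,
# so report whether the Linux 1394 stack is loaded, blacklisted or merely absent.
# Module names: mainline firewire_* stack plus the legacy ieee1394/ohci1394/sbp2.
FW_MODULES="firewire_ohci firewire_core firewire_sbp2 ohci1394 ieee1394 sbp2"

# loaded_fw_modules FILE -> 1394 modules listed in a /proc/modules-style file
loaded_fw_modules() {
    found=""
    for m in $FW_MODULES; do
        if grep -q "^$m " "$1" 2>/dev/null; then found="$found $m"; fi
    done
    echo "${found# }"
}

# blacklisted_fw_modules DIR -> 1394 modules disabled by "blacklist NAME" or
# "install NAME /bin/false" lines in any *.conf under a modprobe.d-style DIR
blacklisted_fw_modules() {
    found=""
    for m in $FW_MODULES; do
        dash=$(printf '%s' "$m" | tr '_' '-')
        if cat "$1"/*.conf 2>/dev/null |
           grep -Eq "^[[:space:]]*(blacklist|install)[[:space:]]+($m|$dash)([[:space:]]|$)"; then
            found="$found $m"
        fi
    done
    echo "${found# }"
}

# firewire_dma_status FILE DIR -> EXPOSED / BLACKLISTED / ABSENT with detail
firewire_dma_status() {
    loaded=$(loaded_fw_modules "$1")
    if [ -n "$loaded" ]; then
        echo "EXPOSED: 1394 driver loaded ($loaded); a locked host can still be patched over FireWire"
        return 0
    fi
    bl=$(blacklisted_fw_modules "$2")
    if [ -n "$bl" ]; then echo "BLACKLISTED: $bl"; else echo "ABSENT: nothing loaded or blacklisted; modules may autoload on hotplug"; fi
}

# constructed snapshot of a host with the stack loaded and nothing blacklisted
make_sample_snapshot() {
    d=$(mktemp -d)
    printf 'firewire_ohci 40960 0 - Live 0x0\nfirewire_core 69632 1 firewire_ohci, Live 0x0\n' > "$d/modules"
    mkdir "$d/modprobe.d"
    printf '# constructed: nothing about 1394 here\nblacklist pcspkr\n' > "$d/modprobe.d/local.conf"
    echo "$d"
}

snap=$(make_sample_snapshot)
firewire_dma_status "$snap/modules" "$snap/modprobe.d"   # sample: EXPOSED
firewire_dma_status /proc/modules /etc/modprobe.d        # this host
```

On a host that must keep the port usable, the check still flags it as EXPOSED; blacklisting the modules (or disabling the controller in firmware) is what turns the result into BLACKLISTED.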
[Figure: example Windows login screens]
[Figure: example Linux login screens]
2.4 Restore System to Original State
After the operation is completed and no more access is required by the operator, the Target System’s password validity check can be re-activated automatically by a feature in the software.
After the Target System has been re-locked, only the real password allows access to the system.
2.5 Customized Device Names
When being connected to a Target System, FinFireWire is concealed as a regular and common FireWire device. For each connection, a customized device name can be assigned to the interface to ensure that no easy fingerprinting of the device and the attack is possible.
Some example device names:
§ Western Digital Harddisc
§ Apple iPod
§ Seagate Harddisc
§ MATSHITA DVD-RAM
§ …
2.6 Generate a Memory Dump
FinFireWire can be used to dump a pre-defined or customized Memory Range into an output file. This output file can be loaded into a Forensic Toolkit.
The output file can be split into smaller files / pieces.
The benchmark test and the auto-detection feature for the installed memory size can be used in this mode.
2.7 Auto Detection
FinFireWire can try to identify the Operating System and the size of the installed memory. This feature is only available on newer systems (built after 2009).
Note: This could freeze or crash a Target PC, especially older Systems.
2.8 Benchmark Test
A Benchmark Test is integrated and can be used to determine the average transfer speed between the Target and the FinFireWire System (e.g. result = 1 min / GB).
The performance depends on the Target System and on which Adapter / Card, BIOS, Operating System and driver is used.
3 Components
Component / Details
1 Tactical Notebook / Lenovo T410i
  § Processor: Intel Core i3-330M Processor (2.13GHz, 3MB L3, 1066MHz FSB)
  § Display type: 14.1 WXGA TFT, w/ LED Backlight
  § System graphics: Intel Graphics Media Accelerator 5700MHD - AMT
  § Total memory: 2 GB PC3-8500 DDR3 SDRAM 1067MHz SODIMM Memory (1 DIMM)
  § Keyboards: Keyboard UK English
  § Hard drive: 250 GB Hard Disk Drive, 5400rpm
  § Optical device: DVD Recordable 8x Max Dual Layer, Ultrabay Slim (Serial ATA)
  § Battery: 4 cell Li-Ion Battery
  § Power cord: Country Pack United Kingdom with Line cord & 65W AC adapter
1 FinFireWire GUI / FinFireWire - Graphical User Interface, pre-installed on Notebook
1 Express Card Adapter / Express Card, 2x 1394 FireWire Ports (6pin)
1 PCMCIA Adapter / PCMCIA Card, 2x 1394 FireWire Ports (6pin)
2 FireWire Cables + Adapters / Model: Hama universal FireWire IEEE1394 cable
  § Length: 2m
  § Add-On: FireWire Adapter
  § Supported connections:
    - 4pin to 4pin (FireWire 400)
    - 4pin to 6pin (FireWire 400)
    - 6pin to 6pin (FireWire 400)
    - 6pin to 9pin (FireWire 800)
1 Case / Peli 1495 Laptop Case
Documentation / FinFireWire User Manual; FinFireWire Specifications
4 Limitations
The following sections describe the limitations of FinFireWire.
4.1 Overview
Limitation / Description
Full Hard-Disk Encryption / A few products for full hard-disk encryption are known to prevent FinFireWire from unlocking the System. Known products that prevent the attack are:
  § Safedisk "Protect Drive"
  § Safeguard Enterprise
Windows Domain Account / User Accounts which are registered and used in a “Windows Domain” Environment cannot be bypassed!
MAC OS FileVault / FileVault uses encrypted file systems that are mounted when the user logs into the system. If this function is used, bypass fails!
OS Auto Detection / Only Linux and Windows Operating Systems can be detected at the moment. The OS version cannot be detected and must be selected manually!
RAM Auto Detection / This function could freeze or crash the Target System.
Biometric Authentication / Some biometric identification products replace or patch system standard authentication functions and cannot be bypassed.
Unsupported Target System - Crashes / In case the Operating System in its installed patch-level is unsupported and more RAM than actually available has been specified in FinFireWire, the Target System might crash during the operation.
Unsupported Operating System Version / Even though dozens of different patch-levels have been tested for each Operating System, no guarantee can be given that the Target System patch level is already included in the database.
Connection Support / If the Target System does not have a connection for either FireWire IEEE1394 or Express Card or PCMCIA the FinFireWire system cannot be connected and the screen cannot be unlocked.
5 Updates & Support
The software has a built-in update feature that pulls updates automatically from the Gamma Update server at configured time intervals. In case the system is not connected to the Internet, download locations are provided on request so the updates can be manually downloaded from other systems.
Every update is done through a secure encrypted link to ensure integrity of the transferred update files.
The amount of updates per year depends on the changes in the IT Intrusion field and the requirement of bug-fixes and new features. At least two major feature updates are provided per year per product.
In addition to the updates, all customers have access to an after-sales website that gives the customers the following capabilities:
§ Download product information (latest user manuals, specifications, training slides)
§ Access change-log and roadmap for products
§ Report bugs and submit feature requests
§ Inspect frequently asked questions (FAQ)
Furthermore, support is provided via telephone and E-Mail.