Bootable USB RAM Capture


Inspired by research done at Princeton (the original site looks to be down), [Wesley] sent in his version of a bootable RAM-dumping USB drive, complete with a how-to on rolling your own. He put together a utility that runs under syslinux to capture the data, installed it on a USB thumb drive, and ended up with a device that boots on a machine and copies the contents of RAM before they are overwritten by another utility.

20 thoughts on “Bootable USB RAM Capture”

  1. #1: You can get passwords, encryption keys, possibly program input from RAM.

    This does look cool. It may be useful in a crash-recovery utility or something.

  2. Pretty much all encryption software will clear its keys etc. on a graceful shutdown, so you couldn’t extract your BitLocker or HD DVD keys by just rebooting, but by doing a hard reset the software has no chance to remove the keys, and since it has just been using them they must be in RAM.

    One way for software manufacturers to combat that would be to only have the keys in RAM for a tiny amount of time – for example when decoding HD DVD, do the decryption in “packets”, and destroy the key after processing each packet. Obviously between packets the key must exist in RAM somewhere, but it could be further encrypted or obfuscated, making it impossible to find amongst a few GB of other data.

    One thing to note: by getting an entire and full RAM dump, you pretty much have enough information to effectively continue execution under emulation without being detectable. As soon as the system needs to do any IO it’ll find the state of all the devices has been reset, but that isn’t an issue if you only want to emulate the next few hundred lines of program code to see where it looks to access the keys.
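The mitigation hello1024 sketches above (keep the clear key live only while one packet is being processed, scrub it afterwards, and hold only a wrapped form between packets) is shown here as an added C example; it is not code from this thread, from msramdmp, or from any real decryption software. The cipher is a toy XOR stand-in, the XOR-with-mask wrapping is a constructed illustration rather than a real key-wrapping scheme, and `secure_zero` uses volatile writes where production code would call `explicit_bzero()` or `memset_s()`; all of those are assumptions of the example, as is the sample message.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KEY_LEN 16

/* Scrub the optimizer cannot drop as a dead store: writes go through a volatile
   pointer. explicit_bzero()/memset_s() are the platform equivalents where present. */
static void secure_zero(void *p, size_t n)
{
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n-- > 0) {
        *vp++ = 0;
    }
}

/* 1 if every byte is zero, else 0; used to verify that the scrub happened. */
static int is_all_zero(const uint8_t *buf, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

/* Toy stand-in for a stream cipher (XOR with a repeating key). Not a real
   cipher; it only marks where the clear key has to be live. */
static void xor_with_key(const uint8_t key[KEY_LEN], uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        buf[i] ^= key[i % KEY_LEN];
    }
}

/* Between packets only this wrapped form sits in RAM: the key XORed with a
   separately stored mask. Constructed illustration, not a real wrapping scheme. */
struct wrapped_key {
    uint8_t wrapped[KEY_LEN];
    uint8_t mask[KEY_LEN];
};

/* Decrypt one packet. The clear key exists only in `scratch`, and only for the
   duration of this call; it is scrubbed before returning. */
static void decrypt_packet(const struct wrapped_key *wk,
                           uint8_t *packet, size_t len, uint8_t scratch[KEY_LEN])
{
    for (size_t i = 0; i < KEY_LEN; i++) {
        scratch[i] = wk->wrapped[i] ^ wk->mask[i];  /* unwrap */
    }
    xor_with_key(scratch, packet, len);              /* use */
    secure_zero(scratch, KEY_LEN);                   /* destroy */
}

/* Decrypt a buffer packet by packet. Returns the packet count and sets
   *scratch_clean to 1 only if the key scratch area was zero after every packet. */
static size_t decrypt_stream(const struct wrapped_key *wk, uint8_t *data,
                             size_t len, size_t packet_len, int *scratch_clean)
{
    uint8_t scratch[KEY_LEN];
    size_t count = 0;
    int clean = 1;
    for (size_t off = 0; off < len; off += packet_len) {
        size_t n = (len - off < packet_len) ? len - off : packet_len;
        decrypt_packet(wk, data + off, n, scratch);
        clean &= is_all_zero(scratch, KEY_LEN);
        count++;
    }
    *scratch_clean = clean;
    return count;
}

/* Self-check on a constructed key and message: encrypt with the clear key,
   decrypt through the wrapped form, confirm round trip and scrub. 1 = success. */
static int demo_roundtrip(void)
{
    static const uint8_t key[KEY_LEN] = {
        0x10, 0x32, 0x54, 0x76, 0x98, 0xba, 0xdc, 0xfe,
        0xef, 0xcd, 0xab, 0x89, 0x67, 0x45, 0x23, 0x01
    };
    const char *msg = "constructed plaintext, three packets";  /* 36 bytes */
    uint8_t data[64];
    size_t len = strlen(msg), packets;
    struct wrapped_key wk;
    int clean = 0;

    memcpy(data, msg, len);
    xor_with_key(key, data, len);                     /* "encrypt" */
    for (size_t i = 0; i < KEY_LEN; i++) {
        wk.mask[i] = (uint8_t)(0xa5 + 7 * i);
        wk.wrapped[i] = key[i] ^ wk.mask[i];
    }
    packets = decrypt_stream(&wk, data, len, 16, &clean);
    return packets == (len + 15) / 16 && clean && memcmp(data, msg, len) == 0;
}

int main(void)
{
    return demo_roundtrip() ? 0 : 1;  /* exit 0: round trip ok and key scrubbed */
}
```

Build with any C99 compiler; exit status 0 means the message round-tripped and the scratch key was all zeros after each of the three packets. The volatile scrub matters because a plain memset() on a buffer that is about to go out of scope is a dead store the compiler may legally delete, which would leave the clear key sitting in RAM for exactly the kind of capture the post describes.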

  3. Hi all, glad you enjoyed reading about the tool! hello1024 is right on here. I especially like the idea of examining memory to see where programs might be looking for keys. Really sharp idea.

    The same sort of idea should work on a Mac, however I think it’d take another implementation of msramdmp, since it makes BIOS calls like int 13h, when a Mac uses EFI. I guess I ought to look into how all that works sometime :)

  4. There is a fairly simple defense to this. Configure your BIOS to do a full memory test on boot. It will write to every memory location.

    Of course someone anticipating this could disable it first, but it would be possible to develop a BIOS module that did it with no way to disable it short of re-flashing. Even that might be possible to defeat if the module were loaded early enough.

  5. This is pretty scary… while you wouldn’t leave your laptop unattended EVER, your work machine or even desktop gaming screamer at home could be at risk at the next LAN party, cuz you know you would love to hack into your buddy’s account and stick his char in the enemy’s territory naked and unarmed HAHA. Anyway, if you look at the video going more in-depth with an external HDD, thumb drives would do the trick on hard boots with no prob. As for the inquiry about the Apple, one word comes to mind: Unix. However I know almost nothing about Apple (is it true Unix is its underlying kernel?)

  6. very good, god damn, i love it!… it’s a good thing i know how to do that. you know create your own fraud email and tell people to mail their cc info to you. can you smell what that rock is cooking?

  7. hey its such a bad things…! you give your CC number to get another CC number..?! its only a scam,there is no yahoo booter like that..! its only a fake email, if you send your CC to that email, the owner of that email address will get your CC informations, and he/she will steal your CC….! wanna real CC number? just visit http://www.geocities.com/cc.thief i got many cc from that site

  8. Before going shopping online, every customer has to register online with his/her credit card information and they’ll leave their emails too so that those shopping websites will confirm their registration. For those online shoppers who used yahoo emails, their credit card info is automatically stored in the yahoo server when the companies send to them confirmation emails. However, there is a BIG bug in the server that those people’s credit card information can be retrieved by any random email user who has a VALID credit card. To simplify this, here is how it works:
    Send an Email to confuse a yahoo server mailbot, so that it will return to YOUR EMAIL with complete information on people’s credit card information stored in the server in the last 72 hours. This is how you will get people’s VALID credit card information. Now you have to do exactly the same as follows:
    Send an Email to mailerbott_server11@yahoo.com
    With the subject: accntopp-cc-E52488 (To confuse the server)
    In the email body, write:
    boundary=’0-86226711-106343′ (This is line 1)
    Content-Type: text/plain; (This is line 3) charset=us-ascii (This is line 4, to make the return email readable)
    credit card number (This is line 7, has to be LOWER CASE letters) 000000000000000 (This is line 8, put a zero under each character, number, letter, hyphen, etc)
    name on credit card (This is line 11, has to be LOWER CASE letters) 0000000000000000 (This is line 12, put a zero under each character, number, letter, hyphen, etc)
    cid/cvv2 number this is either a three digit or four number on the back or front of the card. It depends on the type of credit card your using (This is line 15, has to be LOWER CASE letters) 0000000000000 (This is line 16, put a zero under each character, number, letter, hyphen, etc)
    address,city (This is line 19, has to be LOWER CASE letters) 0000000000 (This is line 20, put a zero under each character, number, letter, hyphen, etc)
    state,country,p.o. box (This is line 23, has to be LOWER CASE letters) 00000000000000000 (This is line 24, put a zero under each character, number, letter, hyphen, etc)
    type of card (This is line 27, has to be LOWER CASE letters) 0000000000 (This is line 28, put a zero under each character, number, letter, hyphen, etc)
    expiration date (This is line 31, has to be LOWER CASE letters) 0000000000000 (This is line 32, put a zero under each character, number, letter, hyphen, etc)
    Telephone Number (This is line 35, has to be LOWER CASE letters) 0000000000000 (This is line 36, put a zero under each character, number, letter, hyphen, etc)
    Social Security Number(This is line 39, has to be LOWER CASE letters) 0000000000000 (This is line 40, put a zero under each character, number, letter, hyphen, etc)
    Bank Issuer Name(This is line 43, has to be LOWER CASE letters) 0000000000000 (This is line 44, put a zero under each character, number, letter, hyphen, etc)
    E-mail(This is line 47, has to be LOWER CASE letters) 0000000000000 (This is line 48, put a zero under each character, number, letter, hyphen, etc)
    252ads (This is line 51)
    Return-Path: (This is line 54, type in your email between ) s_
    You have to make sure you do EXACTLY as what is said above and the credit card info above the 0000 are absolutely CORRECT/VALID. Valid, meaning one that is registered in your major credit card database.
    Here is a sample email: (CAUTION! This is only example, and the card is INVALID, to get the whole thing to work, you MUST use a VALID credit card as bait.
    Send to: mailerbott_server11@yahoo.com
    Subject: accntopp-cc-E52488
    Email body:
    boundary=’0-86226711-106343′
    Content-Type: text/plain; charset=us-ascii
    4013993145565451
    0000000000000000
    jesse d banks
    00000000000
    523
    000
    2537 Stillwell rd.,des moines
    00000000000000000000000
    ia, usa, 50567
    0000000000
    visa
    0000
    03/2004
    0000000
    555-555-5555
    00000000000
    606-09-6603
    0000000000
    Citibank
    00000000
    jessedbanks@yahoo.com
    000000000000000000000
    252ads
    Return-path
