Archive for July, 2008

What They Didn’t Teach You in Graduate School

Tuesday, July 15th, 2008


I am enjoying a book called “What They Didn’t Teach You in Graduate School”, by Paul Gray and David Drew. The book is about how to have a successful career in academia as a professor. It is written in the form of short pieces of advice, each recommending or warning against something.

Paul Gray is one of the pioneers of the field of Information Systems and he has a lot of great insights and suggestions to share about academia in general. You can read an excerpt of the book here.

Here’s an excerpt on the value of reviewing:

Do, however, serve as a reviewer for journals, particularly top journals. Treat this job seriously. You will see much junk being submitted and appreciate why some journals reject 80 percent or more of their submissions. You will develop an aesthetic for what is good and what is not. You will correspond with some powerful people. When you do get a good paper to review, you will receive much earlier knowledge of an important new development. And the information gained is worth more than the time you take reviewing.

Demonstrating Memory Remanence with OS X

Saturday, July 5th, 2008

In my forensics class this Monday I will talk about the disk encryption attack that Princeton researchers published in April of this year. The attack exploits the fact that data remains in RAM for up to several minutes after power to the computer is turned off. Rather than all memory being erased immediately, data in RAM quickly decays as time goes on. The Princeton research team showed that sensitive information such as passwords and disk encryption keys can be recovered from RAM after a machine is powered off. You can see a video of this attack here.

To demonstrate this attribute of RAM to my class, I will follow the simple experiment described here, but adapted to OS X:

1. Unlike other versions of Unix, OS X has not had a device file for physical RAM since the switch to Intel processors. However, the kernel still supports such a device file. To re-enable the device file for physical RAM, pass this kernel option to the boot loader as follows:

sudo nvram boot-args="kmem=1"

To verify that this kernel option was passed, type:

nvram -p | grep boot-args

You should see the following line:

boot-args	kmem=1

Note: to later remove this boot argument, type:

sudo nvram boot-args=""

2. Reboot your machine and verify that you now have a /dev/mem device file.

3. Open a terminal window, type “python” to enter the Python interpreter and enter these commands:

ram = ""
while True: ram += "MYPASSWORD"

4. The Python interpreter will run until physical RAM is so full that it cannot contain one more “MYPASSWORD” string. You can visually show students that RAM is filling up by showing the RAM pie chart in Activity Monitor. A few minutes after starting the Python command, immediately shut down the computer by holding down the power button.

5. Wait a few seconds or minutes, depending on how much RAM decay you want to allow.

6. Turn the computer back on, open a terminal window, and type this command:

sudo cat /dev/mem > /tmp/ramdump.txt

This step will take a minute or two depending on how much RAM you have installed. Eventually the file will be as large as the amount of RAM installed. In my case, this command yields a 2 GB file.

The command will terminate with this error:

cat: /dev/mem: Bad address

This indicates that all of the contents of RAM have been copied to the /tmp/ramdump.txt file.

7. Type the command,

grep -a MYPASSWORD /tmp/ramdump.txt

This command should then display many instances of the string “MYPASSWORD”, demonstrating that some data has remained in RAM even after power to the computer was turned off.
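The grep in step 7 only finds copies of the marker whose every bit survived; a copy in which a few cells have already decayed no longer matches. The following Python script is an added example, not code from the original post: it counts both intact and near-intact copies of the marker in a dump (a near copy differs in at most a few bits), reading the file in chunks with an overlap so a copy split across a chunk boundary is still found, rather than loading a 2 GB file into memory. The function names, the bit-error threshold and the constructed sample dump are my own assumptions.

```python
import os
import tempfile

MARKER = b"MYPASSWORD"  # the string the classroom demo fills RAM with

def scan_dump(data: bytes, marker: bytes = MARKER, max_errors: int = 4) -> dict:
    """Count intact copies of marker plus 'near' copies differing in 1..max_errors
    bits (decayed cells grep -a no longer matches); skip past each hit so one copy is never counted twice."""
    n, i, exact, near = len(marker), 0, 0, 0
    while i + n <= len(data):
        # Hamming distance between this window and the marker
        errs = sum(bin(x ^ y).count("1") for x, y in zip(data[i:i + n], marker))
        if errs == 0:
            exact, i = exact + 1, i + n
        elif errs <= max_errors:
            near, i = near + 1, i + n
        else:
            i += 1
    return {"exact": exact, "near": near}

def scan_file(path: str, marker: bytes = MARKER, chunk_size: int = 1 << 20) -> dict:
    """Scan a dump of any size chunk by chunk, carrying len(marker)-1 bytes of
    overlap so a copy split across a chunk boundary is still found exactly once."""
    totals, tail = {"exact": 0, "near": 0}, b""
    with open(path, "rb") as f:
        while chunk := f.read(chunk_size):
            data = tail + chunk
            for key, value in scan_dump(data, marker).items():
                totals[key] += value
            tail = data[-(len(marker) - 1):]
    return totals

def build_sample_dump() -> bytes:
    """Constructed stand-in for /tmp/ramdump.txt: two intact copies, one copy
    with a single flipped bit ('A' -> 'a'), plus unrelated filler bytes."""
    decayed = bytearray(MARKER)
    decayed[3] ^= 0x20
    return (b"\x00" * 16 + MARKER + b"\xff" * 8 + bytes(decayed)
            + b"junkjunk" + MARKER + b"\x00" * 16)

def demo(chunk_size: int = 7) -> dict:
    """Write the constructed dump to a temp file and scan it; the tiny default
    chunk_size forces copies to straddle chunk boundaries."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(build_sample_dump())
        path = f.name
    try:
        return scan_file(path, chunk_size=chunk_size)  # -> {'exact': 2, 'near': 1}
    finally:
        os.remove(path)
```

Checking the Hamming distance at every offset in pure Python is slow on a full 2 GB dump, so for the classroom run it on a region of the dump cut out with dd, or raise chunk_size and let it run in the background.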