
FinFireWire / User Manual (copy published by WikiLeaks)


Copyright 2011 by Gamma Group International, UK

Date 2011-08-04

Release information

Version  Date        Author  Remarks
1.0      2010-09-27  Pk      Draft release
1.1      2010-09-27  mjm     Review
1.2      2011-08-04  Pk      Update for FinFireWire 2.2 Release


Table of Contents

1 Overview (p. 4)
2 Requirements (p. 5)
2.1 Agent Operating System (p. 5)
2.2 Target Operating System (p. 5)
3 Software Installation (p. 6)
4 Usage (p. 7)
4.1 Menu Panel (p. 8)
4.2 Updates (p. 9)
4.3 License (p. 10)
4.4 About (p. 11)
4.5 Main Panel (p. 12)
4.5.1 Welcome Screen & Initialization (p. 12)
4.5.2 Device Name (p. 13)
4.5.3 Connect (p. 14)
4.5.4 Operation Selection (p. 15)
4.5.5 Unlock - Target Configuration (p. 16)
4.5.6 Unlock – Auto Detect Feature (p. 17)
4.5.7 Unlock - Advanced Configuration (p. 18)
4.5.8 Unlock - Summary / Start (p. 19)
5 Quick Step-by-Step Introduction (p. 22)
5.1.1 RAM Dump Information - Configuration (p. 23)
5.1.2 RAM Dump Information - Summary / Start (p. 25)
6 Support (p. 26)


1 OVERVIEW

FinFireWire is a tactical kit that enables the operator to quickly and covertly bypass the password-protected Login-Screen or Screensaver. No modifications are done on the actual Target System and no reboot is required, so all essential forensic evidence can be recovered live from the running system.

The following topics are covered within this document:

- Installation
- Configuration
- Usage
- Updates / Support


2 REQUIREMENTS

2.1 Agent Operating System

FinFireWire can be installed on the following Operating System(s):

- Ubuntu Linux 9.10 / 10.04

2.2 Target Operating System

FinFireWire supports the following Target Operating Systems:

- Microsoft Windows XP
- Microsoft Windows Vista
- Microsoft Windows 7
- Mac OSX (without FileVault)
- Backtrack 4
- Ubuntu
- Free BSD
- SuSE


3 SOFTWARE INSTALLATION

FinFireWire is pre-installed on the delivered Laptop. If you must install FinFireWire yourself, insert the CD-ROM and start the “FinFireWire-VERSION.ggi” installer.

Copy the installer “FinFireWire.X.X.ggi” to /tmp:

via CD-ROM:

    sudo mount /media/cdrom0
    cp /media/cdrom0/FinFireWire.X.X.ggi /tmp

OR

via USB stick (only the FAT32 file system is supported!):

    sudo mkdir /mnt/usb
    sudo mount /dev/sdb1 /mnt/usb      # /dev/sdb1 could be different!
    cp /mnt/usb/FinFireWire.X.X.ggi /tmp
    sudo umount /mnt/usb

Start the installer with:

    sudo chmod 700 /tmp/FinFireWire.X.X.ggi
    sudo /tmp/FinFireWire.X.X.ggi

The installer writes files into the following directory: /usr/local/finfirewire

Figure 1: Welcome Screen
Figure 2: Installation Completed


4 USAGE

This chapter describes the handling and layout of the FinFireWire software.


In this chapter:

1 – Menu Panel
2 – Main Panel


4.1 Menu Panel

Figure 3 shows the FinFireWire Menu Panel.

Figure 3: Menu Panel

The left navigation panel contains the following entries:

1. Updates: Change Update settings and check for Updates.
2. License: Install a new License or display License information.
3. Language: Select Display Language.
4. About: Display FinFireWire version and EULA.
5. Online Help: Visit the FinFisher Support Website.


4.2 Updates

Figure 4 shows all Update settings.

Figure 4: Overview FinFireWire Update

The following Update settings can be configured:

1. Disabled: No Update request will be done automatically.
2. At Startup: An update request will be triggered on application start.
3. Daily: An update request will be triggered every day.
4. Weekly: An update request will be triggered every week.
5. Monthly: An update request will be triggered every month.
6. Check now: An update request will be triggered immediately.
7. Import: Import an Update File for offline Update.


4.3 License

Figure 5 shows all License information. A new license can be imported.

Figure 5: License Information
Figure 6: Choose the license file to import

If the license is invalid or not installed, press the “Import License” button to install a new License File.


4.4 About

Figure 7 shows the “About” dialog. The About Dialog displays the Version Number and the EULA.

Figure 7: About Dialog


4.5 Main Panel

FinFireWire is controlled with the “MAIN Panel”.

4.5.1 Welcome Screen & Initialization

Figure 8 shows the “Welcome screen” of the FinFireWire wizard.

Figure 8: Main Panel – “Welcome” Screen

After FinFireWire has started, an initial setup is done automatically. FinFireWire tries to:

1. Search for a FireWire Adapter (internal or external adapter).

2. Load all necessary standard FireWire Kernel drivers to handle the adapter.

3. Load a ROM File, which emulates a FireWire device on your Target System.


4.5.2 Device Name

Figure 9 shows the 2nd slide of the FinFireWire wizard. In this step, FinFireWire provides the possibility to customize the device name. A maximum of 32 characters is supported.

Figure 9: Main Panel – “Change Device Name” Screen

The default Device Name is “GAMMA Hard Disk” and should be changed.


4.5.3 Connect

Figure 10 shows the 3rd slide of the FinFireWire wizard. In this step, FinFireWire shows how to connect your FinFireWire system to your Target System.

Before you continue, you should wait a little, because the Target System must install a new device and load some drivers. This could take up to 2 minutes!

Figure 10: Main Panel – “Connect” Screen
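The initialization steps in 4.5.1 and the driver-loading wait in 4.5.3 both depend on the target's FireWire kernel stack enumerating the emulated device. As an added defender-side example that is not part of the manual, the following POSIX shell script reports whether a Linux host has that stack loaded and whether the usual modprobe blacklist (the standard mitigation when the port cannot be physically disabled) is complete; the module names are the standard Linux ones, and the sample lsmod and modprobe.d contents are constructed.

```shell
#!/bin/sh
# Added defender-side check; not part of the FinFireWire manual.
# A FireWire DMA tool needs the target's FireWire stack to enumerate the
# emulated device. On Linux that stack is the modules below (new "juju" stack
# first, legacy ieee1394 stack after); blacklisting them is the standard
# mitigation. lsmod prints underscores, modprobe.d accepts hyphens too,
# so the blacklist check normalises both spellings.

FW_MODULES="firewire_core firewire_ohci firewire_sbp2 ieee1394 ohci1394 sbp2"
REQUIRED_BLACKLIST="firewire_core firewire_ohci firewire_sbp2"

# fw_dma_verdict: reads lsmod-style output on stdin and prints
# "EXPOSED: <modules>" or "OK: no FireWire driver loaded".
fw_dma_verdict() {
    hits=""
    while read -r name _rest; do
        for m in $FW_MODULES; do
            if [ "$name" = "$m" ]; then hits="$hits $name"; fi
        done
    done
    if [ -n "$hits" ]; then echo "EXPOSED:$hits"; else echo "OK: no FireWire driver loaded"; fi
}

# fw_blacklist_status: reads modprobe.d-style config on stdin and prints
# which of the required modules are still not blacklisted.
fw_blacklist_status() {
    listed=""
    while read -r key val _rest; do
        if [ "$key" = "blacklist" ]; then
            listed="$listed $(printf '%s' "$val" | tr '-' '_')"
        fi
    done
    missing=""
    for m in $REQUIRED_BLACKLIST; do
        case " $listed " in
            *" $m "*) ;;
            *) missing="$missing $m" ;;
        esac
    done
    if [ -n "$missing" ]; then echo "MISSING:$missing"; else echo "OK: FireWire stack blacklisted"; fi
}

# Constructed sample data so the script runs offline.
SAMPLE_LSMOD="Module                  Size  Used by
firewire_sbp2          20480  0
firewire_ohci          45056  0
firewire_core          69632  2 firewire_sbp2,firewire_ohci
e1000e                245760  0"

SAMPLE_CONF="# constructed /etc/modprobe.d/firewire.conf
blacklist firewire-core
blacklist firewire-ohci
# firewire-sbp2 deliberately omitted to show an incomplete blacklist"

if [ "${1:-}" = "--live" ]; then
    lsmod | fw_dma_verdict                                   # real host
    cat /etc/modprobe.d/*.conf 2>/dev/null | fw_blacklist_status
else
    printf '%s\n' "$SAMPLE_LSMOD" | fw_dma_verdict
    printf '%s\n' "$SAMPLE_CONF" | fw_blacklist_status
fi
```

Run it with `--live` on the host being audited; without arguments it only evaluates the constructed samples.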


4.5.4 Operation Selection

Figure 11 shows the 4th slide of the FinFireWire wizard. In this step the operation can be selected.

Figure 11: Main Panel – “Select Operation” Screen

Supported Modes are:

1. Bypass a password-protected Login Screen or Screensaver.
2. Dump Memory Information into a file for forensic analysis.



4.5.5 Unlock - Target Configuration

Figure 12 shows how to configure your Target System.

Figure 12: Main Panel – “Target Configuration” Screen

Select the option “Unknown” if you are unsure. FinFireWire will then try all known combinations. This will increase the estimated operational time.

1) Select the Operating System of your Target PC.

2) Select the version of the Operating System of your Target PC.

3) The maximum memory size of your Target PC will be estimated automatically.



4.5.6 Unlock – Auto Detect Feature

Figure 13 shows the Auto Detect function, which detects the running Operating System and the size of the installed memory.

Figure 13: Main Panel – “Auto Detect” Feature

This function can be used to:

1) Detect the Operating System of the Target PC (only Windows / Linux).

2) Detect the size of the installed memory on the Target PC.

Limitations:

a) Using Auto Detect could fail or crash/freeze your Target PC!

b) Only the Operating System family (e.g. Windows/Linux) can be identified, not the OS version (e.g. XP/Ubuntu). If this fails, select the OS manually or select Unknown.

c) Sometimes the size of the installed memory cannot be identified. Accept the default setting or modify it through the Advanced Configuration.


4.5.7 Unlock - Advanced Configuration

Figure 14 shows how to configure advanced RAM settings.

Figure 14: Main Panel – “Advanced Configuration” Screen

Be careful not to exceed the RAM actually installed in the Target PC when configuring the maximum value.

Operating System              Default RAM (max) value
Windows XP                    256 MB
Windows Vista                 512 MB
Windows 7                     896 MB
Linux (graphical interface)   512 MB
Linux (Console)               256 MB
Mac OSX                       512 MB

Figure 15: Default (“secure”) RAM Values

These RAM values are based on the minimum system requirements. The system could have more memory installed.


4.5.8 Unlock - Summary / Start

Figure 16 shows a short summary of your settings.

After pressing the Unlock button, process information about the current unlocking action will be displayed.

Figure 16: Main Panel – “Unlock - Summary / Start” Screen

Pressing the Stop button will interrupt the current unlocking process immediately.


Figure 17 shows the Popup Message, which will be shown if the authentication mechanism of the Target PC could be patched. Now, any password will be accepted.

Figure 17: Main Panel – “Restore” Question

→ Please verify whether you can log in to your Target PC. Two options exist:

1. Login was successful. → Answer the question with “YES”. The previous state of the Login function will be restored. The next time you lock the system, only the original password will be accepted. If you need to log in again, restart the unlock process.

2. Login was unsuccessful. → Answer the question with “NO”. The unlock process will continue and try to find another combination.


Figure 18 shows the Popup Message that is shown if the Target PC couldn't be unlocked. We recommend changing the following options (exactly in this order!):

1. Change the Operating System selection, e.g. Linux / Ubuntu → Linux / Unknown.

2. If the Auto Detect feature wasn't used or failed, increase the RAM (max.) value step by step and continue with steps 1 & 2.

Figure 18: Main Panel – “System couldn’t be unlocked”


5 QUICK STEP-BY-STEP INTRODUCTION

Figure 19 shows a short overview of the 5 main steps when using FinFireWire.

Figure 19: Step-by-Step Introduction


5.1.1 RAM Dump Information - Configuration

Figure 20 shows how to configure the Memory Dump feature.

Figure 20: Main Panel – “RAM Dump Configuration” Screen

1) Select the output filename. (The default file name is: “memdump_DATE_TIME_RAM-Size.dump”.) File splitting is integrated (minimum file size = 256 MB, maximum file size = 2048 MB).

2) Set the maximum RAM size. (Maximum RAM size = 4096 MB.)



3) Additional functions:

a) Auto Detect the size of the installed memory.
b) Run a Performance Scan → Result: Minutes / Gigabyte.

Option        Notes
Auto Detect   Using Auto Detect could fail or crash/freeze your Target PC!
Benchmark     Non-critical, cannot crash/freeze your Target PC!


5.1.2 RAM Dump Information - Summary / Start

Figure 21 shows a short summary of your settings.

After pressing the Dump button, process information about the current memory dump action will be displayed.

Figure 21: Main Panel – “RAM Dump - Summary / Start” Screen

Pressing the Stop button will interrupt the current memory dump process immediately.


6 SUPPORT

All customers have access to an after-sales website that gives them the following capabilities:

- Download product information (latest user manuals, specifications, training slides)
- Access change-log and roadmap for products
- Report bugs and submit feature requests
- Inspect frequently asked questions (FAQ)

The after-sales website can be found at https://www.gamma-international.de
