BHDC11 - De-anonymizing Live CDs through Physical Memory Analysis

coderman coderman at
Tue Jan 11 12:21:13 PST 2011

does anyone know more about the methods to be discussed by Andrew Case
next week?

the memory analysis of Tor seems interesting.

(do Tor Live CDs need a new kexec target for memtest sweeps / ram
zeroisation? :)

Traditional digital forensics encompasses the examination of data from
an offline or "dead" source such as a disk image. Since the filesystem
is intact on these images, a number of forensics techniques are
available for analysis such as file and metadata examination,
timelining, deleted file recovery, indexing, and searching. Live CDs
present a large problem for this forensics model though as they run
solely in RAM and do not interact with the local disk. This removes
the ability to perform an orderly examination since the filesystem is
no longer readily available and putting random pages of data into
context can be very difficult for in-depth investigations. In order to
solve this problem, we present a number of techniques that allow for
complete recovery of a live CD's in-memory filesystem and partial
recovery of its previously deleted contents. We also present memory
analysis of the popular Tor application as it is used by a number of
live CDs in an attempt to keep network communications encrypted and

----- End forwarded message -----
Eugen* Leitl <leitl>
ICBM: 48.07100, 11.36820
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
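As an added illustration of the kind of Tor artefact carving the abstract alludes to (example code written for this page; it is not the talk's method, Tor project code, or either poster's), here is a small scanner that walks a raw physical memory image and pulls out onion addresses and torrc directives with their offsets. It assumes the image is already available as bytes and uses a constructed sample image with random filler in place of a real dump. The v3 onion checksum check (SHA3-256 over ".onion checksum" || pubkey || version, first two bytes) follows Tor's rend-spec-v3, which postdates the 2011 talk; it is included because it lets a practitioner separate genuine v3 addresses from base32 coincidences in a dump. The directive list in TORRC_RE is a constructed subset.

```python
# Added example (not from the BHDC11 talk or from Tor): carve Tor artefacts
# out of a raw physical-memory image. Everything here is constructed for
# illustration; the v3 checksum layout follows Tor's rend-spec-v3.
import base64
import hashlib
import random
import re

V3_VERSION = b"\x03"

# A v2 address is 16 base32 chars, a v3 address is 56. The lookbehind rejects
# labels that are merely the tail of a longer base32 run.
ONION_RE = re.compile(rb"(?<![a-z2-7])([a-z2-7]{56}|[a-z2-7]{16})\.onion\b")

# torrc directives that commonly survive in memory (constructed subset).
TORRC_RE = re.compile(
    rb"(?m)^[ \t]*(HiddenServiceDir|HiddenServicePort|SocksPort|ControlPort|"
    rb"ExitNodes|UseBridges|Bridge)[ \t]+([^\r\n\x00]{1,200})"
)


def make_v3_onion(pubkey: bytes) -> str:
    """Build a v3 onion address from a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion addresses wrap a 32-byte key")
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + V3_VERSION).digest()[:2]
    return base64.b32encode(pubkey + checksum + V3_VERSION).decode().lower() + ".onion"


def validate_v3_onion(addr: str) -> bool:
    """True if the 56-char label carries a correct checksum and version byte,
    which separates real addresses from base32 coincidences in a dump."""
    label = addr[: -len(".onion")] if addr.endswith(".onion") else addr
    if len(label) != 56:
        return False
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != V3_VERSION:
        return False
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return checksum == expected


def carve_tor_artifacts(image: bytes):
    """Return sorted (offset, kind, text) hits for onion addresses and torrc lines."""
    hits = []
    for m in ONION_RE.finditer(image):
        addr = m.group(0).decode("ascii")
        if len(m.group(1)) == 56:
            kind = "onion-v3" if validate_v3_onion(addr) else "onion-v3-badchecksum"
        else:
            kind = "onion-v2"
        hits.append((m.start(), kind, addr))
    for m in TORRC_RE.finditer(image):
        hits.append((m.start(1), "torrc", m.group(0).strip().decode("ascii", "replace")))
    return sorted(hits)


def build_sample_image() -> bytes:
    """Constructed stand-in for a RAM dump: random filler with Tor strings inside."""
    rng = random.Random(2011)  # deterministic filler
    filler = bytes(rng.getrandbits(8) for _ in range(4096))
    good = make_v3_onion(bytes(range(32))).encode()
    # Overwrite the last label char: it encodes the version byte, so this
    # candidate looks like base32 but fails validation.
    bad = good[:55] + b"a" + good[56:]
    return b"".join([
        filler[:1000],
        b"\nSocksPort 9050\nHiddenServiceDir /var/lib/tor/hs\n"
        b"HiddenServicePort 80 127.0.0.1:8080\n",
        filler[1000:2000],
        b"GET / HTTP/1.1\r\nHost: " + good + b"\r\n\r\n",
        filler[2000:3000],
        b"\nrendezvous: abcdefghijklmnop.onion\x00",
        filler[3000:3500],
        b" " + bad + b"\n",
        filler[3500:],
    ])


if __name__ == "__main__":
    for off, kind, text in carve_tor_artifacts(build_sample_image()):
        print(f"{off:#08x} {kind:22s} {text}")
```

On a real dump you would read the image file in chunks (overlapping by a few hundred bytes so strings straddling a chunk boundary are not lost) and feed each chunk to carve_tor_artifacts; the offsets are what let you go back and read the surrounding page for context, which is exactly the hard part the abstract describes.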

More information about the cypherpunks-legacy mailing list