论文信息 - BMCLeech: Introducing Stealthy Memory Forensics to BMC

BMCLeech: Introducing Stealthy Memory Forensics to BMC

Abstract Several system management technologies have been introduced that leverage additional devices on the main board to asynchronously access and control the host's computing resources. One such prominent technology for server systems is the Baseboard Management Controller (BMC), a co-processors with some firmware that allows an administrator to monitor and administer a server remotely. This paper introduces BMCLeech, the first software that brings forensic memory acquisition onto the BMC which makes it very useful for incident response teams. BMCLeech is based on the open source BMC implementation OpenBMC and internally leverages the power of PCILeech, a well-known framework for memory acquisition via DMA.

Felix C. Freiling | Tobias Latzo | Julian Brost

[1] Peter G. Neumann,et al. Thunderclap: Exploring Vulnerabilities in Operating System IOMMU Protection via DMA from Untrustworthy Peripherals , 2019, NDSS.

[2] Joe Grand,et al. A hardware-based memory acquisition procedure for digital investigations , 2004, Digit. Investig..

[3] Felix C. Freiling,et al. Evaluating atomicity, and integrity of correct memory acquisition methods , 2016 .

[4] Felix C. Freiling,et al. A universal taxonomy and survey of forensic memory acquisition techniques , 2019, Digit. Investig..

[5] Felix C. Freiling,et al. Correctness, atomicity, and integrity: Defining criteria for forensically-sound memory acquisition , 2012, Digit. Investig..

[6] Michael Cohen,et al. Anti-forensic resilient memory acquisition , 2013 .

[7] Felix C. Freiling,et al. Styx: Countering robust memory acquisition , 2018, Digit. Investig..

[8] Gil Neiger,et al. Intel ® Virtualization Technology for Directed I/O , 2006 .

[9] Lorenzo Martignoni,et al. Live and Trustworthy Forensic Analysis of Commodity Production Systems , 2010, RAID.