Authors: Tobias Latzo (Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU)), Matti Schulze (FAU), and Felix Freiling (FAU)
DFRWS USA 2021
Abstract
The Intel Direct Connect Interface (DCI) provides a JTAG debugging interface which allows to debug Intel x86 CPUs by merely plugging in a slightly modified USB cable without opening the chassis. DCI offers the possibility to halt CPU operations and arbitrarily read and write main memory. We therefore explore the possibility to leverage DCI for the forensic acquisition of main memory. We introduce DCILeech, a tool which allows to acquire system memory with high quality: In contrast to software-based acquisition tools, it does not alter memory contents and therefore guarantees full integrity. Moreover, due to its power to halt the CPU, memory snapshots acquired by DCILeech exhibit no traces of concurrent system activity and therefore can be considered atomic. On the downside, DCI must be enabled on the target system and DCI-based memory acquisition is slow. We therefore also explore other applications of Intel DCI such as its use in practice for digital forensic triage.