Digital Investigation 6 (2010) 95–103
Available at www.sciencedirect.com
Journal homepage: www.elsevier.com/locate/diin
Using a software exploit to image RAM on an embedded system
J.R. Rabaiotti*, C.J. Hargreaves
Centre for Forensic Computing and Security, Cranfield University, Shrivenham, UK
Article info
Article history:
Received 15 December 2009
Received in revised form 8 January 2010
Accepted 19 January 2010
Keywords:
Memory imaging
Live forensics
Exploits
Games consoles
Xbox
Abstract
The research in this paper is the result of a court case involving copyright infringement, specifically, a request for expert evidence regarding the proportion of copyrighted data present in the RAM of a games console. This paper presents a novel method to image the memory of an embedded device (a games console) where normal software and hardware memory imaging techniques are not possible. The paper describes how a buffer overflow exploit can be used in order to execute custom code written to create an image of the console’s memory. While this work is concerned with the Microsoft Xbox, the principles of vulnerability enabled data acquisition could be extended to other embedded devices, including other consoles, smart phones and PDAs.
© 2010 Elsevier Ltd. All rights reserved.
* Corresponding author.
E-mail addresses: [email protected] (J.R. Rabaiotti), c.j.har…
1 Microsoft did eventually supply some technical information ab… completed. None of the information provided is included in this paper.
1742-2876/$ – see front matter © 2010 Elsevier Ltd. All rights reserved.
doi:10.1016/j.diin.2010.01.005
1. Introduction
This paper describes research conducted as a result of a case at the Court of Appeal involving the sale of ‘modchips’ for games consoles, specifically the original Microsoft Xbox, the Sony PlayStation 2 and the Nintendo GameCube. One aspect of the case was concerned with whether a modchip counted as a ‘device for circumventing an Effective Technological Measure’ (ETM) within the meaning of Section 296ZA of the Copyright, Designs and Patents Act 1988 (as amended), which makes it a criminal offence to sell such devices. This was not clear-cut, since the modchips did not enable the production of a physical copy of a console game from its original protected optical disc onto another permanent storage medium. However, the Crown argued at the original trial that the modchip caused an infringing copy to be made in the console’s RAM since it permitted the execution of a program (such as a pirated game) that would otherwise be prevented from executing by the ETM. This point was disputed by the appellant, and so the court asked for expert evidence, specifically concerning the proportion of the contents of a game disc that would typically be copied into RAM during the execution of a game.
In many cases of t.
Secret of Intel Management Engine by Igor Skochinsky (CODE BLUE)
Intel Management Engine ("ME") is a dedicated microcontroller embedded in all recent Intel motherboard chipsets. It works independently from the main CPU, can be active even when the rest of the system is powered off, and has a dedicated connection to the network interface for out-of-band networking which bypasses the main CPU and the installed OS. It not only performs the management tasks for which it was originally designed, but also implements features such as Intel Identity Protection Technology (IPT), Protected Audio-Video Path, Intel Anti-Theft, Intel TPM, NFC communication and more. There is not much info available about how exactly it works, and this talk aims to fill the gap and describe the low-level details.
Igor Skochinsky
Igor Skochinsky is currently one of the main developers of the world-famous Interactive Disassembler and Hex-Rays Decompiler. Even before joining Hex-Rays in 2008 he had been interested in reverse engineering for a long time and had brief periods of Internet fame after releasing a dumper for DRM-ed iTunes files (QTFairUse6) and hacking the original Amazon Kindle. He spoke previously at Recon, Breakpoint and Hack.LU.
Pwning Windows Mobile applications by Ankit Giri (OWASP Delhi)
Mobile Platform Operating Systems
Windows Phone Overview
What can we test?
Challenges
Approach & Prerequisites
Methodology
Application File Structure
Tools for Penetration Testing
Security Features
The opening address for the Windows Embedded & Robotics European Campus Tour. This presentation provides an overview of the Embedded Windows technology available and lots of examples of its use.
ASSIGNMENT2 Computer Architecture and Imaging So you’re telling .docx (edmondpburgess27164)
ASSIGNMENT2: Computer Architecture and Imaging
“So you’re telling me an exact replica of ZeroBit’s concept drawing has shown up on the cover of Apex’s product development brochure? What are the chances of that? … Unless somebody here at ZeroBit is leaking information…. I’ll get my best investigator on it.”
“Thanks for coming by. I wanted to talk with you face to face. I just spoke with our VP for External Relations, and it looks like we may have a major security breach on our hands. How quickly can you image this USB stick?”
“Our suspect has access to a live system here at Headquarters, as well as a networked computer at our remote location. We’ll need to examine both of them. You should be able to slip into his office and acquire his RAM and swap space while he's at training this afternoon. But while you’re waiting, check your email for a message from Legal.”
When you open the message from the ZeroBit Counsel, you see four questions that need to be answered in preparation for any possible legal challenge. As you’re answering the fourth one, a notification pops up reminding you that the suspect’s training session is about to start... that’s your cue that it will soon be safe to log in to the suspect’s computer. You run your program, acquiring the RAM and swap space from the live system. Then you log out, leaving the suspect’s office and computer as you found them.
Your colleagues have left for the day, but you’ve stayed behind to image the suspect’s remote computer after hours. You log on to the system and have no problem using netcat to transfer a copy of his remote hard drive to your workstation at Headquarters. You lean back in your chair and smile. You’ve imaged all of the suspect’s known devices. Tomorrow you’ll compile your analyses into a final forensic report. Who knows? You may even be asked to present your report in court!
Digital forensics involves processing data from many different types of devices, ranging from desktops to laptops, tablets to smartphones, servers to cloud storage, and even devices embedded in automobiles, aircraft, and other technologies. In this project you will focus on the architecture and imaging of desktop and laptop computers. You will be working in the VM to image and verify the contents of the following:
1. a USB stick
2. the RAM and swap space of a live computer
3. a networked computer hard drive
In the final step, you compile all of the previous lab notes and reports into one comprehensive report. The final assignment in this project is a forensic imaging lab report that can be presented in a court of law.
Before you can begin imaging the USB drive provided by your supervisor, you need to review your technical manual in order to prepare a statement of work to give to your company's legal team. Are you ready to get started?
When you submit your project, your work will be evaluated using the competencies listed below. You can use the list below to self-check your work before submission.
· 1.1: Or.
NYC4SEC - An Introduction to the Microsoft exFAT File System (Draft 2.01) (overcertified)
As investigators and information security professionals, we have to constantly be aware of changing file systems to track data changes and accurately apply attribution to system changes.
In 2006 Microsoft released a successor to the FAT32 file system named the Extended FAT file system, labeled exFAT for short. exFAT was initially released for Windows CE handheld devices, and in 2008 a version of exFAT was released for Microsoft desktop and server operating systems. Today exFAT is licensed and supported on many devices and systems, including Unix/Linux systems. The SD Card Association, with the release of the Secure Digital Extended Capacity (SDXC) memory card, has adopted exFAT as the standard file system for SDXC media, which is used in cameras, cell phones and other consumer electronics.
exFAT is implemented in a different file system organization than the legacy predecessor FAT family file systems such as FAT12/16/32, and the forensics investigator will be required to know and understand this new format as forensics examinations are conducted using this new file system.
Robert Shullich, Enterprise Security Architect at Tower Group Companies, will give a great overview of the exFAT file system and the implications for investigators.
exFAT topics to be covered in the session:
• History
• Features
• File System Limits
• Advantages/Disadvantages
• Relevance to forensics computing and digital investigation
• Hiding places to look out for – where criminals can hide things
File System Layout and Internals
XPDS16: Xenbedded: Xen-based client virtualization for phones and tablets - ... (The Linux Foundation)
This talk presents a new client virtualization platform that allows Xen to be used on mobile phones and tablets. These embedded devices require special consideration, particularly in the context of client virtualization. We will outline the technical challenges of virtualizing common tablet devices, including the touchscreen, audio, webcam, accelerometer, Wi-Fi, cellular, and display devices. TrustZone implications will also be discussed.
We will present the current project status and what it took (or will take) to get NVIDIA's Jetson TX1 development board and Google's Pixel C tablet running multiple Android instances. We will provide an overview of the platform’s build toolchain and source trees. Finally, we will open up discussions on the future of the platform and the challenges associated with improving Xen adoption on mobile ARM devices.
Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu... (Nicolas Collery)
Full Disk Encryption (FDE) may be rather useful as a defense mechanism against potential theft of a computer system. However, when the system is compromised and requires careful forensic analysis, FDE can be quite painful to forensic analysts. Unless you deal with standard and widely supported encryption such as LUKS, BitLocker, TrueCrypt or a few others, it might be really hard to get through the layers of crypto code in proprietary software.
This presentation, delivered at HTCIA (High Technology Crime Investigation Association - Singapore), highlights a few techniques to let a remote analyst perform investigations.
https://htcia.org
Let Me Pick Your Brain - Remote Forensics in Hardened Environments (Nicolas Collery)
Full Disk Encryption (FDE) may be rather useful as a defense mechanism against potential theft of a computer system. Usually such protection comes with some level of hardening, like removing administrative rights. However, when the system is compromised and requires careful forensic analysis, FDE and hardening can be quite painful to forensic analysts. This presentation, delivered at IIC-SG-2018 (Infosec In the City - Singapore) and at Div0 (Division0 local security meetup), highlights a few techniques to let a remote analyst perform investigations.
https://www.infosec-city.com
https://www.meetup.com/div-zero/
Speaker: Omer S. Coskun
Language: English
While there has certainly been valuable and interesting research on black-box security assessment techniques presented at different conferences, it has almost exclusively focused on the application layer of iOS. The recent disclosures on surveillance programs suggest that mobile users are being targeted not only by cyber criminals but also by spy agencies. The level of skill and effort needed to prevent such an attack requires a reproducible threat model: a red team exercise.
This talk appeals to hands-on iOS hackers looking to dive into the iOS security architecture, sandbox mechanism, ARM64 assembly and security APIs, accompanied by often overlooked penetration testing techniques and ways to automate them. The talk will cover dynamic memory reversing and how to tackle cryptography on an assessment, so that participants will understand how to quantitatively and qualitatively carry out an offensive penetration test or forensic examination of an iOS environment.
CONFidence: http://confidence.org.pl/pl/
Exam Questions1. (Mandatory) Assess the strengths and weaknesse.docx (theodorelove43763)
Exam Questions:
1. (Mandatory) Assess the strengths and weaknesses of Divine Command Theory. Give a strong, well-supported argument in favor of (or opposed to) DCT for ethical decision-making.
2. (Mandatory) Explain the ethical theory of Thomas Hobbes, David Hume, or Immanuel Kant, primarily concerning morality and justice. Include contextual/background factors that shaped the theory. Also, tell why you agree or disagree with it, providing a present-day illustration to support your position.
Choose either 3 or 4:
3. Analyze the strengths and weaknesses of Utilitarianism and Ethical Egoism. Provide an argument in favor of (or opposed to) either Utilitarianism or Ethical Egoism, using an illustration from history or personal experience.
4. Compare and contrast rationalism and empiricism, including one or more key figures representing each perspective. Focus primarily on the impact of these knowledge theories on ethical thinking (Christian or otherwise), both in the liberal arts and Western culture.
Each question must be answered with 250-300 words. Make sure to write as clearly and specifically as possible. Use your own words, include in-text citations, and provide references.
Evolving Leadership roles in HIM1. Increased adoption of hea.docx (theodorelove43763)
Evolving Leadership roles in HIM
1. Increased adoption of health information technology is opening innovative leadership pathways for HIM professionals. Four areas of opportunity based on the HIT roadmap created by the Office of the National Coordinator for Health Information Technology include privacy and security, adoption of information technology, interoperability, and collaborative governance. Choose one of these to explore, listing the challenges and opportunities for HIM professionals.
2. Take one of the challenges you presented and address it by using the 3 I’s Leadership Model for e-HIM that AHIMA adapted.
3. Postulate how earning an AHIMA credential can prepare you for leadership opportunity.
AHIMA. 2016a. e-HIM Overview and Instructions. AHIMA Leadership Model. http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_042565.pdf
AHIMA. 2016b. Why Get Certified. Certification. http://www.ahima.org/certification/whycertify
Zeng, X., Reynolds, R., and Sharp, M. 2009. Redefining the Roles of Health Information Management Professionals in Health Information Technology. Perspectives in Health Information Management. (6). http://perspectives.ahima.org/redefining-the-roles-of-health-information-managementprofessionals-in-health-information-technology/#.VfWxFNJVhBc
Evolution of Terrorism300wrdDo you think terrorism has bee.docx (theodorelove43763)
Evolution of Terrorism
300 words
Do you think terrorism has been on the rise over the past few years?
Why do you think so?
Analyze and explain how contemporary terrorism is different from historical terrorism. Explain this with a focus on how terrorist groups have adapted their methods to take advantage of modern advancements, such as the Internet and modern modes of transportation.
Can you think of any other modern developments that have been utilized by terrorists?
Analyze and explain why people become and remain involved in a terrorist movement.
What do they hope to achieve?
Define terrorism and explain in your own words how it is practiced. Elucidate if you think terrorism is a criminal act or an act of war. Support your answers with appropriate research and reasoning.
Briefly describe a terrorist incident (Orlando, Florida nightclub shooting, June 12, 2016) from the past five years (from anywhere in the world). Describe the act and explain how those responsible for this act were identified. Analyze whether the goal of the terrorist or the terrorist group was achieved.
Evidence-based practice is an approach to health care where health c.docx (theodorelove43763)
Evidence-based practice is an approach to health care where health care professionals use the best evidence possible or the most appropriate information available to make their clinical decisions. Research studies are gathered from the literature and assessed so that decisions about application can be made with as much insight as possible. Not all research can be taken into clinical practice, which is why assessing the literature and determining whether it can be carried out in a safe and effective manner is important. The steps that make up evidence-based practice are: first, ask a question which pertains to your clinical practice; then search for research and literature that will help answer your question. The third step is to evaluate the evidence and determine if it can be used safely and effectively in your clinical practice; then you must apply the information to your clinical experience and your patient’s values. Finally, you must evaluate the outcome and determine if the desired effect is being reached (LoBiondo-Wood, 2014).
The nursing process is drilled into our education as nurses, and with good reason. The nursing process is used countless times throughout our practice. I was taught the acronym ADPIE, which stands for assessment, diagnosis, planning, implementation, and evaluation. When assessing, it is important to gather as much information on the patient as possible, whether it be subjective or objective findings. After that we make a nursing diagnosis based on our assessment, and then we plan how to best care for our patient, and what our goals and their goals are for their care. Once the plan is made and the patient consents to the care plan, we can implement the plan. After we implement, we evaluate whether our goals and the patient’s goals are being reached. If not, we begin the nursing process all over again (LoBiondo-Wood, 2014). In my own practice I use the nursing process on every patient, and even do it multiple times. When a patient enters the emergency room they are immediately assessed, and once the physical and interview assessments are done the nurse creates a nursing diagnosis. The nurse creates a care plan that is based on evidence-based practice and goes over it with the patient to gain consent.
The difference between these two processes is how they begin. The nursing process begins by gathering as much information as possible and then giving a nursing diagnosis, while evidence-based practice begins by posing a question first and then gathering as much information as possible. They do have similarities, especially at the end of the processes: evaluating whether the care plan is working in the nursing process, or whether the research and literature brought out a successful new take on the clinical practice. They both need to make sure the outcomes are as expected, and if they are not, it is back to the beginning of the process.
References
LoBiondo-Wood, G., & Harber, J. (2014). Nursing Research. St.
Evidence-Based EvaluationEvidence-based practice is importan.docxtheodorelove43763
Evidence-Based Evaluation
Evidence-based practice is important in the field of public health. Discuss the connection between evidence-based practice and program evaluation. Using the Capella Library, find two articles using
evidence-based
as key words. Use the two articles you found and discuss evidence-based practices in public health, explaining how the evidence was obtained. Discuss the population that benefited from the program or project mentioned in the articles.
.
Evidence Table
Study Citation
Design
Method
Sample
Data Collection
Data Analysis
Validity
Reliability
TECHEDGE CASE STUDY WRITE-UP - OUTLINE 1
DESIGN AND IMPLEMENTATION OF PERFORMANCE MANAGEMENT SYSTEMS,
KPIs AND RESPONSIBILITY CENTRES
CASE WRITE-UP – OUTLINE
LAURA MATTOS | SHRUTI KODANDARAMU | ASHA BORA
Ottawa University EMBA | Organizational Behavior Theory
TECHEDGE CASE STUDY WRITE-UP - OUTLINE 2
Our consulting team, RAL Consulting, was hired by TechEdge to evaluate its current
organization structure and behavior, identify areas of needed improvement, point out a list of
actionable items for the company to improve its performance and how to implement those. This
case outlines our team’s consulting process to produce a final case write-up.
CASE OUTLINE
1. Introduction (at least 1 but no more than 2 pages)
Overview and history of TechEdge (one or two paragraphs)
TechEdge offered technology consulting service to other business, in a B2B business model.
According to Prabhu & Hedgei, the company structure was divided into sales, consulting,
support and services, back office operations, finance and software. All these departments were
led by vice presidents who reported to the CEO. The VPs assisted the managers, who led their
teams independently in their departments.
TechEdge: Main Organizational Behavior issues (half - 1 page)
The case presented a summarized list of challenges faced by TechEdge. (For next assignment,
List 5 major reasons listed on the case on page 5). Our consulting team identified a few
behaviors that might be driving these 5 major issues. These are:
§ HR v. VP responsibilities
o HRs responsibilities limited to recruiting while VPs were managing, training and
evaluating performance of the employees.
o HR not assisting with people management issues.
§ Team leader v. VP responsibilities
o Team leaders were responsible for team performance, but each team member
reported to their respective VP.
TECHEDGE CASE STUDY WRITE-UP - OUTLINE 3
o Lack of unity and shared objectives
§ Group v. Team structure.
o Different departments working together as temporary teams without a clear
common objective. Each department was more focused on their own tasks.
§ General sense of unaccountability between teams:
o All teams felt they didn’t receive adequate support from the operations
department
o Dissatisfaction from Operations VP: Complaints about overload of work,
dependency on external factors, and not enough time to fulfil other teams’
expectations
o Finance team complained about not having enough funds due to bad performance
of the sales team
§ General feeling that the company was understaffed
§ HR team couldn’t hire the best employees offering low wages
Among all items listed, our consulting team considers the following the m.
Evidence SynthesisCritique the below evidence synthesis ex.docxtheodorelove43763
Evidence Synthesis
Critique the below evidence synthesis exemplar to address the following.
Patient falls with injury and fall prevention remain complex phenomena in the acute care setting as well as a major challenge for healthcare professionals (Gygax Spicer, 2017). Patient falls are considered one of the leading adverse events occurring in acute care settings such as hospitals and nursing homes, with the detrimental impact to the patient ranging from mild to severe bruising, fractures, trauma, and even death (de Medeiros Araújo et al., 2017). Falls are common phenomena in older adults, with roughly one out of three people age 65 years and older who suffers from at least one fall per year due to multiple factors including environmental, social, and physiological factors either alone or in conjunction (Gygax Spicer, 2017). The etiology is that patients are attempting to get out of bed without assistance from nursing staff. Several of the causative factors include illness, impulsiveness, urgency, medications, or being in an unfamiliar environment. Lastly, there has been an increase in the amount of turnover in staffing, thus reducing the amount of available nursing staff in the practice setting.
Does the author clearly identify the scope of the evidence synthesis? Explain your rationale.
Are strong paraphrased sentences included that are supported by contemporary sources of research evidence? Explain your rationale.
Are the facts related to the practice problem presented in an objective manner? Explain your rationale.
Does the author use sources to support ideas and claims, and not the other way around? Explain your rationale.
Based on your appraisal, is this exemplar a true synthesis of the evidence? Or is it a summary of the evidence? Explain your rationale.
Instructions:
Use an
APA 7 style and a minimum of 250 words
. Provide
support from a minimum of at least three (3) scholarly sources.
The scholarly source needs to be: 1) evidence-based, 2) scholarly in nature, 3) Sources should be no more than five years old (
published within the last 5 years), and 4) an in-text citation.
citations and references are included when information is summarized/synthesized and/or direct quotes are used, in which
APA style
standards apply.
• Textbooks are not considered scholarly sources.
• Wikipedia, Wikis, .com website or blogs should not be used.
.
Evidence Collection PolicyScenarioAfter the recent secur.docxtheodorelove43763
Evidence Collection Policy
Scenario
After the recent security breach, Always Fresh decided to form a computer security incident response team (CSIRT). As a security administrator, you have been assigned the responsibility of developing a CSIRT policy that addresses incident evidence collection and handling. The goal is to ensure all evidence collected during investigations is valid and admissible in court.
Consider the following questions for collecting and handling evidence:
1. What are the main concerns when collecting evidence?
2. What precautions are necessary to preserve evidence state?
3. How do you ensure evidence remains in its initial state?
4. What information and procedures are necessary to ensure evidence is admissible in court?
Tasks
Create a policy that ensures all evidence is collected and handled in a secure and efficient manner. Remember, you are writing a policy, not procedures. Focus on the high-level tasks, not the individual steps.
Address the following in your policy:
§ Description of information required for items of evidence
§ Documentation required in addition to item details (personnel, description of circumstances, and so on)
§ Description of measures required to preserve initial evidence integrity
§ Description of measures required to preserve ongoing evidence integrity
§ Controls necessary to maintain evidence integrity in storage
§ Documentation required to demonstrate evidence integrity
Required Resources
§ Internet access
§ Course textbook
Submission Requirements
§ Format: Microsoft Word (or compatible)
§ Font: Times New Roman, size 12, double-space
§ Citation Style: APA
§ Length: 2 to 4 pages
Self-Assessment Checklist
§ I created a policy that addressed all issues.
§ I followed the submission guidelines.
.
Everyone Why would companies have quality programs even though they.docxtheodorelove43763
Everyone: Why would companies have quality programs even though they cost money to implement?
Everyone: Define and explain three of the iPhone features in measurable terms.
Everyone: Referring to the leading causes of death, explain how you would develop an action plan.
#2. Explain how you would measure quality when buying a car wash.
.
Even though technology has shifted HRM to strategic partner, has thi.docxtheodorelove43763
Even though technology has shifted HRM to strategic partner, has this change resulted in HRM losing sight of its role towards employee resource and support? While companies are seeing the value in moving to a technological based business, how might HRM technology impact the "human" side of "human resource"?
.
Even though people are aware that earthquakes and volcanoes typi.docxtheodorelove43763
Even though people are aware that earthquakes and volcanoes typically occur in consistent regions, many make their homes in these locations. Unfortunately, history shows that it is only a matter of time before the next occurrence.
Perform some research on earthquake and volcano incidents that had a negative effect on people in a region. Select a disaster event where, despite the loss of life and property, the residents choose to rebuild rather than abandon the region.
For your initial post:
In your initial post, address the following:
Describe the event you selected, including:
the type and magnitude of the event
where it occurred
when it occurred
the various ways in which people were affected
whether that type of disaster affects the region repeatedly
State your opinion regarding the following questions:
Why do you think people continue to make the known dangerous area their home?
Should governments allow people to live in known risk areas?
Should insurance companies allow claims for damages incurred in known risk areas?
.
Evaluative Essay 2 Grading RubricCriteriaLevels of Achievement.docxtheodorelove43763
Evaluative Essay 2 Grading Rubric
Criteria Levels of Achievement
Content 70% Advanced 90-100% (A) Proficient 70-89% (B-C) Developing 1-69% (< D) Not present
Analysis
30 points 30 to27 points
o Thesis statement provides a clear, strong analysis, responding to the topic prompt.
o Paper demonstrates exceptional critical thinking skills.
o Logical presentation of information, body supports the thesis statement.
26 to 21 points
o Thesis statement is clear but could be stronger.
o Paper demonstrates good critical thinking skills.
o Logical presentation with good connections, but could be stronger.
OR
o Thesis statement does not provide a clear analysis.
o OR Thesis statement is evident but misplaced (located somewhere other than the end of the introduction).
o Evidence of critical thinking skills, but analysis could be stronger or more evident.
o Weak logic, or missing connections.
20 to 1 points
o Missing thesis statement.
o Focus of paper is more informative than analytical, with details focusing on the what rather than the why or how.
0 points
o Does not meet minimum requirements for the assignment.
**See instructor feedback for specifics.
Support
30 points 30 to 27 points
o Draws from assigned sources for supporting details.
o Provides specific, detailed support.
o Clear connections are made throughout the writing to show how supporting documents prove the main argument.
o No outside sources were consulted or used.
26 to 21 points
o Draws from assigned sources for supporting details, but support could be more specific.
o Connections are made between supporting details and main argument, but these could be more clear.
OR
o Supporting details are provided but connections are largely missing between the supporting details and the main argument.
20 to 1 points
o To include any of the following:
o Supporting details drawn primarily from textbook/lectures, instead of assigned sources.
o OR
o Supporting details merely informative and do not show clear connection to the thesis.
o OR
o Outside sources used in support.
0 points
o Does not meet minimum requirements for the assignment.
**See instructor feedback for specifics.
Biblical Evaluation
10 points 10 to 9 points
o Clear, Biblical evaluation provided, drawing from specific Scripture for support.
8 to 7 points
o Biblical evaluation is evident, and some use of Scripture is given for support.
OR
o Attempt at Biblical evaluation is provided, but support could be stronger.
6 to 1 points
o Christian worldview is evident in the writing, and some examples or details may be given, but a specific Biblical evaluation is not evident/clear.
o No Scriptural support
o OR
o Scripture included but connections to evaluation are not evident.
o 0 points
o Does not meet minimum requirements for the assignment.
**See instructor feedback for specifics.
Structure 30% Advanced 90-100% (A) Proficient 70-89% (B-C) Developing 1-69% (< D) Not present
.
Evaluation Title Research DesignFor this first assignment, .docxtheodorelove43763
Evaluation Title: Research Design
For this first assignment, you will analyze different types of research. To begin, please read and view the following materials:
Rice University. (2017).
2.2 Approaches to research (Links to an external site.)Links to an external site.
. in,
Psychology
. OpenStax. [Electronic version]
University of Minnesota Libraries Publishing. (2010).
2.2 Psychologists use descriptive, correlational, and experimental research designs to understand behavior (Links to an external site.)Links to an external site.
. In Introduction to Psychology. [Electronic version]
Select one research design from column A
and
column B.
Describe the design.
Discuss the strengths and weaknesses of the design.
Give an example of a study completed using this design.
This information is all available in the Unit 1 Learning Content. There are also resources available online to further your understanding.
Your assignment should be typed into a Word or other word processing document, formatted in APA style. The assignment must include:
Running head
A title page with Assignment name
Your name
Professor’s name
Course
.
Evaluation is the set of processes and methods that managers and sta.docxtheodorelove43763
Evaluation is the set of processes and methods that managers and stakeholders use to determine whether the program is successful. Success is determined by multiple parameters such as financial viability of the program as well as the administrative and clinical impact of the program on the community’s or organization’s mission. Today’s programs are also expected to proactively address healthcare disparities and inequities in all levels of communities and demonstrate measureable reductions in inequities in diverse patient/client populations.
For this milestone, you will create an evaluation plan that will include the financial aspects of your proposed program as well as your evaluation methods. In your submission, be sure to include the following:
Proposed Program :to establish a department in IGM to facilitate holistic care of pediatric patients. This holistic care will require patients to be monitored before, during, and after a clinical procedure. The program will be flexible to ensure that each patient receives customized care at a subsidized fee.
Financial Aspects
o What specific resources would you suggest for use in your program? For example, what staffing and equipment suggestions would you make?
Be sure to explain your rationale.
o What is the impact on the community’s or organization’s current budget? In other words, will the program fit into the existing budget, or willconcessions need to be made?
o What recommendations would you make for ensuring the program is financially sustainable? Are there measurable expense reductions for the community/organization that cover the costs of the program? Does the program create new sources of revenue for the community or organization to offset the costs of the program?
Evaluation
o What will you measure (such as benchmarks, patient outcomes, or other measurable data) in order to evaluate the effectiveness of the program implementation? Focus on both administrative and clinical measures. Include multiple levels of measurement, including the patients/clients served, populations of patients/clients served, and community environmental measures.
o What tools will you use to measure the effect of your program on reducing the incidence of healthcare disparities?
o How will these evaluation tools tell you whether the program is successful?
o To what extent will the program help ensure healthcare equity across diverse populations? Be sure to justify your reasoning.
Guidelines for Submission: Your paper for this milestone must be submitted as a 2- to 3-page Microsoft Word document with double spacing, 12-point Times New Roman font, one-inch margins, and proper APA formatting. Include at least three peer-reviewed, scholarly resources.
.
Evaluation Plan with Policy RecommendationAfter a program ha.docxtheodorelove43763
Evaluation Plan with Policy Recommendation
After a program has been created, it must be evaluated in order to determine its success. For this assignment, complete the following:
Incorporate the changes to address the feedback received.
Use the feedback from your instructor to address pertinent sections for errors or insufficiencies. Implementing this feedback will help you draft this assignment and your course project.
Discuss the program to be introduced to the selected population to address the specific public health problem or issue.
Assess population needs, assets, and capacities that affect communities' health through epidemiological records and literature reviews. Explain activities and resources to be introduced and used for this program to change behaviors and health outcomes and why they are selected.
Describe the projected goals for the program.
Based on past studies and available data, analyze the projected expected effects of the program.
Identify the engaged stakeholders.
Describe those involved, those affected, and the primary intended users.
Gather credible evidence to substantiate the need for the program.
Identify past programs similar to the proposed program and the outcomes for those past programs.
Explain past study results and epidemiological data for similar programs implemented.
Justify conclusions on the past programs and provide lessons learned for implementing this program.
Analyze how data will be collected from program participants and other relevant stakeholders to determine program effectiveness.
Identify what instruments will be used to collect data, such as surveys, focus group interviews, or key informant interviews.
Determine who will analyze the data and how the data will be analyzed.
Propose policy recommendations.
Evaluate policies for their impact on public health and health equity. Discuss multiple dimensions of the policy-making process, including the roles of ethics and evidence.
Discuss dissemination and communication suggestions for the evaluation results both in writing and through oral presentation.
Explain how the results will be shared with key stakeholders and the community.
Identify how the results will inform future programs and how they can improve health outcomes.
View the scoring guide to ensure you fulfill all grading criteria.
Additional Requirements
Length:
A minimum of 10–12 double-spaced pages, not including title and reference pages.
Font:
Arial, 12 point.
References:
Cite at least eight references from peer-reviewed journals.
Format:
Use current APA style and formatting.
Resources
Evaluation Plan with Policy Recommendation Scoring Guide
.
APA Style Paper Tutorial [DOCX]
.
APA Style Paper Template [DOCX]
.
Capella Writing Center
.
Public Health Intervention Plan.
Capella University Library.
State Policy Guide: Using Research in Public Health Policymaking
.
Public Health Masters Research Guide
.
Pub.
Evaluate the history of the Data Encryption Standard (DES) and then .docxtheodorelove43763
Evaluate the history of the Data Encryption Standard (DES) and then how it has transformed cryptography with the advancement of triple DES. You are also required to post a response to a minimum of two other student in the class by the end of the week. You must use at least one scholarly resource. Every discussion posting must be properly APA formatted.
.
Evaluate the Health History and Medical Information for Mrs. J.,.docxtheodorelove43763
Evaluate the Health History and Medical Information for Mrs. J., presented below.
Based on this information, formulate a conclusion based on your evaluation, and complete the Critical Thinking Essay assignment, as instructed below.
Health History and Medical Information
Health History
Mrs. J. is a 63-year-old married woman who has a history of hypertension, chronic heart failure, and chronic obstructive pulmonary disease (COPD). Despite requiring 2L of oxygen/nasal cannula at home during activity, she continues to smoke two packs of cigarettes a day and has done so for 40 years. Three days ago, she had sudden onset of flu-like symptoms including fever, productive cough, nausea, and malaise. Over the past 3 days, she has been unable to perform ADLs and has required assistance in walking short distances. She has not taken her antihypertensive medications or medications to control her heart failure for 3 days. Today, she has been admitted to the hospital ICU with acute decompensated heart failure and acute exacerbation of COPD.
Subjective Data
1. Is very anxious and asks whether she is going to die.
2. Denies pain but says she feels like she cannot get enough air.
3. Says her heart feels like it is "running away."
4. Reports that she is exhausted and cannot eat or drink by herself.
Objective Data
1. Height 175 cm; Weight 95.5kg.
2. Vital signs: T 37.6C, HR 118 and irregular, RR 34, BP 90/58.
3. Cardiovascular: Distant S1, S2, S3 present; PMI at sixth ICS and faint: all peripheral pulses are 1+; bilateral jugular vein distention; initial cardiac monitoring indicates a ventricular rate of 132 and atrial fibrillation.
4. Respiratory: Pulmonary crackles; decreased breath sounds right lower lobe; coughing frothy blood-tinged sputum; SpO2 82%.
5. Gastrointestinal: BS present: hepatomegaly 4cm below costal margin.
Intervention
The following medications administered through drug therapy control her symptoms:
1. IV furosemide (Lasix)
2. Enalapril (Vasotec)
3. Metoprolol (Lopressor)
4. IV morphine sulphate (Morphine)
5. Inhaled short-acting bronchodilator (ProAir HFA)
6. Inhaled corticosteroid (Flovent HFA)
7. Oxygen delivered at 2L/ NC
Critical Thinking Essay
In 750-1,000 words, critically evaluate Mrs. J.'s situation. Include the following:
1. Describe the clinical manifestations present in Mrs. J.
2. Discuss whether the nursing interventions at the time of her admissions were appropriate for Mrs. J. and explain the rationale for each of the medications listed.
3. Describe four cardiovascular conditions that may lead to heart failure and what can be done in the form of medical/nursing interventions to prevent the development of heart failure in each condition.
4. Taking into consideration the fact that most mature adults take at least six prescription medications, discuss four nursing interventions that can help prevent problems caused by multiple drug interactions in older patients. Provide a rationale for each of the inte.
Evaluate the environmental factors that contribute to corporate mana.docxtheodorelove43763
Evaluate the environmental factors that contribute to corporate management’s need to manage corporate earnings to align with market expectations, indicating the potential long-term risks to financial performance and sustainability. Why are these factors important in evaluating the financial performance of an organization?
Please provide one citation or reference for your initial posting that is not your textbook.
.
Biological screening of herbal drugs: Introduction and Need for
Phyto-Pharmacological Screening, New Strategies for evaluating
Natural Products, In vitro evaluation techniques for Antioxidants, Antimicrobial and Anticancer drugs. In vivo evaluation techniques
for Anti-inflammatory, Antiulcer, Anticancer, Wound healing, Antidiabetic, Hepatoprotective, Cardio protective, Diuretics and
Antifertility, Toxicity studies as per OECD guidelines
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...Levi Shapiro
Letter from the Congress of the United States regarding Anti-Semitism sent June 3rd to MIT President Sally Kornbluth, MIT Corp Chair, Mark Gorenberg
Dear Dr. Kornbluth and Mr. Gorenberg,
The US House of Representatives is deeply concerned by ongoing and pervasive acts of antisemitic
harassment and intimidation at the Massachusetts Institute of Technology (MIT). Failing to act decisively to ensure a safe learning environment for all students would be a grave dereliction of your responsibilities as President of MIT and Chair of the MIT Corporation.
This Congress will not stand idly by and allow an environment hostile to Jewish students to persist. The House believes that your institution is in violation of Title VI of the Civil Rights Act, and the inability or
unwillingness to rectify this violation through action requires accountability.
Postsecondary education is a unique opportunity for students to learn and have their ideas and beliefs challenged. However, universities receiving hundreds of millions of federal funds annually have denied
students that opportunity and have been hijacked to become venues for the promotion of terrorism, antisemitic harassment and intimidation, unlawful encampments, and in some cases, assaults and riots.
The House of Representatives will not countenance the use of federal funds to indoctrinate students into hateful, antisemitic, anti-American supporters of terrorism. Investigations into campus antisemitism by the Committee on Education and the Workforce and the Committee on Ways and Means have been expanded into a Congress-wide probe across all relevant jurisdictions to address this national crisis. The undersigned Committees will conduct oversight into the use of federal funds at MIT and its learning environment under authorities granted to each Committee.
• The Committee on Education and the Workforce has been investigating your institution since December 7, 2023. The Committee has broad jurisdiction over postsecondary education, including its compliance with Title VI of the Civil Rights Act, campus safety concerns over disruptions to the learning environment, and the awarding of federal student aid under the Higher Education Act.
• The Committee on Oversight and Accountability is investigating the sources of funding and other support flowing to groups espousing pro-Hamas propaganda and engaged in antisemitic harassment and intimidation of students. The Committee on Oversight and Accountability is the principal oversight committee of the US House of Representatives and has broad authority to investigate “any matter” at “any time” under House Rule X.
• The Committee on Ways and Means has been investigating several universities since November 15, 2023, when the Committee held a hearing entitled From Ivory Towers to Dark Corners: Investigating the Nexus Between Antisemitism, Tax-Exempt Universities, and Terror Financing. The Committee followed the hearing with letters to those institutions on January 10, 202
Normal Labour/ Stages of Labour/ Mechanism of LabourWasim Ak
Normal labor is also termed spontaneous labor, defined as the natural physiological process through which the fetus, placenta, and membranes are expelled from the uterus through the birth canal at term (37 to 42 weeks
Read| The latest issue of The Challenger is here! We are thrilled to announce that our school paper has qualified for the NATIONAL SCHOOLS PRESS CONFERENCE (NSPC) 2024. Thank you for your unwavering support and trust. Dive into the stories that made us stand out!
Acetabularia Information For Class 9 .docxvaibhavrinwa19
Acetabularia acetabulum is a single-celled green alga that in its vegetative state is morphologically differentiated into a basal rhizoid and an axially elongated stalk, which bears whorls of branching hairs. The single diploid nucleus resides in the rhizoid.
Francesca Gottschalk - How can education support child empowerment.pptxEduSkills OECD
Francesca Gottschalk from the OECD’s Centre for Educational Research and Innovation presents at the Ask an Expert Webinar: How can education support child empowerment?
Executive Directors Chat Leveraging AI for Diversity, Equity, and InclusionTechSoup
Let’s explore the intersection of technology and equity in the final session of our DEI series. Discover how AI tools, like ChatGPT, can be used to support and enhance your nonprofit's DEI initiatives. Participants will gain insights into practical AI applications and get tips for leveraging technology to advance their DEI goals.
Executive Directors Chat Leveraging AI for Diversity, Equity, and Inclusion
Measure’ (ETM) within the meaning of Section 296ZA of the
Copyright, Designs and Patents Act 1988 (as amended), which
makes it a criminal offence to sell such devices. This was not
clear-cut, since the modchips did not enable the production of
a physical copy of a console game from its original protected
optical disc onto another permanent storage medium.
However, the Crown argued at the original trial that the
modchip caused an infringing copy to be made in the
console’s RAM since it permitted the execution of a program
.uk (J.R. Rabaiotti), c.j.har
technical information ab
d is included in this pape
er Ltd. All rights reserved
4. from executing by the ETM. This point was disputed by the
appellant, and so the court asked for expert evidence, specif-
ically concerning the proportion of the contents of a game disc
that would typically be copied into RAM during the execution
of a game.
In many cases of this nature, the easiest option is to ask the
manufacturers for assistance. However, in this case the
console manufacturers were already acting as expert
witnesses for the respondent, so independent research was
desirable.1 It was therefore necessary to rely on public domain
information and original research.
This paper outlines the research conducted to determine
the amount of data present in memory and focuses on the
challenge of obtaining a memory image from one of the
consoles. This is relatively trivial on a standard PC using one of
many memory imaging techniques, but is very difficult on
a ‘closed system’ such as a games console. This difficulty is
not necessarily restricted to games consoles, and embedded
systems generally present a number of unique challenges for
memory imaging. Firstly, the manufacturers of the embedded
device may allow only pre-authorised and digitally signed
programs to run, which may not include imaging tools.
Secondly, the operating systems of embedded devices may
not include the sort of features which make software-based
memory imaging possible on desktop operating systems.
Thirdly, embedded systems are far less standard in design
than desktop computers, and may have no standardised or
easily-accessible interfaces to allow hardware memory
imaging tools to be attached.
1 Microsoft did eventually supply some technical information about the Xbox, but only after the research described here was completed. None of the information provided is included in this paper.
Of the three consoles in question, the Xbox is the most
appropriate to examine for research purposes due to the
abundance of public domain information on the console. This
is largely as a result of the development of third-party
operating systems for the console (Steil et al., 2006). While this
paper focuses on the original Xbox, which is now obsolete,
similar techniques to the ones described in this paper are
almost certainly applicable to the other consoles in the case,
to current-generation games consoles such as the Xbox 360
and the Nintendo Wii, and to other embedded devices
(this point is expanded on in Section 6.2).
This paper describes the acquisition of a memory image
from an Xbox console through the exploitation of a buffer
overflow vulnerability in a game; this allows arbitrary code to
be executed – in this case, custom memory acquisition code.
The paper includes the technical details of this approach as
well as a discussion of its advantages and disadvantages. The
general principle of using exploits to allow the acquisition of
data may be useful on any system which has an
authentication mechanism to prevent non-manufacturer-approved
programs from being executed. As is shown in this research, if
an exploitable vulnerability is discovered within a pre-
approved program then the device’s code authentication
mechanism does not need to be subverted. This is because
code may simply be injected into the vulnerable program
while it is running, after it has already been authenticated.
This paper is organised as follows: firstly background
information is provided about the Xbox, including details of its
code authentication mechanisms. This is followed by
a discussion of related work, including forensic analyses of
Xbox consoles, existing software and hardware memory
acquisition techniques and the reasons why they are not
appropriate in this case. The methodology for the exploit
based approach is then detailed followed by the results.
Finally the results are evaluated and the advantages and
disadvantages discussed, together with potential future work.
2. Background
2.1. Terminology
The term ‘exploit’ is used in this paper to denote a method for
using a hardware or software security vulnerability to execute
arbitrary code. Exploits are often used for illicit purposes such
as hacking, spreading malware, or running illegally-copied
software on a games console. On embedded systems exploits
are typically used to circumvent manufacturer-imposed
restrictions. For example, the ‘jailbreaking’ of Apple iPhones
allows unapproved applications to run, since applications for
standard iPhones must be approved and digitally signed by
Apple and downloaded via the official App Store. For further
information on jailbreaking see http://blog.iphone-dev.org/.
Such circumvention is discussed as a possible data acquisition
technique for iPhones in Kubasiak and Morrissey (2009).
2.2. The Xbox
The Xbox was a games console produced by Microsoft and
sold between 2001 and 2006, when it was supplanted by the
Xbox 360. It used an Intel Celeron 733 MHz processor and had
64 MB of RAM. Games were distributed on optical discs
(the format was a variant of DVD9), but the console also
possessed an 8 GB internal hard drive. Since the Xbox shared
many architectural similarities with a standard Intel-based
PC, groups of hackers quickly took an interest in it, and soon
organised themselves as the Xbox Linux Project (Steil et al.,
2006) to produce a version of Linux for the Xbox. In order to
do this, the various systems for stopping unapproved
programs had to be circumvented. These security systems are
fully described in Huang (2003) and Steil (2005), but a brief
outline is now presented.
When the console is switched on, a checksum is used to
verify the integrity of the firmware. The firmware contains the
Xbox Kernel in compressed form, and if the verification is
successful, this is decompressed to RAM and begins to
execute. The kernel determines if a genuine game disc is
present in the optical drive, and if so, loads the game program
which then executes. If no game disc is present, a program
called the Dashboard is loaded from the hard drive.
Game programs and the Dashboard are Xbox executables
(XBEs), which have the file extension ‘.xbe’ and are similar in
structure to Win32 Portable Executable ‘.exe’ files. One of the
differences is that Xbox executables have anti-modification
features. When an XBE file is created, it is signed using a digital
signature algorithm based on SHA-1 and 2048-bit RSA
(see Robinson, 2005 for the location of the digital signature in
the XBE file header). One half of the RSA key pair is retained by
Microsoft, and the other half is embedded in every Xbox
kernel. When the Xbox kernel loads an XBE file, it verifies the
digital signature and allows the XBE program to run only if the
signature is correct. Since it is impossible to modify the XBE
file without altering the digital signature, the result is that
only Microsoft-approved programs are allowed to run on an
unmodified console.
XBE programs, when executing, run at the same privilege
level as the kernel code, and only one program may execute at
a time. The program and the kernel share the same ‘virtual
address space’ and as on a standard x86 PC, paging is used to
translate between virtual and physical addresses, but the
Xbox does not use disk-based virtual memory and hence there
is no pagefile on the hard drive. Therefore, the ‘memory’ of the
Xbox can refer to either the contents of the physical RAM, or to
the virtual address space. The Xbox kernel, which is mapped
to virtual address 0x80010000 (corresponding to physical
address 0x10000), provides around 360 low-level Application
Programming Interface (API) functions, many of which are
very similar to the Win32 kernel API. Game programs do not
usually call these functions directly; instead, they call
functions in a set of libraries which are statically linked into the
XBE file, and the library functions in turn call the low-level
kernel functions. The use of statically-linked libraries has the
side-effect that all programs built with the official Xbox
Software Development Kit (SDK) contain Microsoft-copyrighted
library code; this is the reason that third-party programs built
with the official Xbox SDK cannot easily be redistributed.
The security mechanisms protecting the boot process were
initially compromised when the contents of the hidden boot
ROM were captured by monitoring the bus which they travelled
over to reach the processor (Huang, 2003). Subsequently
a number of other weaknesses were found. Since then
a variety of different sorts of modchip have been developed, as
has an entire third-party replacement firmware known as
Cromwell. Exploitable vulnerabilities in games have also been
discovered, which allow third-party code to run without the
need for any hardware modifications and are therefore known
as ‘softmods’. One of the most significant vulnerabilities can
be found in the 2002 Microsoft Game Studios title ‘MechAssault’,
and this is described in detail in Section 4.4.
2 http://www.hex-rays.com/idapro/.
3. Related work
Previous forensic work on the Xbox games console such as
Vaughan (2004), Burke and Craiger (2006), and Collins (2007),
has concentrated largely on the challenges associated with the
imaging and analysis of the hard drive, which in this research is
not relevant since only data in memory is of interest.
Publications on forensic memory imaging concentrate on
desktop PCs rather than embedded systems and they can be
discussed in terms of software and hardware approaches. One
software approach is to use a debugger to view memory
contents during the execution of a specific program.
Alternatively, on most desktop operating systems the full memory of
the system is exposed as a manipulable device (e.g. /dev/mem
in Linux or \Device\PhysicalMemory in Windows) which is
accessible using standard API functions. Due to these simple
means of accessing memory, anyone with the necessary skills
and a suitable compiler can write their own memory
acquisition software. As a result, software memory imagers for
most desktop systems are widely available.
However, in order to write a program that will run on
a games console it is usually necessary to have the official
SDK, which is normally sold only to established games
programming companies. Also, the digital signatures used on
development consoles normally differ from those used in
retail ones, meaning that games in development must be
re-signed before they will run on a normal console. This
makes deploying memory acquisition software for a games
console a significant challenge.
A number of hardware imaging techniques exist for
desktop PCs. For instance, Carrier and Grand (2004) shows
how a dedicated PCI card may be constructed for the purpose.
However, the Xbox does not have an accessible PCI bus and
this is therefore not of use. There is a Low Pin Count (LPC –
see Intel, 2002) bus which might be used instead, but given that
detailed information about this aspect of the Xbox hardware is
unavailable, excessive amounts of time would be required to
determine the viability of this approach. Another approach
described in Boileau (2006) uses the IEEE-1394 “FireWire” bus
to gain access to physical memory. However, this approach is
limited even on desktop PCs as it requires IEEE-1394 ports to be
present, and these are not ubiquitous. There is no IEEE-1394
port on the Xbox. “Cold Boot” methods as described in
Halderman et al. (2008) are theoretically possible, but are
hampered by the difficulty of removing the soldered-down
Xbox RAM chips and the previously-enumerated difficulties of
running imaging software on the console itself.
The ultimate hardware approach would be to use a logic
analyser, or the sort of custom FPGA-based solution used for
bus monitoring in Huang (2003). This would allow monitoring
of the address and data pins of the RAM chips, allowing all the
data read from and written to each chip to be logged. However,
this approach is hampered by two complicating factors. Firstly,
the number of IO lines on Xbox RAM chips, and the speed at
which it would be necessary to sample them, exceeds the
capabilities of reasonably-priced logic analysers and would
have required expensive or custom-built equipment. Secondly,
an enormous amount of sampled data would be generated and
in order to produce a memory image it would need to be
processed extensively. This would involve converting logs of
data transferred in and out of memory into a complete memory
image for a particular point in time. For these reasons, and
given the various time and monetary constraints, this
hardware approach is not suitable in this case.
4. Methodology
As a result of the limitations of each of the approaches
described in the previous section, the development of an
original technique is necessary. This section describes the use
of an exploit that uses a buffer overflow in MechAssault’s
savegame file handling code in order to execute custom code that
allows access to the memory of the console. It is not known for
certain who originally discovered this vulnerability, but
a presentation given in 2003 by the Xbox Linux Project at the
20th Chaos Communications Congress (Steil et al., 2003) credits
the discovery to Jeff Mears and also describes similar
vulnerabilities in other games and in the Xbox dashboard program.
This section is structured as follows: first the tools used
during this research are briefly described. This is followed by
a description of the initial work that was performed using the
pre-packaged Linux distribution which is part of the
MechInstaller package from the Xbox Linux project.
The limitations of this approach are outlined, followed by the
details of reverse engineering a similar exploit to allow
custom code to be executed. Finally the development of the
bespoke code to perform the acquisition of memory is
described.
4.1. Tools
Software tools used throughout the research include the
debugger/disassembler IDA Pro,2 which is used for all
executable file analysis, along with a hex editor. To discover
exactly how the MechAssault vulnerability is exploited,
a pre-existing exploited savegame file taken from the
‘Krayzie Ndure Installer’ (Xbox-Scene News, 2006) is
analysed. From this, a new exploit is developed and the open
source assembler NASM3 is used for its assembly. The open
source Xbox development kit OpenXDK4 is used to write the
XBE that is used to dump the Xbox kernel; and the Xbox
Linux utility ‘xbedump’5 is used to sign the XBE file allowing
the kernel dump tool to run (the kernel is dumped to allow
analysis of the functions relating to the savegame signature
process).
4.2. Dumping from within Xbox Linux
The first memory imaging method uses the packaged
“MechInstaller” exploit provided by the Xbox Linux Project
(Steil et al., 2007) to load a basic Linux kernel called
‘Emergency Linux’, which provides a variety of standard Linux tools,
including dd, which may be used to dump memory contents
from the /dev/mem device in the usual fashion. However, the
output image file from dd needs to be stored somewhere.
Obviously the memory image could be written to a file on the
Xbox hard drive, but due to the security mechanisms in place,
the Xbox hard disk is difficult to access from other systems,
i.e. to connect to a PC in order to retrieve the data. Instead the
output of dd is piped into netcat, which sends the data across
the network to a remote machine, which has another running
instance of netcat listening on a specific port, redirecting
received data into a file.
Initial images produced in this way are unsatisfactory
because the process of loading even this minimal version of
Linux overwrites significant portions of the Xbox RAM. The
resulting image file thus contains a jumbled mixture of data
originating from Emergency Linux – such as kernel error
message strings, ROMFS6 filesystem tables, and the boot
messages displayed when Linux loads – and data left over
from the game, such as strings referring to texture and sound
files and portions of the game’s executable header. Aside from
such obvious examples, determining which data definitely
originated from Emergency Linux (and hence the memory
footprint of Emergency Linux) is extremely difficult.
Table 1 – Hex dump from a standard MechAssault
savegame file. The file size is stored as 84 18 00 00 and the
digital signature begins 15 41 E1 8C.
4.3. The Krayzie Ndure Installer
While the MechInstaller exploit is heavily obfuscated, other
similar exploits are available that take advantage of the
MechAssault vulnerability. One such exploit is included in the
Ndure Installer from Krayzie (Xbox-Scene News, 2006) which
is a multi-function toolkit which can be used to install
replacement firmware, replacement dashboards, and much
else. One of the methods by which the Ndure Installer may be
loaded is via a MechAssault exploit. This exploit loads and
executes any XBE file placed in a specific location, and thus
may be separated from the Ndure Installer and used on its
own to load an arbitrary XBE file. Therefore, if a memory
imaging tool is created as an XBE program, it would be
possible to use this exploit to run the tool. However, this
approach has the limitation that, as discussed in Section 2.2,
the Xbox can run only one process at a time and launching
a new process makes significant changes to the contents of
memory. This is therefore unsuitable.
3 http://www.nasm.us/.
4 http://openxdk.maturion.de/.
5 http://xbox.cvs.sourceforge.net/viewvc/xbox-linux/xbedump/.
6 ROMFS is a minimal read-only filesystem designed for Linux
boot disks and firmware.
4.4. The MechAssault vulnerability
Although the exploit from the Ndure Installer is not ideal for
memory imaging, unlike the MechInstaller exploit it is not
heavily obfuscated. It can thus be examined and used to
determine the nature of the vulnerability in MechAssault and
how it is exploited.
MechAssault stores user-specific settings, including
saved games, in files on the Xbox hard disk. Savegame files
are located on the Xbox hard drive partition ‘E’. The direc-
tory structure on the E partition is standardised (which
allows the dashboard to manipulate saves for multiple
games), and the Microsoft libraries provide a number of
functions for managing saved games and saving game data
to a file. However, the name and contents of the savegame
data files themselves are game-specific. MechAssault
savegame files are always called ‘MASave.sav’ and are 6276
bytes in length. The pertinent features of the MechAssault
savegame file are described below and a typical example is
given in Table 1.
The beginning of a MechAssault savegame file consists of
a 24-byte header, comprising a 4-byte little-endian integer
representing the file size (84 18 00 00 = 0x1884 = 6276). This
is followed by a 20-byte HMAC-SHA-1 digital signature of the
savegame file. Both of these features may be seen in Table 1.
The remainder of the file consists of the actual savegame
data; however, it is not necessary to understand the
complete savegame file format in order to understand the
exploit. The savegame file shown in Table 1 is created when
MechAssault is first loaded on an Xbox console, and at first is
empty apart from a single entry (‘StartCampaign’). As
gameplay progresses, more entries are made in the file, the
relevant entries consisting of a fixed record structure, defined
as follows:
struct SAVEGAME_RECORD{
char record_descriptor[64];
char filename[132];
};
The records specify either the names of levels and a file
associated with the level, or the names of movies which
represent the ‘cut scenes’ between each level. Two examples
of movie file records are visible in Table 2.
The movie clip shown at the beginning of the game is
called “BEGINMOVIE” and the associated movie filename is
“OpeningCinema.mgv”. As gameplay progresses, further
movie sections appear in the savegame file. These filenames
are loaded by MechAssault when the saved game is accessed,
but apparently no length checking is performed on the movie
filename strings. This means that strings longer than
132 bytes are still loaded into memory and will overflow the
buffer allocated for the filename. It is therefore possible to
manipulate the string length such that a particular part of
memory is overwritten by data from the savegame file. In this
case, the return address of the currently executing function is
overwritten by data representing an address of the attacker’s
choice (here, the address 0x386448). Table 3, taken from an
exploit savegame file, shows how this is done (note the long
string of 0xFF bytes terminated by the address in little-endian
format). For a full explanation of how buffer overflows may be
used to execute arbitrary code, see AlephOne (1996), which is
the definitive reference on the subject.
In Table 3 it can be seen that the position corresponding to
the movie filename is filled with 140 0xFF bytes. If the
assumption is correct that a properly-formatted record
contains a movie filename of maximum length 132 bytes,
there are 12 extra bytes here (8 of 0xFF, plus the data which
ends up on the stack, overwriting the return address of the
executing function). This data, which contains a memory
address, is always 0x386448. The address refers to the location
in memory where the savegame data is always copied,
specifically the position in memory where the data stored at
offset 0x200 in the savegame file is copied. This can be seen at
the end of Table 3 (“E8 00 00 00 00 5D”). This instruction
sequence is known as ‘call-to-pop’ and is a common trick for
getting the address of the current instruction. 0x5D is the
machine code for ‘POP EBP’ which is why, in the code shown in
Section 4.6, memory addresses are calculated relative to the
value in the EBP register. The effect of loading a savegame
constructed in this way is that the code at offset 0x200 in the
savegame file is copied to memory and starts getting
executed; the execution path of the MechAssault program is
thus subverted. Therefore, whatever code is inserted at offset
0x200 in a similarly-crafted savegame file will be executed
when the savegame is loaded.
Table 2 – Two movie description sections from
a savegame created at a more advanced stage.
4.5. Creating a valid savegame file
While it is possible to construct a savegame file to exploit
the vulnerability and execute arbitrary code, in order for the
MechAssault game to successfully load a savegame file, the
savegame file must have a valid digital signature, as seen in
Table 1. If the signature is invalid, MechAssault will present an
error message instead of loading the savegame file. The
signature is calculated using a keyed-hash message
authentication code (HMAC), which involves taking an SHA-1 hash of
the savegame data and combining it with a key (see Krawczyk
et al., 1997 for details of HMAC). The key is 16 bytes in length
and is generated by the Xbox kernel when the XBE file is
loaded by similarly combining a ‘Title Key’ in the XBE header
with another key from the kernel. In order to sign arbitrary
savegame files, through examination of the MechAssault XBE
program binary and disassembly of the signature functions, it
is relatively straightforward to re-implement these functions
in C and thus create a program that allows arbitrary savegame
files to be signed. With the exploit reverse engineered so that
arbitrary code could be executed and a means to digitally sign
the savegame files, the next stage is to write code that will
acquire the memory of the Xbox.
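As an added illustration of the savegame layout and signature check described in Sections 4.4 and 4.5 (this is not code from the paper or from the Xbox Linux project), the following Python checker parses a MechAssault-style file: a little-endian size field, a 20-byte HMAC-SHA-1, and 196-byte records. It assumes that records start immediately after the 24-byte header, that the MAC covers everything after the header, and it uses a constructed 16-byte key in place of the kernel-derived one; the real Title Key derivation is not reproduced. Beyond verifying the signature, it flags any filename field with no NUL terminator within 132 bytes, which is the condition the overflow relies on, so that a signed-but-crafted savegame is still reported.

```python
"""Constructed example: sanity checks for a MechAssault-style MASave.sav file."""
import hashlib
import hmac
import struct

SAVE_SIZE = 6276              # MASave.sav is always 6276 (0x1884) bytes
HEADER_LEN = 24               # uint32 LE file size + 20-byte HMAC-SHA-1
DESC_LEN = 64                 # SAVEGAME_RECORD.record_descriptor
NAME_LEN = 132                # SAVEGAME_RECORD.filename
RECORD_LEN = DESC_LEN + NAME_LEN
RECORDS_OFFSET = HEADER_LEN   # assumption: records follow the header directly

# Constructed stand-in for the 16-byte key the kernel derives from the Title Key.
DEMO_KEY = bytes(range(16))


def sign_body(body: bytes, key: bytes = DEMO_KEY) -> bytes:
    """HMAC-SHA-1 over the data after the header (assumed MAC coverage)."""
    return hmac.new(key, body, hashlib.sha1).digest()


def build_savegame(records, key: bytes = DEMO_KEY) -> bytes:
    """Pack (descriptor, filename) pairs into a correctly sized, signed file."""
    body = bytearray(SAVE_SIZE - HEADER_LEN)
    for i, (desc, name) in enumerate(records):
        d, n = desc.encode(), name.encode()
        if len(d) >= DESC_LEN or len(n) >= NAME_LEN:
            raise ValueError("field too long for its fixed-size buffer")
        off = RECORDS_OFFSET - HEADER_LEN + i * RECORD_LEN
        body[off:off + DESC_LEN] = d.ljust(DESC_LEN, b"\0")
        body[off + DESC_LEN:off + RECORD_LEN] = n.ljust(NAME_LEN, b"\0")
    return struct.pack("<I", SAVE_SIZE) + sign_body(bytes(body), key) + bytes(body)


def resign(blob: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Recompute the header MAC for a modified file (what a signing tool does)."""
    return blob[:4] + sign_body(blob[HEADER_LEN:], key) + blob[HEADER_LEN:]


def check_savegame(blob: bytes, key: bytes = DEMO_KEY) -> dict:
    """Return the findings a forensic reviewer would want from a savegame."""
    findings = []
    if len(blob) < HEADER_LEN:
        return {"records": 0, "findings": ["truncated header"]}
    (declared,) = struct.unpack_from("<I", blob, 0)
    if declared != len(blob):
        findings.append(f"size field {declared:#x} != actual length {len(blob):#x}")
    if not hmac.compare_digest(blob[4:HEADER_LEN], sign_body(blob[HEADER_LEN:], key)):
        findings.append("HMAC-SHA-1 mismatch: modified after signing or other key")
    count, off = 0, RECORDS_OFFSET
    while off + RECORD_LEN <= len(blob):
        desc = blob[off:off + DESC_LEN]
        name = blob[off + DESC_LEN:off + RECORD_LEN]
        if desc[0] == 0:                      # empty descriptor: end of records
            break
        if b"\0" not in desc:
            findings.append(f"record {count}: descriptor not NUL-terminated")
        if b"\0" not in name:
            findings.append(f"record {count}: filename has no NUL within "
                            f"{NAME_LEN} bytes (overflows the buffer on load)")
        count += 1
        off += RECORD_LEN
    return {"records": count, "findings": findings}


if __name__ == "__main__":
    good = build_savegame([("StartCampaign", ""), ("BEGINMOVIE", "OpeningCinema.mgv")])
    print(check_savegame(good))
    crafted = bytearray(good)
    field = RECORDS_OFFSET + RECORD_LEN + DESC_LEN   # filename of record 1
    crafted[field:field + 140] = b"\xff" * 140       # 140 bytes, as in Table 3
    print(check_savegame(resign(bytes(crafted))))   # valid MAC, overflow flagged
```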
4.6. Creating an image of memory
Since Xbox XBEs run in kernel mode and do not have their
own separate address space, it is possible simply to read
chunks of memory from this virtual address space and copy
them out to files on the Xbox hard disk using the XAPI
CreateFile() and WriteFile() functions. These functions are
statically-linked library functions within the MechAssault
program, and their addresses can be obtained from the
MechAssault XBE disassembly listing. Attempting to access
certain parts of the address space causes the Xbox to crash,
and consequently the imaging needs to proceed in small
chunks at a time, closing each chunk file before moving on to
the next; this means that the entire memory image is not lost
if such a crash occurs. Chunks are 1 MB (1 048 576 bytes) in
size, an experimentally-determined figure. Also the
WriteFile() function requires the chunk size to be a multiple of 4096.
After dumping is completed, concatenation of the files forms
the complete image file.
Table 3 – Constructed exploit savegame file.
This virtual address space memory acquisition is
implemented in assembly code. NASM is used to assemble the file in
the correct format for a MechAssault savegame file, with the
code being placed at the offset 0x200 (which gets executed
due to the buffer overflow). A separate program is used to
calculate the HMAC-SHA-1 signature.
Pertinent portions of the assembly code memory imaging
program are given below with explanations. The data items
(variables and string constants) are stored in the savegame file
before the code. The comments in the listing below describe
how variable addresses are calculated.
In this first listing, the sprintf() function is used to create
a filename containing the start address and count of each
chunk. Then the CreateFile() function, which works
identically to the Win32 equivalent, is used to create the file
(the addresses of sprintf() and CreateFile() are taken from
MechAssault and defined as NASM constants):
; variables are located before this point
start:
call base
base: pop ebp
; addresses of variables may now be calculated by
; (ebp + var - base)
; **
; **
main_loop:
make_filename:
; formatstring = "U:\DUMPS\dump%04u-%08X.bin"
; uses sprintf to create filename for current chunk
; first, push address of current chunk
push dword[ebp + beginning_address-base]
; then current value of counter
push dword[ebp + counter-base]
; then the formatstring
; ...
; GENERIC_READ | GENERIC_WRITE
push 0xC0000000
; lpFileName
lea eax,[ebp + fnamebuf-base]
push eax
mov ebx,CreateFile
call ebx
cmp eax,0xFFFFFFFF
je createfile_error_place
; save filehandle
mov [ebp + filehandle-base],eax
The error handling code (which is not shown here) simply
involves setting the Xbox LED to flash on and off, using
different permutations of colours to signify different errors.
For example, in the previous listing the return value from
CreateFile() is checked to ensure it is a valid filehandle. If it is
equal to 0xFFFFFFFF (INVALID_HANDLE_VALUE), the jump is
taken and the program halts with the LED set to a certain
colour. Otherwise, the filehandle is saved in ‘filehandle’.
Next, the address of the current chunk is passed to
WriteFile():
writefile:
xor eax,eax
push eax
; LPOVERLAPPED = NULL
lea eax,[ebp + numwritten-base]
; NumberOfBytesWritten
push eax
; write increment bytes at a time
push dword[ebp + increment_size-base]
lea eax,[ebp + beginning_address-base]
push dword[eax]
; hFile
push dword[ebp + filehandle-base]
; write the file
mov ebx,WriteFile
call ebx
; abort if an error happens
test eax,eax
je writefile_error_place
close:
push dword[ebp + filehandle-base]
mov ebx,CloseHandle
call ebx
A zero return value from WriteFile() (detected by the
instruction ‘test eax,eax’) results in an error. Finally, the
address is incremented by 0x100000 (the size of each dumped
chunk) and the process repeats:
do_rest:
; get beginning_address in eax
mov eax,[ebp + beginning_address-base]
; add increment size to eax
add eax,dword[ebp + increment_size-base]
; put back in beginning_address
mov [ebp + beginning_address-base],eax
; check counter < 4096
; 4096 * 0x100000 = total theoretical address space
; (obviously not all of this will be valid!)
mov eax,[ebp + counter-base]
cmp eax,4096
jnb success
inc eax
mov [ebp + counter-base],eax
jmp main_loop
Table 4 – Strings from the MechAssault game.
As mentioned above, this code is assembled into a save-
game file, signed with the correct key, and placed in a directory
on the Xbox E: partition. The MechAssault game is loaded and
the appropriate savegame selected from the Campaign menu.
This loads the file and causes the above code to be executed due
to the buffer overflow exploit described in Section 4.4.
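The dump leaves a directory of chunk files named by the sprintf() format above, and the image is their concatenation. The following Python reassembler is an added example, not a tool from the paper: it parses the counter and start address from each filename, checks that the two agree with the chunk size, zero-fills any chunk that is absent (as happens when the console crashes on an unreadable region) so that file offset still equals virtual address minus image base, and reports those gaps. The chunk size is a parameter so that the constructed demonstration can use small files; the helper names are assumptions.

```python
"""Constructed example: reassemble dump%04u-%08X.bin chunk files into one image."""
import os
import re
import tempfile

CHUNK_SIZE = 0x100000     # 1 MB chunks as used by the dumping code
NAME_RE = re.compile(r"^dump(\d{4})-([0-9A-Fa-f]{8})\.bin$")


def parse_chunk_name(name: str):
    """Return (counter, start_address) from a dump file name, or None."""
    m = NAME_RE.match(name)
    if not m:
        return None
    return int(m.group(1), 10), int(m.group(2), 16)


def list_chunks(directory: str):
    """Sorted (counter, address, path) triples for every chunk in directory."""
    chunks = []
    for name in os.listdir(directory):
        parsed = parse_chunk_name(name)
        if parsed:
            chunks.append((parsed[0], parsed[1], os.path.join(directory, name)))
    return sorted(chunks)


def reassemble(directory: str, chunk_size: int = CHUNK_SIZE):
    """Concatenate chunks in counter order; return (image, base, gaps).

    gaps lists (counter, address) of chunks that are absent, e.g. because the
    console crashed on an unreadable region; they are zero-filled so that
    offset == address - base still holds for every later chunk.
    """
    chunks = list_chunks(directory)
    if not chunks:
        raise ValueError("no dump chunks found")
    first_counter, first_address, _ = chunks[0]
    base = first_address - first_counter * chunk_size   # address the loop started at
    image = bytearray()
    gaps = []
    expected = 0
    for counter, address, path in chunks:
        if address != base + counter * chunk_size:
            raise ValueError(f"{path}: address {address:#x} does not match counter")
        while expected < counter:                # missing chunk(s): pad with zeros
            gaps.append((expected, base + expected * chunk_size))
            image.extend(b"\0" * chunk_size)
            expected += 1
        with open(path, "rb") as f:
            data = f.read()
        if len(data) != chunk_size:
            raise ValueError(f"{path}: {len(data)} bytes, expected {chunk_size}")
        image.extend(data)
        expected += 1
    return bytes(image), base, gaps


def vaddr_to_offset(vaddr: int, base: int) -> int:
    """File offset in the reassembled image for a virtual address."""
    if vaddr < base:
        raise ValueError("address precedes image base")
    return vaddr - base


def write_demo_chunks(chunk_size: int = 16, base: int = 0x80000000,
                      counters=(0, 1, 3)) -> str:
    """Write constructed chunk files (counter 2 deliberately missing); return dir."""
    d = tempfile.mkdtemp()
    for c in counters:
        name = f"dump{c:04d}-{base + c * chunk_size:08X}.bin"
        with open(os.path.join(d, name), "wb") as f:
            f.write(bytes([c & 0xFF]) * chunk_size)
    return d


if __name__ == "__main__":
    demo = write_demo_chunks()
    img, base, gaps = reassemble(demo, chunk_size=16)
    print(f"image {len(img)} bytes from base {base:#x}, gaps: {gaps}")
    print(f"kernel at 0x80010000 -> offset {vaddr_to_offset(0x80010000, base):#x}")
```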
Table 5 – Strings referencing files stored on the
MechAssault game disc.
5. Results and validation
5.1. Results
The program shown in the previous section successfully
acquired memory between the virtual addresses 0x00000000
and 0x033FFFFF, resulting in a 52 MB image file after
concatenation. The region from 0x80000000 to 0x8FFFFFFF was also
dumped, resulting in a second image file 256 MB in length. Any
attempt to access other regions of virtual memory caused the
Xbox to crash. Obviously, not all of the second image file can
represent actual RAM since as described in Section 2.2 the
virtual address space is larger than physical memory.
Much data obviously originating from the game was
discovered in the first image file, and small samples are given
in Table 4 and Table 5. They show strings which clearly relate
to the game and also strings that specifically reference data
stored on the MechAssault game disc.
5.2. Validation
Validation of the accuracy of any memory dump is a challenge
and is particularly true in this case since multiple methods for
acquisition are not available and therefore results cannot be
compared (e.g. results from dd and firewire on an x86 PC).
However, the correspondence between file offsets in the
acquired image and expected virtual addresses is probably the
best evidence that a reliable image has been created. For
instance, the XBE file could be seen in the memory image at
offset 0x10000. This correlates with the base address 0x10000
in memory where XBE programs are always loaded by the
kernel (determined by disassembly of the Xbox kernel). This
can be seen in Table 6.
Likewise, as shown in Table 7, the kernel is always loaded
at virtual address 0x80010000, and it correspondingly appears
in the second memory image (which began acquisition at
virtual address 0x80000000) at offset 0x10000.
Also in the memory dump it was possible to locate a copy
of the savegame containing the exploit used to execute the
memory imaging code. This was located in the memory image
at the offset that corresponded to the offset in memory which
was hard coded into the exploit (0x00386448). This can be seen
in Table 8. This further suggests that the acquired memory
image was accurate.
The exact mapping of virtual to physical addresses needs
further research to determine the differences from that used
by comparable versions of desktop Windows. It has already
been noted that accessing certain areas of the virtual address
space caused crashes, and it is clearly not possible for all of the
data obtained from the imaging process to have originated
from physical RAM. It is possible that some pages in the dump
files represent the contents of areas reserved for the use of
memory-mapped hardware (such as the sound or graphics
adapters) and thus do not contain any meaningful data. This
would require further analysis to unravel completely, but this
does not detract from the fact that based on the positions of
known data in the memory dump, it seems that an accurate
mapping of the virtual address space during the execution of
the MechAssault game has been produced.
6. Discussion and conclusions
6.1. Evaluation
It is clear that the goal of producing a memory image during
the execution of an Xbox game has been achieved. However,
as with the use of any software-based memory imaging
technique, changes will be made to the RAM. In this case the
use of the various XAPI library functions will cause
modifications; for example, it is likely that file IO uses RAM buffers.
However, this loss of data is limited to the size of the exploit
and imaging code (up to 6276 bytes) and these IO buffers.
Table 6 – XBE at virtual address and dump file offset
0x10000.
Table 8 – Exploit code at virtual address and dump file
offset 0x386448.
Also, modifying the contents of the hard drive (by writing
the image file portions to it) is not traditionally considered to
be good forensic practice, but in this case, since the hard drive
data is not of interest, this consideration is not relevant. If
necessary, writing to the hard drive could be avoided by
writing the memory data out over an IO bus, but this would be
very much slower. Also, further analysis of the kernel might
allow a USB device to be connected and the imaged data
written to that instead.
A further limitation of this particular imaging code is that due to the memory management of the Xbox, the virtual address space has been acquired rather than the physical RAM. This may or may not be an issue, depending on the interpretation of ‘the memory’ of the Xbox. In addition, since the Xbox kernel provides functions which translate between virtual and physical addresses, a more advanced version of the dumping exploit could be developed to use these to ensure that only pages in physical RAM are dumped.
The final and most fundamental technical limitation of the
technique discussed above is that it can be used to image only
the memory of the specific game in which the vulnerability
exists. While this was not a problem in this particular case, it
may complicate attempts to generalise this technique. This is
because most modern operating systems generally isolate
processes in their own virtual address space, and special API
calls (and the correct privilege level) are needed to access the
address space of another process.
General disadvantages associated with the use of exploits for forensic purposes include the fact that programs containing them may be patched, thus rendering the technique useless for future versions of the program (for instance, later releases of the MechAssault game do not contain the vulnerability described in this document). Also, understanding and deploying exploit code requires a certain degree of technical skill, since pre-written exploits are often distributed in binary form, are possibly obfuscated and are provided without any explanation as to how they work. Exploits of this form are obviously not reliable from an evidential point of view and require the use of reverse engineering techniques such as those described in this paper so that they are understood in detail. Finally, exploits are commonly associated with hacking and software piracy, and it is conceivable that the opposing counsels could use such associations to try to discredit evidence obtained via such methods in the minds of judges or juries. However this paper has shown that if an analyst has a full understanding of the exploit code, the data obtained is at least as reliable as that obtained using other common software based live acquisition techniques.
Table 7 – Kernel MZ and PE headers at offset 0x10000 (virtual address 0x80010000) in the second memory image.
6.2. Generalising to other systems and future work
While in this paper the focus has been on the original Xbox console, as mentioned in the introduction, this approach could also be applied to other consoles. There are similar exploits available for the Nintendo GameCube (Belvedere, 2004), the Sony Playstation 2 (BadServo, 2005), as well as newer consoles such as the Nintendo Wii (Wiibrew, 2009a,b,c). Additionally, both hardware (Free60 Project, 2009b) and software (Free60 Project, 2009a) exploits have been discovered for the Xbox 360, although a Microsoft firmware update in 2009 has patched many of these. Unlike the original Xbox, the current generation of games consoles often contain features such as web browsers and chat clients, both of which produce data which is potentially of greater interest to a forensic analyst. Some of the Nintendo Wii exploits are open-source, meaning that no reverse engineering is necessary in order to have a full understanding of the effect they will have on a target system, and making them easier to modify for the purpose of memory acquisition.
In addition to games consoles, this approach could also apply to other embedded systems that have software vulnerabilities. This could include smart phones, PDAs, Internet routers and GPS devices. Finally, this approach could be used not only to acquire memory of these devices (which may have limited applications) but also for any other form of selective data acquisition, e.g. to gain access to data that is stored in encrypted form on permanent storage, but is available in decrypted form when the system is running.
6.3. Conclusion
This paper has shown that in cases where hardware approaches to accessing data on embedded systems are impractical, software based vulnerabilities can be exploited to execute arbitrary code and avoid any security restrictions imposed by the device manufacturer. Code can then be written to perform the necessary acquisition procedure and executed using an exploit. This has been demonstrated by acquiring data from the memory of an Xbox console during the execution of a game.
6.4. Postscript
Although the memory images that were eventually produced
did provide evidence that certain parts of the game disc were
copied into memory, the appeal was dismissed for other
reasons and the technical evidence produced was not
considered (although a portion of the memory image was
printed out as a Section 9 statement and given to the judges at
the trial).
References
AlephOne. Smashing the stack for fun and profit. Phrack 1996;7(49), http://insecure.org/stf/smashstack.html [accessed 04.12.09].
BadServo. EXPLOITSTATION.Com FAQ. Web site, http://www.exploitstation.com/index.php?page=faq; 2005 [accessed 15.12.09].
Belvedere M. The GameCube ‘‘Phantasy Star Online’’ exploit. Club MyCE. Website, http://club.myce.com/f98/gamecube-phantasy-star-online-exploit-94781/; 2004 [accessed 15.12.09].
Boileau A. Hit by a bus: physical access attacks with FireWire. In: Presentation at Ruxcon; 2006.
Burke PK, Craiger P. Xbox forensics. Journal of Digital Forensic Practice 2006;1:275–82.
Carrier BD, Grand J. A hardware-based memory acquisition procedure for digital investigations. Digital Investigation 2004;1:50–60.
Collins D. XFT – a forensic analysis tool for the Microsoft Xbox game console. In: Proceedings of the 6th annual security conference, April 11–12, 2007, Las Vegas, NV.
Free60 Project. Run code. Wiki page, http://www.free60.org/Run_Code; 2009a [accessed 06.01.10].
Free60 Project. SMC hack. Wiki page, http://www.free60.org/JTAG_Hack; 2009b [accessed 06.01.10].
Halderman JA, Schoen SD, Heninger N, Clarkson W, Paul W, Calandrino JA, et al. Lest we remember: cold boot attacks on encryption keys. In: 17th USENIX security symposium; 2008.
Huang A. Hacking the Xbox. No Starch Press; 2003.
Intel. Intel low pin count (LPC) interface specification, revision 1.1. Tech. Rep. Intel Corporation; 2002.
Krawczyk H, Bellare M, Canetti R. RFC 2104: keyed-hashing for message authentication. Tech. Rep. Network Working Group, http://www.ietf.org/rfc/rfc2104.txt; 1997 [accessed 07.12.09].
Kubasiak RR, Morrissey S. Mac OS X, iPod, and iPhone forensic analysis DVD toolkit. Ch. 15 (Forensic acquisition of an iPhone). Syngress; 2009:355–95.
Robinson A. XBE file format 1.1. Tech. Rep., http://www.caustik.com/cxbx/download/xbe.htm; 2005 [accessed 15.12.09] – this page is undated, but the Xbox Linux Wiki page containing the same information (http://www.xbox-linux.org/wiki/XBE_File_Format) was first published on 13th July 2005.
Steil M. 17 mistakes Microsoft made in the Xbox security system. In: Proceedings of the 22nd Chaos Communication Congress; 2005.
Steil M, Jilli D, Esser S, Lehner F, Mears J, Hucek E. Xbox software hacking. In: Presentation given at 20th Chaos Communication Congress, http://sourceforge.net/projects/xbox-linux/files/Presentations/20thC%haosCommunicationCongress/20C3-Xbox_Software_Hacking.pdf/download; December 2003 [accessed 18.12.09].
Steil M, Pye D, et al. The Xbox Linux project FAQ. Wiki article, http://www.xbox-linux.org/wiki/FAQ, page last updated 6th February 2006 [accessed 15.12.09].
Steil M, Pye D, et al. Software method HOWTO. Xbox Linux Wiki entry, http://www.xbox-linux.org/wiki/Software_Method_HOWTO, last updated 17th December 2007 [accessed 15.12.09].
Vaughan C. Xbox security issues and forensic recovery