summaryrefslogtreecommitdiffstats
path: root/wiki/src/security/audits/Blackhat_De-Anonymizing_Live_CDs.mdwn
blob: 8ca4481d5b7b46e14c2366b215fe7d08bee94bc3 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
[[!meta title="Blackhat 2011 DC: De-Anonymizing Live CDs"]]
[[!meta date="Mon, 31 Jan 2011 20:40:19 +0100"]]

During the [2011 DC
edition](http://www.blackhat.com/html/bh-dc-11/bh-dc-11-home.html) of the
Blackhat conference, [Andrew
Case](http://www.blackhat.com/html/bh-dc-11/bh-dc-11-speaker_bios.html#Case) did a
presentation about his research on [de-anonymization of Live
CDs](http://www.blackhat.com/html/bh-dc-11/bh-dc-11-briefings.html#Case) through
forensics techniques applied to the system memory content, which mostly
concerned T(A)ILS itself. Some parts of it were also talking about memory
analysis of Tor itself.

* Slides can be found
[here](https://media.blackhat.com/bh-dc-11/Case/BlackHat_DC_2011_Case_De-Anonymizing%20Live%20CDs-Slides.pdf)
* Full paper can be found
[here](https://media.blackhat.com/bh-dc-11/Case/BlackHat_DC_2011_Case_De-Anonymizing_Live_CDs-wp.pdf)

The disclosure of this attack leads to a better implementation of the
smem feature in Tails, using kexec to ensure every non-kernel bit of
the memory is wiped; this new implementation is shipped in Tails 0.7
and later. Implementation of automatic memory wiping [[!tails_ticket 5687
desc="when the live media is removed"]],
also shipped as of Tails 0.7, also helps defeating it, at least in the
case this attack takes place when someone's home is raided.