IEEE 1394 Firewire DMA memory notes for Apple OS X 10.x.x


TODO:

* Find something useful in memory to overwrite for code execution
* Find and replace jpg, tif, and png images in memory (goatse?)
* Find more static password references: Mail.app, iTunes, etc

Magic Strings:

'shouldunmount' - user info structure
'Home_Dir_Mount_Result' - user info structure
'passphraseX' - plist file for FileVault?

External Links:

http://c0re.23.nu/c0de/pyfw/pyfw-20041111.tar.gz
http://www.codeangel.org/article/crack_a_mac_with_firewire
https://www-s.acm.uiuc.edu/wiki/space/EOH+2007
http://www.securityfocus.com/archive/1/488930
http://blog.juhonkoti.net/2008/02/29/automated-os-x-macintosh-password-retrieval-via-firewire
http://lists.apple.com/archives/macos-x-server/2007/Nov/msg00763.html

Data Carving tools:

http://foremost.sourceforge.net/

Notes:

* on some 10.4.11 systems I've seen shouldunmount truncated near the location of the userinfo
* on some systems, you get locked up hard