The purpose of this technical memorandum is to examine the technical characteristics behind the cold boot attack technique and to understand when and how this technique should be applied to the field of computer forensic investigations. Upon thorough examination of the technique, the authors highlight its advantages, drawbacks, applicability and appropriateness for use in the acquisition of computer memory contents. The original cold boot attack paper, as conducted by a team of students and researchers in 2008, demonstrated the usefulness of computer memory remanence and how this phenomenon could be used to defeat popular disk encryptions tools and other data hiding techniques necessary for the safe storage of secret data and information. However, the technique is not a panacea and has many drawbacks dictated by the laws of physics, which cannot be overcome by the technique. The authors believe that a thorough understanding of this phenomenon will empower computer forensic investigators to take advantage of it when appropriate but also aim at dispelling various distortions surrounding it.
Computer forensics, Memory acquisition, Cold boot attack, Software memory acquisition, Hardware memory acquisition, Flash freeze, Platform reset attack, Cold ghosting attack, Iceman attack
Richard Carbone ([email protected])
PDF Document Link