Hello folks, and especially those who are all about memory forensics.
I just noticed (ok, so it was on Slashdot) a paper from some Princeton students titled Cold Boot Attacks on Encryption Keys (http//
I'm not sure how practical spraying canned air or liquid nitrogen into laptops is (not that you need to do that) but the information on locating keys in memory and error correction is sound and very well researched.
Hope you also find it interesting.
Tom
Wow that's some great research and it's extremely comprehensive. It would be great if they'd release some code.
Hmmm, wonder how much a case of compressed air is?
We've got WDE running on some test laptops. This could be interesting.
Yes, saw that as well…
Very informative video and supporting paper (.pdf published today 21/02/08) from Princeton University
1) Basically, switch off the computer,
2) open the cover to reveal the RAM,
3) using a multipurpose duster spray (upside down), spray the RAM; this will cool the RAM to -50°C,
4) all RAM contents could remain for up to 10 mins after switching off the computer using this method,
5) extract the physical RAM and insert it into another reader,
6) use a reading app; it recovers all sorts of things,
7) an additional method shows recovery of encryption keys (Vista, TrueCrypt and Linux).
I like the fact that they had also taken some trouble to identify why some RAM may not return positive results:
"If you don’t see any copies of the pattern, possible explanations include (1) you have ECC (error-correcting) RAM, which the BIOS clears at boot; (2) your BIOS clears RAM at boot for another reason (try disabling the memory test or enabling “Quick Boot” mode); (3) your RAM’s retention time is too short to be noticeable at normal temperatures. In any case, your computer might still be vulnerable — an attacker could cool the RAM so that the data takes longer to decay and/or transfer the memory modules to a computer that doesn’t clear RAM at boot and read them there."
Check out the blog on their website for feedback (some more useful than others).
I have not gotten a chance to read the research yet, but I've seen the video they put together. I guess the next question is… Has anyone other than these students successfully tested this process? And could we potentially use this for computer forensic purposes?
Some issues I see are:
We could potentially cause damage to the original machine by spraying the RAM chips and board with liquid nitrogen, and the process would not be repeatable, the data cannot be verified, etc.
Seems brilliant… If we can cool chips, remove them from a system and image them completely on another machine, there is a real possibility that we can get an exact image, e.g. one that hasn't been altered in any way by forensic tools used to image memory…
Memory dumps are already non-repeatable, so that bit would have little impact, so long as it can be shown to have been done properly…
Issue:
Carrying around a thermos flask of liquid nitrogen along with your write blockers!
Computers are quite routinely run in supercooled environments, so I doubt that this would be likely to cause much damage. (See http//
So long as you steer clear of the disk, I don't see how we are likely to be worse off, even if the memory is made non-functional in the process…
I tend to think the PXE image idea is one of the more viable solutions that *could* be used in forensics. Unfortunately for us if something is protected by full disk encryption it's pretty much illegal to capture memory in the manner they are or by using the methods they suggest, especially given the current case involving this very thing.
I noted in the video that one of the screens there was "ram2usb"… I thought I could be on to something here, but didn't find anything searching Google…
Greetings,
Here's another approach, through the FireWire port:
http//
-David