Full conversation here:
Cherries:
Yes!
Modern SDRAM is based on tiny capacitors. They lose their charge fairly rapidly and thus lose the contents of the memory they were storing; this is why the computer needs to constantly refresh the charge in the capacitors (which is why it's called "dynamic RAM"). Normally the data will decay in an amount of time that is too small to be useful in an attack, but if you cool the RAM to below freezing then you can significantly extend that time. This is called a Cold Boot Attack. The basic premise is that you have physical access to a running computer, then you cool the RAM on the computer, turn off the computer, remove the RAM and transfer it to a computer or device that you have control over. The charges in the capacitors, and thus the data in the RAM, will be maintained, which you can then read out. By booting to another medium (such as a USB stick), this can also be managed on the same computer, assuming the option is available.
Any encryption system that retains keys in plain text in memory is thus extremely vulnerable to such an attack.
Yes, but if the contents of the hard drive are encrypted, this will do little good. One of the reasons for using the cold boot attack is to recover encryption keys from RAM. In order to decrypt the contents of the hard drive, one would need the encryption key; this key is typically entered once by the user and then stored in RAM.
That's the reason why whole disk encryption has become popular to begin with, to deny the benefit of physical access. Which is an enormously serious concern in part due to the popularity of laptops in business.
Modern disk encryption systems are hardened against cold boot attacks (storing the encryption keys in the CPU's cache only, for example), though it's still a bit of a cat and mouse game.
I am not an expert in this subject, but this paper appears to answer the question.
Abstract: Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at operating temperatures and even if removed from a motherboard. Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images. We show that this phenomenon limits the ability of an operating system to protect cryptographic key material from an attacker with physical access. We use cold reboots to mount attacks on popular disk encryption systems — BitLocker, FileVault, dm-crypt, and TrueCrypt — using no special devices or materials. We experimentally characterize the extent and predictability of memory remanence and report that remanence times can be increased dramatically with simple techniques. We offer new algorithms for finding cryptographic keys in memory images and for correcting errors caused by bit decay. Though we discuss several strategies for partially mitigating these risks, we know of no simple remedy that would eliminate them.
In addition to the technique /u/rocketsocks described, there's a secondary (much less useful) technique that is possible. It is much less useful because it is very "noisy" (the data recovered will be somewhat corrupted), and it doesn't necessarily recover the most recent data in RAM. It is also most useful on SRAM, I'm not sure how applicable it would be to DRAM; I've never read of it being used on DRAM.
Modern devices have wearout mechanisms that affect an SRAM cell (most notably Bias Temperature Instability). If a cell is held for a long time in one particular state, it creates an imbalance in the 6-transistor bit cell that persists even when power is removed. It is possible to use this imbalance to read out the "preferred" state of the cell when it is powered back up and thereby infer the contents. But that will mostly tell you the contents that cell has held for the longest time, not the most recently. And if the SRAM information is swapped out a lot, it will most likely just result in noise, since the balance of 0/1 should be close to 50:50.
Obviously, exploiting such a mechanism is going to give results that are difficult to make a lot of practical uses of. It has been done in the lab, but I don't know if it has ever been used in a real-world scenario.
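An added example, not part of the quoted conversation: the thread's point that keys kept in plain text in RAM are what a cold boot recovers suggests keeping exactly one copy of the key and wiping it whenever the volume is locked or the machine suspends. The `key_slot` type, function names and the 0xA5 stand-in key are assumptions made for this sketch; it narrows the exposure window and does nothing for a machine that is running with the volume unlocked.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>

#define KEY_LEN 32  /* constructed: a 256-bit volume key */

typedef struct {
    uint8_t key[KEY_LEN];
    int     pinned;   /* 1 if mlock() succeeded: pages cannot be swapped out */
    int     loaded;   /* 1 while key material is present */
} key_slot;

/* Zero through a volatile pointer so the compiler cannot drop the stores. */
static void secure_wipe(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Number of non-zero bytes left in a buffer (used to audit wiping). */
size_t residue(const uint8_t *p, size_t n) {
    size_t c = 0;
    for (size_t i = 0; i < n; i++) c += (p[i] != 0);
    return c;
}

void key_slot_init(key_slot *s) {
    secure_wipe(s, sizeof *s);
    /* mlock() can fail under RLIMIT_MEMLOCK; record it rather than abort. */
    s->pinned = (mlock(s->key, KEY_LEN) == 0);
}

/* Move the key in: the caller's copy is wiped so one instance remains. */
void key_slot_load(key_slot *s, uint8_t *src) {
    memcpy(s->key, src, KEY_LEN);
    secure_wipe(src, KEY_LEN);
    s->loaded = 1;
}

/* Call on screen lock, suspend or unmount, before RAM can be imaged. */
void key_slot_lock(key_slot *s) {
    secure_wipe(s->key, KEY_LEN);
    s->loaded = 0;
}

int main(void) {
    uint8_t k[KEY_LEN];
    key_slot s;
    memset(k, 0xA5, sizeof k);        /* constructed stand-in key */
    key_slot_init(&s);
    key_slot_load(&s, k);
    key_slot_lock(&s);
    return (int)(residue(s.key, KEY_LEN) + residue(k, KEY_LEN)); /* 0 = clean */
}
```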