Feb
27
A joint group from Princeton has recently demonstrated that RAM chips, when cooled to a very low temperature, can retain their contents for up to several minutes after they have been physically removed from a computer.
The group then built their own tools and programs to read the contents of memory after the computers were rebooted, proving that disk encryption technologies (such as TrueCrypt) can be defeated. This is demonstrated in a video posted on YouTube (see extended body of article).
The concept can also be easily demonstrated by following a simple experiment outlined on the group's page here.
Q. What can users do to protect themselves?
A. The most effective way for users to protect themselves is to fully shut down their computers several minutes before any situation in which the computers’ physical security could be compromised. On most systems, locking the screen or switching to “suspend” or “hibernate” mode does not provide adequate protection. (Exceptions exist; some systems may not be protected even when powered off. Check with the developer of your disk encryption software for further guidance.)
Following up on this, according to Ivan Krstic, director of security architecture at OLPC (One Laptop per Child), the recently announced MacBook Air is resistant to what is now known as the "Cold-Boot Encryption Attack" simply because the machine's DDR2 RAM (2 GB) is soldered on and cannot be physically removed. In addition, if Apple releases an EFI firmware upgrade to zero the contents of the RAM at every boot, then the MacBook
"...would become one of the only—if not the only—mainstream laptop featuring full-disk encryption that's highly-resistant to the troublesome Princeton attack."
(source)
Microsoft has also responded to this with regard to its BitLocker technology in Vista. Ryan Naraine reports on this here.
Microsoft suggests that the most secure method to use BitLocker is in hibernate mode and with multi-factor authentication.
According to Robert Hensing, a software engineer in Microsoft's SWI (Secure Windows Initiative) team, this class of attack is not new and was actually raised at the 2006 Hack in the Box conference in Kuala Lumpur, Malaysia.
The Register also has its views on this: BitLocker, meet BitUnlocker.
A question directed to Digital Forensic experts - Is this a blessing in disguise? What's your take on it?
Update: More information on the discussion can be found here



