A group of researchers from Princeton recently demonstrated that RAM chips, when cooled to a very low temperature, can retain their contents for up to several minutes after they have been physically removed from a computer.
The group then built their own tools to read the contents of memory after the computers were rebooted, proving that disk encryption technologies (such as TrueCrypt) can be defeated.
Q. What can users do to protect themselves?
A. The most effective way for users to protect themselves is to fully shut down their computers several minutes before any situation in which the computers’ physical security could be compromised. On most systems, locking the screen or switching to “suspend” or “hibernate” mode does not provide adequate protection.
Following up on this, according to Ivan Krstic, director of security architecture at OLPC (One Laptop per Child), the recently announced MacBook Air is resistant to what is now known as the “Cold-Boot Encryption Attack” simply because the machine’s DDR2 RAM (2 GB) is soldered on and cannot be physically removed.
Microsoft also responded with regard to its BitLocker technology in Vista. The most secure way to use BitLocker is in hibernate mode with multi-factor authentication.
A question for digital forensics experts: is this a blessing in disguise? What’s your take on it?