Imaging Memory After a Cold Boot
I’m taking a very short break from my Ph.D. preliminary exam to write a short post about this, because it’s so cool :).
The Center for Information Security Policy at Princeton has published a very interesting paper on recovering encryption keys by imaging memory after a computer has been forcibly shut down:
Modern RAM chips hold state for longer than most people expect after power has been removed. I became aware of this a while back, and after testing it out, found that the time varied wildly between computers. When I did this, I used a minimal Linux boot CD to write a known string to memory over and over again, filling it up. Then I’d pull power, leave it off for a short while, then boot back up and see if I could find the string in memory again. On the desktop machine I tested it on, the string would stay in memory for a few seconds with the power off. Amazingly, with my Latitude C400 laptop, it would stay in memory for a good 10 minutes (with no battery or wall power).
It’s really fun stuff, and it’s nice to see it fleshed out way better than my own limited experiments.
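The survival check from the experiment above, as an added example (not code from the original post): it scores a captured memory image against the known fill string, counting intact copies and flipped bits. The marker string, the function names and the sample image are constructed for illustration, and the image is assumed to start on a marker boundary.

```python
"""Score how much of a known fill pattern survived in a memory image."""

MARKER = b"REMANENCE-TEST-1"  # constructed 16-byte fill string (assumption)


def fill_pattern(size, marker=MARKER):
    """Return the bytes the fill step would have written: marker repeated."""
    reps = -(-size // len(marker))  # ceiling division
    return (marker * reps)[:size]


def score_image(image, marker=MARKER):
    """Compare an image against the expected fill, slot by slot.

    Assumes the image starts on a marker boundary (hypothetical layout).
    """
    expected = fill_pattern(len(image), marker)
    slots = len(image) // len(marker)
    intact = 0
    for i in range(slots):
        lo = i * len(marker)
        if image[lo:lo + len(marker)] == marker:
            intact += 1
    # XOR exposes flipped bits; count them over the whole image.
    flipped = sum(bin(a ^ b).count("1") for a, b in zip(image, expected))
    total_bits = len(image) * 8
    return {
        "slots": slots,
        "intact_slots": intact,
        "flipped_bits": flipped,
        "bit_error_rate": flipped / total_bits if total_bits else 0.0,
    }


def constructed_decayed_image():
    """Constructed sample: 4 slots, slot 1 partly zeroed, one bit flipped in slot 3."""
    image = bytearray(fill_pattern(64))
    image[16:20] = b"\x00\x00\x00\x00"  # first four marker bytes lost in slot 1
    image[48] ^= 0x01                   # single flipped bit in slot 3
    return bytes(image)


if __name__ == "__main__":
    print(score_image(fill_pattern(64)))
    print(score_image(constructed_decayed_image()))
```

Running the same scoring on images taken after different power-off intervals gives a per-machine decay curve, which is the comparison the desktop and laptop observations above describe informally.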