Princeton Cold-Boot Memory Forensics Tools Released
Today, Jacob Applebaum is giving a talk at The Last HOPE conference on the Princeton tools for dumping memory and retrieving keys from it after a cold boot. These are the tools that were demonstrated some months ago and got everyone interested in the security of whole-disk encryption products. There was a lot of interest in the memory dumping tool, so since the Princeton tool had not been released, I wrote msramdmp.
The Princeton tools are now available here.
The key-finding code is definitely of interest, and ought to work with msramdmp images as well (although I haven’t tested the code at all, yet). From what I’m reading of the memory dumping code and docs, if msramdmp is currently suiting your needs, you may not need to change over, especially if you’re taking advantage of the fact that msramdmp will let you dump a few computers before having to pull the images off and reset the partitions. If, however, you’re wanting to dump more than 4 gigs on a 64-bit machine, dump over a network, or dump an EFI-based machine, the Princeton tools are definitely what you’ll want to start playing with now.
Very cool work, Jacob! Hope the talk goes well!
[...] Wesley McGrew, Princeton released their tools for dumping and retrieving keys from memory after a cold boot. There was a bit of twittering going on about these tools during The Last Hope conference. [...]