Researchers release 'cold boot' attack utilities
A way around disk encryption
The security researcher who demonstrated the 'cold boot' attack has released the source code for the hack. The attack, first demonstrated in February, uses a set of utilities to lift crypto keys from memory even after a reboot.
A boon for hackers and computer forensics experts alike, the approach created a means to circumvent disk encryption simply by powering off a target machine which has been left hibernating or screen-locked, and quickly rebooting it to an external hard drive loaded with customised software. The attack worked because DRAM chips used by modern computers retain data for seconds or even minutes after being powered down, contrary to popular opinion. Cooling the chips wasn't absolutely necessary but aided the process in some cases.
Once the data is recovered, utilities are needed to make sense of the information and perform functions such as correcting errors caused by bit decay.
The approach was pioneered by researchers from the Electronic Frontier Foundation, Princeton University and Wind River. One of the researchers involved in the celebrated hack, Jacob Appelbaum, released source code for the utilities used for it at the Hackers on Planet Earth (HOPE) conference in New York last weekend. It's hoped the release of the utilities will spur the development of countermeasures as well as raising awareness about the risks posed by the original attack.
A research paper on the attack along with explanatory video and code for the utilities can all be found here. ®
it only counts in blocks not every address,
easier to 'pop rivet' the case shut
BIOS full memory scan maybe no solution
I'm no expert, but what is the default BIOS mode?
If it's full scan, ok. But if it's not, then being in Full-scan is certainly not a workaround.
The security agency just needs to reset the BIOS.
And contrary to what has been said above by Pheet, it's futile to expect that "Hopefully the time it takes to open the machine and physically reset the BIOS means there's insufficient key material left in the RAM."
The basic hypothesis here is that the people coming in to get you have access to the computer while it's still turned on.
You can't seriously expect that they'll turn it off, then open the machine.
They will just open the machine, and when they have their screwdriver 1 inch from the BIOS reset button, ready to go, then they'll turn off, reset BIOS and turn on. 5 seconds lost, at most.
BIOS can be bypassed, so all Mem Checks are off
Here's a nice trick that works with certain Mobo vendors and corresponding CMOS/BIOS Writers:
Put new firmware on a floppy!
I've had to do this before when a friend of mine bricked his BIOS. Basically, you just make a Windows boot floppy, put the BIOS flasher and new BIOS (With Mem Test disabled or even missing from the binary) on it, and put the commands to flash it in the AUTOEXEC.BAT.
Apparently, you pull out a jumper, put in the disk, and it doesn't even do a BIOS check, it just runs the disk and flashes the BIOS (Don't know specifics, would need to check some hardware I'd think). Works on a LOT of MSI hardware.
Now, with enough recon, you could figure out the mobo maker, and download a BIOS update. End result - Owned.
Sidenote: If your HDD encryption relies on your Windows password, your HDD encryption is S**t. Stick to something safe, like TrueCrypt (And its bootloader).