Shostack + Friends Blog Archive


Time To Rethink The Efficacy Of That Hard Drive Crypto

As we love to say, if you have physical access to a machine, then you have access to all the data on it. Today Ed Felten et al. proved that yet again when they released a paper describing cold boot attacks on encryption keys [link no longer works]. In it, they show that DRAM can be stripped (even after a full shutdown) of passwords and encryption keys. It turns out that DRAM doesn’t lose its memory immediately, even after losing power. As a result, they have been able to successfully extract keys for BitLocker (Vista), TrueCrypt (multiplatform open source) and FileVault (OS X). They can even take the DIMMs out of the target computer, move them to another machine, and then find the keys without interference from the original host OS. How cool is that? I imagine it won’t be long before this gets implemented in forensics software and/or hacking tools.
[Via Boing Boing]