Published on Sep 05, 2023
Contrary to popular assumption, DRAMs used in most modern computers retain their contents for several seconds after power is lost, even at room temperature and even if removed from a motherboard.
Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist suf?ciently for malicious (or forensic) acquisition of usable full-system memory images.
Researchers at Princeton University have shown that there are surprisingly large number of machines where the contents of RAM survive undamaged well after the system BIOS or boot code has finished running, and these can be exploited. To demonstrate this, we will try to capture and analyze the memory content after the system is powered off.
This project is a Proof of Concept(POC) for capturing memory dumps from Intel x86-64 based PC system. RAM persistence can be exploited using both hardware and software mechanisms.
However exploit requires a certain amount of specialized expertise and a willingness and/or opportunity to dissect the obtained information that will be not necessarily in human readable form.
In cryptography, a cold boot attack is a type of side channel attack in which an attacker with physical access to a computer is able to retrieve user's specific sensitive information from a running operating system after using a cold reboot to restart the machine from a completely "off" state.
The attack relies on the data remanence property of DRAM and SRAM to retrieve memory contents which remain readable in the seconds to minutes after power has been removed.
It has been known since the 1970s that DRAM cell contents survive to some extent even at room temperature and that retention times can be increased by cooling. In a 1978 experiment , a DRAM showed no data loss for a full week without refresh when cooled with liquid nitrogen.
Machines using newer memory technologies tend to exhibit a shorter time to total decay than machines using older memory technologies, but even the shorter times are long enough to facilitate most of the attacks.
Simple reboots The simplest attack is to reboot the machine and con?gure the BIOS to boot an imaging tool. A warm boot, invoked with the operating system's restart procedure, provides software an opportunity to wipe sensitive data prior to shutdown. A cold boot, initiated using the system's restart switch or by brie?y removing and restoring power, will result in little or no decay depending on the memory's retention time. Restarting the system in this way denies the operating system and applications any chance to scrub memory before shutting down.
For this , simply place the dram in other machine and start the system, Or alternatively , keep the ram in the same machine , attach the bootable USB flash drive in the USB PORT , and reboot the system . Note that the boot priority of the system must be set to 'External USB Drive' and not to 'Internal hardDrive'. Otherwise the system will reboot again into its native Operating System .
Having done this , the memory-imaging tool or scrapper present on USB Drive starts executing . It fetches the memory dump present on the RAM into the USB Drive.
After taking the memory dump of the RAM in a USB drive. It can now be analysed. For this purpose, the data can be read straight out of the dump either by dumping it to a flat-file using 'dd' or by examining it in-place. For our experiment, we will dump the data to a flat-file. We also extract the human-readable content to a separate file.