Means of compromising computer security by restarting the computer

In computer security, a cold boot attack (or, to a lesser extent, a platform reset attack) is a type of side channel attack in which an attacker with physical access to a computer performs a memory dump of the computer's random-access memory (RAM) by performing a hard reset of the target machine. Typically, cold boot attacks are used for retrieving encryption keys from a running operating system for malicious or criminal investigative reasons. The attack relies on the data remanence property of DRAM and SRAM to retrieve memory contents that remain readable in the seconds to minutes following a power switch-off.

An attacker with physical access to a running computer typically executes a cold boot attack by cold-booting the machine and booting a lightweight operating system from a removable disk to dump the contents of pre-boot physical memory to a file. The attacker is then free to analyze the data dumped from memory to find sensitive data, such as the keys, using various forms of key finding attacks. Since cold boot attacks target random-access memory, full disk encryption schemes, even with a trusted platform module installed, are ineffective against this kind of attack. This is because the problem is fundamentally a hardware (insecure memory) issue and not a software issue. However, malicious access can be prevented by limiting physical access and by using modern techniques to avoid storing sensitive data in random-access memory.

DIMM memory modules gradually lose data over time as they lose power, but do not immediately lose all data when power is lost. Liquid nitrogen, freeze spray or compressed air cans can be improvised to cool memory modules, and thereby slow down the degradation of volatile memory. Depending on temperature and environmental conditions, memory modules can potentially retain at least some data for up to 90 minutes after power loss. With certain memory modules, the time window for an attack can be extended to hours or even weeks by cooling them with freeze spray. Furthermore, as the bits disappear in memory over time, they can be reconstructed, as they fade away in a predictable manner. Consequently, an attacker can perform a memory dump of the modules' contents by executing a cold boot attack. The ability to execute the cold boot attack successfully varies considerably across different systems, types of memory, memory manufacturers and motherboard properties, and may be more difficult to carry out than software-based methods or a DMA attack. While the focus of current research is on disk encryption, any sensitive data held in memory is vulnerable to the attack.

Attackers execute cold boot attacks by forcefully and abruptly rebooting a target machine and then booting a pre-installed operating system from a USB flash drive, CD-ROM or over the network. In cases where it is not practical to hard reset the target machine, an attacker may alternatively physically remove the memory modules from the original system and quickly place them into a compatible machine under the attacker's control, which is then booted to access the memory. Further analysis can then be performed against the data dumped from RAM.

A similar kind of attack can also be used to extract data from memory, such as a DMA attack that allows the physical memory to be accessed via a high-speed expansion port such as FireWire. A cold boot attack may be preferred in certain cases, such as when there is a high risk of hardware damage: using the high-speed expansion port can short out, or physically damage, hardware in certain cases.

Uses

Cold boot attacks are typically used for digital forensic investigations, malicious purposes such as theft, and data recovery.

In certain cases, a cold boot attack is used in the discipline of digital forensics to forensically preserve data contained within memory as criminal evidence. For example, when it is not practical to preserve data in memory through other means, a cold boot attack may be used to perform a dump of the data contained in random-access memory, such as in situations where a system is secured and it is not possible to access the computer. A cold boot attack may also be necessary when a hard disk is encrypted with full disk encryption and the disk potentially contains evidence of criminal activity.
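One of the mitigations the article names is avoiding long-lived sensitive data in RAM. The following C example is added here and is not part of the article: it shows the basic building block for that mitigation, a working key that is derived only for the duration of one operation and zeroized before the function returns, so that it is not resident for a later memory dump. The key derivation from a seed and the XOR transform are constructed stand-ins for a real key-unwrap step and cipher, and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

#define KEY_LEN 32

/* Zeroize through a volatile pointer: a plain memset() on a buffer that is
 * never read again may be dropped by the optimizer as a dead store, leaving
 * the key bytes in RAM. explicit_bzero()/memset_s() serve the same purpose. */
void secure_wipe(void *buf, size_t len)
{
    volatile uint8_t *p = (volatile uint8_t *)buf;
    while (len--)
        *p++ = 0;
}

/* Return 1 if every byte is zero. No early exit, so timing does not reveal
 * where the first non-zero byte sits. */
int is_wiped(const uint8_t *buf, size_t len)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= buf[i];
    return acc == 0;
}

/* Process one buffer with a working key that exists in RAM only during this
 * call. The key buffer is caller-supplied so the caller can verify afterwards
 * that it was scrubbed. The derivation from 'seed' and the XOR are constructed
 * stand-ins (hypothetical). Returns 1 if the key buffer was left zeroized. */
int process_with_ephemeral_key(uint8_t seed, uint8_t *data, size_t len,
                               uint8_t key[KEY_LEN])
{
    for (size_t i = 0; i < KEY_LEN; i++)       /* unwrap: key lives only here */
        key[i] = (uint8_t)(seed ^ (i * 7u));
    for (size_t i = 0; i < len; i++)
        data[i] ^= key[i % KEY_LEN];
    secure_wipe(key, KEY_LEN);                 /* scrub before returning */
    return is_wiped(key, KEY_LEN);
}

/* Constructed end-to-end check: 1 when the data was transformed and no key
 * byte remains in the buffer afterwards. */
int demo(void)
{
    uint8_t key[KEY_LEN];
    uint8_t data[8] = {0};
    if (!process_with_ephemeral_key(0x5a, data, sizeof data, key))
        return 0;
    return data[0] == 0x5a && data[1] == (0x5a ^ 7) && is_wiped(key, KEY_LEN);
}
```

Zeroization only shrinks the exposure window: a key that must stay resident while the machine is running (for a mounted encrypted volume, for instance) is still exposed to a cold boot dump, which is why the article calls the problem a hardware rather than a software issue.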