Cold Boot attack in Digital Forensics

In 2008, a team of students and researchers from Princeton University, Wind River Systems and the Electronic Frontier Foundation published a research paper [3] examining the phenomenon of computer memory remanence.
That paper confirmed what computer security practitioners had long theorized: the volatile memory of computer systems is less volatile than expected.


What is a Cold Boot Attack?

A cold boot attack is a type of side-channel attack [2] in which an attacker with physical access to a computer dumps the contents of its random access memory after performing a hard reset of the target machine.

Typically, cold boot attacks are used to retrieve encryption keys from a running operating system. The attack relies on the data remanence property [1] of DRAM and SRAM: memory contents remain readable for seconds to minutes after power has been removed, so the attacker cold-boots the machine, boots a lightweight operating system from a removable disk and dumps the pre-boot contents of physical memory to a file.

Since cold boot attacks target random access memory, full disk encryption schemes, even with a trusted platform module installed, are ineffective against this kind of attack: the problem is fundamentally a hardware one, insecure memory.


How does it work?

DIMM memory modules lose their contents gradually after power is removed, not immediately: depending on the ambient temperature, a memory module can retain some data for up to 90 minutes after power loss.

With certain memory modules, the time window for an attack can be extended to hours or even weeks by cooling them with freeze spray, which also allows the memory module to be 'transplanted' into a new machine:

Obviously, the ability to execute the cold boot attack successfully varies considerably across different systems, types of memory, memory manufacturers and motherboard properties.

The researchers also published a set of tools for performing the attack [6].


Cold boot in forensic analysis

A cold boot attack may be used in digital forensics to forensically preserve data contained within memory as criminal evidence.

When it is not practical to preserve data in memory through other means, or where a system is secured and it is not possible to access the computer, a cold boot attack may be used to dump the data contained in random access memory.

For example, a cold boot attack is used when a hard disk is protected with full disk encryption, since the technique allows the extraction of the encryption keys from memory.

In this talk at the Chaos Communication Congress, Robin Bradshaw shows some uses of the cold boot attack, both for forensic and for malicious purposes:

Furthermore, in this video, Olle Segerdahl and Pasi Saarinen demonstrate how to break BitLocker using a cold boot attack:

The cold boot attack can be adapted and carried out in a similar manner on Android smartphones.
Because Android smartphones securely erase encryption keys from memory when the phone is locked, the cold boot is performed by disconnecting the phone's battery to force a hard reset.
The smartphone is cooled down and then reflashed with an operating system image that can perform a memory dump.

In the paper "Cold Boot Attack On Cell Phones, Cryptographic Attacks" [5], Ranbir Bali of Concordia University College of Alberta explains this technique.


References

  1. Data remanence, Wikipedia
  2. Side-channel attack, Wikipedia
  3. Lest We Remember: Cold Boot Attacks on Encryption Keys, Center for Information Technology Policy
  4. The Chilling Reality of Cold Boot Attacks, F-Secure Blog
  5. Cold Boot Attack On Cell Phones, Cryptographic Attacks, Ranbir Bali
  6. Memory Research Project Source Code, Center for Information Technology Policy
