Most people believe that in situations such as a power failure in a modern computer, DRAM retains its contents for a few seconds, at room temperature and even when it is removed from the motherboard. But DRAM is not that reliable: when it is not erased immediately or is no longer refreshed, an attacker can retrieve usable full-system memory images and other important contents from it. Surprisingly, research by Princeton University has clearly shown that the contents of RAM in modern computers remain undamaged after the system BIOS or boot code has finished running, and that this can be exploited. To demonstrate this, we first switch off the system and then try to capture and analyze the contents of the DRAM.
With this project we can capture memory dumps from an Intel x86-64 based PC. Software and hardware mechanisms let us take full advantage of RAM persistence, but using RAM persistence to obtain particular information takes willingness and expertise. The information obtained is not necessarily in human-readable form, which prevents it from being read by other people.
What Is a Cold Boot Attack?
A cold boot attack is an attack in which an attacker with access to the computer retrieves a user's sensitive information from a running operating system by using a cold reboot. A cold reboot is a restart of the machine from a completely “off” state. A cold boot attack normally concentrates on retrieving the memory contents of DRAM and SRAM, which remain readable for a few seconds to a minute after the computer loses power.
In the 1970s it was already known that the contents of DRAM remain readable for up to a few minutes at room temperature, and that cooling extends the retention time. An experiment done in 1978 showed clearly that DRAM which is not refreshed and is cooled with liquid nitrogen does not lose its data for up to a week.
Machines using older memory technologies take longer to decay completely than machines using newer memory technologies. But even on computers that use newer technologies, most attacks are carried out within a very short interval of time.
Launching an Attack:
Step 1: Powering Off the Machine:
There are various types of system reboot, described below. A simple attack configures the BIOS to boot an imaging tool and then restarts the computer system. A warm boot gives software an opportunity to clear the user's sensitive data before the computer system shuts down; this method is based on the system's restart procedure. A cold boot attack is carried out when the computer system's power is removed and the system is restarted. How much of the user's sensitive information decays depends on the memory's retention time.
Step 2: Fetching the Contents of the RAM:
We can fetch the RAM contents in one of two ways: by placing the DRAM in another computer system and starting that system, or by keeping the RAM in the computer system, attaching a bootable USB flash drive and rebooting. Before doing this, we need to set the boot priority of the system to ‘External USB Drive’ to prevent the system from rebooting into its native operating system. The memory-imaging tool or scraper on the USB drive then writes the memory dump of the RAM to the USB drive.
Step 3: Making the Memory Dump Readable:
Then we can analyze the memory dump of the RAM stored on the USB drive. We can make the data in the memory dump readable either by examining it in place or by dumping it to a flat file using ‘dd’. In this project we dumped the data to a flat file.
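
The same three steps can be turned into a check that a wipe-on-shutdown routine works: plant a known canary in RAM, dump the image to a flat file, and scan it for surviving copies while tolerating decayed bits. This is an added example, not code from the original project; the canary value, function names, error threshold, random-flip decay model and in-memory sample images are assumptions constructed for illustration.

```python
import hashlib
import random

# Constructed 32-byte canary; a real test would plant its own random value.
CANARY = hashlib.sha256(b"constructed-cold-boot-canary").digest()


def bit_errors(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def find_canary(image, canary=CANARY, max_error_rate=0.10, align=16):
    """Scan a flat-file image at `align`-byte steps and return
    [(offset, error_rate)] for windows within max_error_rate of the canary."""
    n, total_bits = len(canary), len(canary) * 8
    hits, off = [], 0
    while off + n <= len(image):
        rate = bit_errors(image[off:off + n], canary) / total_bits
        if rate <= max_error_rate:
            hits.append((off, rate))
            off += n          # skip past this copy (n is a multiple of align here)
        else:
            off += align
    return hits


def decayed(data: bytes, flipped_bits: int, seed: int = 1) -> bytes:
    """Simulate decay for the demo by flipping exactly `flipped_bits` distinct bits."""
    out = bytearray(data)
    for pos in random.Random(seed).sample(range(len(data) * 8), flipped_bits):
        out[pos // 8] ^= 1 << (pos % 8)
    return bytes(out)


def demo():
    # Constructed 8 KiB images standing in for a dumped flat file.
    unwiped = bytearray(8192)
    unwiped[4096:4128] = decayed(CANARY, flipped_bits=12)  # 12 of 256 bits lost
    wiped = bytes(8192)                                     # shutdown routine zeroed RAM
    return find_canary(bytes(unwiped)), find_canary(wiped)


if __name__ == "__main__":
    survived, cleared = demo()
    print("unwiped image:", survived)
    print("wiped image:  ", cleared)
```

Any hit in an image taken after shutdown means the canary, and therefore other data held in the same memory, outlived the wipe.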