All times are UTC - 5 hours [ DST ]
Post new topic Reply to topic  [ 6 posts ] 
 Post subject: New Research Result: Cold Boot Attacks on Disk Encryption
PostPosted: December 6th, 2009, 15:37 

Joined: March 30th, 2009, 3:44
Posts: 17
Location: Pakistan, Karachi
Very Interesting Data Thief

Today eight colleagues and I are releasing a significant new research result. We show that disk encryption, the standard approach to protecting sensitive data on laptops, can be defeated by relatively simple methods. We demonstrate our methods by using them to defeat three popular disk encryption products: BitLocker, which comes with Windows Vista; FileVault, which comes with MacOS X; and dm-crypt, which is used with Linux. The research team includes J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten.

Our site has links to the paper, an explanatory video, and other materials.

The root of the problem lies in an unexpected property of today's DRAM memories. DRAMs are the main memory chips used to store data while the system is running. Virtually everybody, including experts, will tell you that DRAM contents are lost when you turn off the power. But this isn't so. Our research shows that data in DRAM actually fades out gradually over a period of seconds to minutes, enabling an attacker to read the full contents of memory by cutting power and then rebooting into a malicious operating system.

Interestingly, if you cool the DRAM chips, for example by spraying inverted cans of "canned air" dusting spray on them, the chips will retain their contents for much longer. At these temperatures (around -50 °C) you can remove the chips from the computer and let them sit on the table for ten minutes or more, without appreciable loss of data. Cool the chips in liquid nitrogen (-196 °C) and they hold their state for hours at least, without any power. Just put the chips back into a machine and you can read out their contents.

This is deadly for disk encryption products because they rely on keeping master decryption keys in DRAM. This was thought to be safe because the operating system would keep any malicious programs from accessing the keys in memory, and there was no way to get rid of the operating system without cutting power to the machine, which "everybody knew" would cause the keys to be erased.
Our results show that an attacker can cut power to the computer, then power it back up and boot a malicious operating system (from, say, a thumb drive) that copies the contents of memory. Having done that, the attacker can search through the captured memory contents, find any crypto keys that might be there, and use them to start decrypting hard disk contents. We show very effective methods for finding and extracting keys from memory, even if the contents of memory have faded somewhat (i.e., even if some bits of memory were flipped during the power-off interval). If the attacker is worried that memory will fade too quickly, he can chill the DRAM chips before cutting power.

There seems to be no easy fix for these problems. Fundamentally, disk encryption programs now have nowhere safe to store their keys. Today's Trusted Computing hardware does not seem to help; for example, we can defeat BitLocker despite its use of a Trusted Platform Module.

See also the complete video on this web site: http://citp.princeton.edu/memory/
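The key-finding step the post describes, as an added example (not code from the original post or from the Princeton team's tools): a scan for AES-128 key schedules in a memory image that tolerates decayed bits, the kind of check a defender runs on a RAM dump of a test machine to confirm that a disk encryption product really scrubs its expanded keys before lock, suspend or hibernate. The constructed 2 KiB image, the FIPS-197 test key, the three injected bit flips and the threshold of 20 error bits are this example's assumptions.

```python
import random

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def gmul(a, b):  # multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1
    r = 0
    while b:
        if b & 1: r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _make_sbox():  # AES S-box: GF(2^8) inverse followed by the affine map
    inv = [0] + [next(b for b in range(1, 256) if gmul(a, b) == 1) for a in range(1, 256)]
    rotl = lambda x, k: ((x << k) | (x >> (8 - k))) & 0xFF
    return [v ^ rotl(v, 1) ^ rotl(v, 2) ^ rotl(v, 3) ^ rotl(v, 4) ^ 0x63 for v in inv]
SBOX = _make_sbox()

def next_word(prev, last, i):
    """Word i of an AES-128 schedule from words i-4 and i-1 (FIPS-197 key expansion)."""
    t = list(last)
    if i % 4 == 0:  # RotWord, SubWord and Rcon at the start of every round
        t = [SBOX[t[1]] ^ RCON[i // 4 - 1], SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
    return bytes(p ^ q for p, q in zip(prev, t))

def expand_key(key):
    """Expand a 16-byte key into the 176-byte round-key schedule that lives in RAM."""
    w = [bytes(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        w.append(next_word(w[i - 4], w[i - 1], i))
    return b"".join(w)

def schedule_errors(blob):
    """Bits at which a 176-byte blob violates the expansion rule, checked word by word,
    so one decayed bit costs a few local mismatches instead of failing the whole blob."""
    w = [blob[4 * i:4 * i + 4] for i in range(44)]
    return sum(bin(a ^ b).count("1") for i in range(4, 44)
               for a, b in zip(next_word(w[i - 4], w[i - 1], i), w[i]))

def find_aes128_schedules(image, max_errors=20):
    """(offset, error bits) for every position that still holds an AES-128 schedule."""
    scored = ((off, schedule_errors(image[off:off + 176])) for off in range(len(image) - 175))
    return [hit for hit in scored if hit[1] <= max_errors]

def decayed_image():
    """Constructed 'RAM dump': filler, the FIPS-197 key's schedule at 1000, three decayed bits."""
    rng = random.Random(7)
    image = bytearray(rng.getrandbits(8) for _ in range(2048))
    image[1000:1176] = expand_key(bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"))
    for pos in (5, 70, 136):  # flips outside the SubWord path: 1 + 3 + 3 mismatches
        image[1000 + pos] ^= 0x01
    return bytes(image)
```

A real dump that still scores a hit after the product claims to have wiped its keys is the finding to act on; the threshold is a tunable for how far decay has progressed, and a schedule shifted by whole rounds also scores low, so the lowest-error offset is the true start.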


 Post subject: Re: New Research Result: Cold Boot Attacks on Disk Encryption
PostPosted: December 6th, 2009, 17:09 

Joined: December 24th, 2007, 16:08
Posts: 1420
Location: EUROPE
wow, that's really nice to know,

Intel are building some technology so that when the computer is stolen they lock it down, but the hard disk can still be removed and all the files accessed (if they are not protected).

_________________
ZeBong
" what happened in Russia stays in Russia "
" Russia once again "


 Post subject: Re: New Research Result: Cold Boot Attacks on Disk Encryption
PostPosted: December 6th, 2009, 22:18 

Joined: September 29th, 2005, 12:02
Posts: 3564
Location: Chicago
I believe I read something similar at least one year ago.
And I believe this "hack" is only possible if a stolen laptop was using sleep mode, but not a real shutdown or hibernate.
To avoid such "hacks", just use hibernate on your laptops instead of sleep.

_________________
SAN, NAS, RAID, Server, and HDD Data Recovery.


 Post subject: Re: New Research Result: Cold Boot Attacks on Disk Encryption
PostPosted: December 7th, 2009, 1:21 

Joined: August 8th, 2007, 6:32
Posts: 1238
Location: inside ROM
Great stuff, just wondering if you guys are able to defeat LACIE D2 Safe biometric external drives.


 Post subject: Re: New Research Result: Cold Boot Attacks on Disk Encryption
PostPosted: December 7th, 2009, 5:56 

Joined: May 5th, 2004, 20:06
Posts: 2782
Location: England
This is someone else's research. Nothing new at all!

hmmm, biometric finger readers are crackable in more than one way ;o) You just need to be MI5 or FSB trained for this lol 8)

The hack they talk about is typical when a potential criminal suspect's house is raided and he/she switches off his/her laptop/desktop.

_________________
All went well until I plugged the drive in.


 Post subject: Re: New Research Result: Cold Boot Attacks on Disk Encryption
PostPosted: December 7th, 2009, 15:36 

Joined: June 9th, 2008, 12:06
Posts: 213
I've done these CBAs for fun on my own computers long ago. Pretty easily done via USB and a Linux flash drive, or similar, but the main problem is that you have to have access to the computer within a short period of time for the contents of RAM to be preserved well enough. Of course there are workarounds, and even ways to acquire a desktop live from a work site and bring it into your lab without ever losing power, etc. (see Wtech's live acquisition HW, etc.), but none of this helps you if you are given a laptop HD, or a system that has NOT had power for any appreciable period of time, which is 99% of the cases we get. SOMETIMES we are called onsite to a live system, but 99% of the time the system is already compromised from a security standpoint and the techniques avail nothing. If someone can gain access to my server, pull the plug on it and remove the RAM or run a boot disk, etc., then my security needs tightening. From a DR perspective, it would/could be useful to acquire a company's data in certain situations, but usually we get bare drives or systems that have been powered off for long periods of time.

_________________
http://pcrecoveryllc.com

