Symantec Blogs: Security Response

Josh Talbot | March 26th, 2008

Building on the Cold Boot research that was released in February of 2008, Tom Liston and Sherri Davidoff of Intelguardians presented “Cold Memory Forensics Work Shop” at CanSecWest 2008. The research showed that, when a system is cold booted, the supposed volatility of conventional RAM is a half-truth. In many cases memory will continue to hold state for seconds, and sometimes even minutes, after a system has been powered off.

In a Cold Boot attack, an attacker with physical access to a system reboots the computer and dumps the contents of RAM for forensic analysis, recovering sensitive information (passwords, encryption keys, documents, etc.). In the Cold Memory Forensics Work Shop, Tom and Sherri discussed their findings in leveraging the Cold Boot techniques to harvest information from systems exposed during penetration testing, as well as their work in developing tools that will help quickly identify passwords that were stored in memory. Their goal is to be able to retrieve...