ohohlfeld.com : blog

When a machine only slowly forgets – Exploiting TrueCrypt et al.

February 24, 2008

Filed under: papers, research — Oliver @ 10:43 pm

Researchers at Princeton University released a highly interesting paper on Thursday which demonstrates that DRAM contents are not immediately lost when the system is powered off. Their paper shows how this property can be used to defeat state-of-the-art disk encryption tools, such as TrueCrypt, once an attacker gains physical access to the machine.

The root of the problem lies in an unexpected property of today’s DRAM memories. DRAMs are the main memory chips used to store data while the system is running. Virtually everybody, including experts, will tell you that DRAM contents are lost when you turn off the power. But this isn’t so. Our research shows that data in DRAM actually fades out gradually over a period of seconds to minutes, enabling an attacker to read the full contents of memory by cutting power and then rebooting into a malicious operating system. (…) This is deadly for disk encryption products because they rely on keeping master decryption keys in DRAM. This was thought to be safe because the operating system would keep any malicious programs from accessing the keys in memory, and there was no way to get rid of the operating system without cutting power to the machine, which “everybody knew” would cause the keys to be erased. (Source)

Further information, including images and videos as well as an experimental guide to quickly reproducing these results using Linux, can be found here.
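As an added illustration, not code from the post or from the Princeton paper: a toy model of the gradual fading described above. It assumes each cell's time-to-decay is exponentially distributed with a configurable mean and that decayed cells read back as 0; both are modelling choices made here, not figures from the paper.

```python
"""Toy model of DRAM remanence after power-off (constructed illustration).

Cells do not all lose their value at once; each decays toward a ground state
at its own moment, so key material stays partly readable for a while.
Assumptions: exponential decay times, decayed cells read as 0."""
import math
import random


def build_memory(n_cells, rng):
    """Constructed memory image: one random bit per cell."""
    return [rng.randint(0, 1) for _ in range(n_cells)]


def draw_decay_times(n_cells, mean_seconds, rng):
    """Seconds each cell keeps its charge after power loss (assumed exponential)."""
    return [rng.expovariate(1.0 / mean_seconds) for _ in range(n_cells)]


def read_after(memory, decay_times, elapsed_seconds, ground=0):
    """Image a later boot would see: cells past their decay time read as ground."""
    return [ground if t <= elapsed_seconds else bit
            for bit, t in zip(memory, decay_times)]


def fraction_holding(decay_times, elapsed_seconds):
    """Share of cells that have not yet decayed at `elapsed_seconds`."""
    return sum(t > elapsed_seconds for t in decay_times) / len(decay_times)


def scrub(memory):
    """Mitigation the model makes obvious: overwrite key material before
    suspend or shutdown, so there is nothing left to fade."""
    return [0] * len(memory)


def remanence_curve(seed=1, n_cells=50_000, mean_seconds=30.0,
                    checkpoints=(0, 5, 30, 120, 600)):
    """Fraction of cells still holding their value at each checkpoint (seconds)."""
    rng = random.Random(seed)
    times = draw_decay_times(n_cells, mean_seconds, rng)
    return {t: fraction_holding(times, t) for t in checkpoints}


if __name__ == "__main__":
    rng = random.Random(1)
    mem = build_memory(256, rng)            # stands in for a 256-bit key
    times = draw_decay_times(256, 30.0, rng)
    for t in (0, 5, 30, 120):
        errors = sum(a != b for a, b in zip(mem, read_after(mem, times, t)))
        print(f"{t:4d} s: {errors:3d}/256 key bits wrong, "
              f"model expects ~{100 * math.exp(-t / 30):.0f}% of cells intact")
    print("after scrub:", sum(scrub(mem)), "bits of key material left")
```

The curve shows why "cut the power" never was an erase operation: minutes after power-off a meaningful share of cells still holds its value, and only an explicit scrub removes the key.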


© 2001-2008 by Oliver Hohlfeld, M.Sc. | Imprint
