An in-depth analysis of the cold boot attack – Can it be used for sound forensic memory acquisition?

Authors
  1. Carbone, R.
  2. Bean, C.
  3. Salois, M.
Corporate Authors
Defence R&D Canada - Valcartier, Valcartier QUE (CAN)
Abstract
The purpose of this technical memorandum is to examine the technical characteristics behind the cold boot attack technique and to understand when and how this technique should be applied to the field of computer forensic investigations. Upon thorough examination of the technique, the authors highlight its advantages, drawbacks, applicability and appropriateness for use in the acquisition of computer memory contents. The original cold boot attack paper, as conducted by a team of students and researchers in 2008, demonstrated the usefulness of computer memory remanence and how this phenomenon could be used to defeat popular disk encryption tools and other data hiding techniques necessary for the safe storage of secret data and information. However, the technique is not a panacea and has many drawbacks dictated by the laws of physics, which cannot be overcome by the technique. The authors believe that a thorough understanding of this phenomenon will empower computer forensic investigators to take advantage of it when appropriate but also aim at dispelling various distortions surrounding it.

A French abstract is available here.

Keywords
Iceman attack; Cold ghosting attack; Platform reset attack; Flash freeze; Software memory acquisition; Hardware memory acquisition; Forensic analysis; Computer forensics
Report Number
DRDC-VALCARTIER-TM-2010-296 — Technical Memorandum
Date of publication
01 Jan 2011
Number of Pages
118
DSTKIM No
CA034800
CANDIS No
534323
Format(s):
Electronic Document (PDF)
