[Noisebridge-discuss] Cold Boot Attacks on Disk Encryption

Jacob Appelbaum jacob at appelbaum.net
Tue Mar 4 18:39:29 UTC 2008


Kristian Erik Hermansen wrote:
> On Tue, Mar 4, 2008 at 10:18 AM, Jacob Appelbaum <jacob at appelbaum.net> wrote:
>>  Using the linux kernel is a bad idea. If you're using it to do forensics
>>  on a linux system it becomes clear why this is so...
>>
>>  Give a linux system a reboot into single user mode and cat /dev/mem
>>  after a population of memory. You'll see your string but you probably
>>  won't see a lot of kernel memory from the previous boot...
> 
> Good points.  How many bytes did your custom utilities consume?  Did
> you have some special algorithm/method of loading the utilities to
> minimize RAM usage or choose perhaps a location which would likely be
> untouched by the previous booted OS?  Were all the utils written in
> pure asm to get the greatest efficiency in mem usage?  I look forward
> to hearing the reply...

For the paper, we implemented a SYSLINUX program much like the one
linked to previously in this thread. However, recently, we've taken that
up a step and have something much smaller. For the size of the USB
dumper, it's on the order of 8K. It can be made smaller if we strip all
strings and unneeded functions out of the payload.

Writing things in assembler was required but not for the entire program,
only for specific things. C is just fine for the main component of the
scraper.

-jake
