An in-depth analysis of the cold boot attack: Can it be used for sound forensic memory acquisition?

Abstract

The purpose of this technical memorandum is to examine the technical characteristics behind the cold boot attack technique and to understand when and how this technique should be applied to the field of computer forensic investigations. Upon thorough examination of the technique, the authors highlight its advantages, drawbacks, applicability and appropriateness for use in the acquisition of computer memory contents. The original cold boot attack paper, as conducted by a team of students and researchers in 2008, demonstrated the usefulness of computer memory remanence and how this phenomenon could be used to defeat popular disk encryption tools and other data hiding techniques necessary for the safe storage of secret data and information. However, the technique is not a panacea and has many drawbacks dictated by the laws of physics, which cannot be overcome by the technique. The authors believe that a thorough understanding of this phenomenon will empower computer forensic investigators to take advantage of it when appropriate, and they also aim to dispel various distortions surrounding it.

Keywords

Computer forensics, Memory acquisition, Cold boot attack, Software memory acquisition, Hardware memory acquisition, Flash freeze, Platform reset attack, Cold ghosting attack, Iceman attack

Author


Richard Carbone (forensicsrichard@gmail.com)

PDF Document Link

/stable/wp-content/uploads/2011/08/cold_boot_attack_for_forensiscs1.pdf
