I've heard that if your PC is turned off, then an attacker can recover the RAM from the last session. I find this hard to believe. How could it be done?
5 Answers
There is an element of truth to this one - an attack was discovered which took advantage of data remanence in RAM, allowing an attacker to grab data from the RAM in a machine. There was a very short timeframe (a matter of seconds or minutes) in which to do this, but it wasn't a hack of the PC as such.
Simple Wikipedia link to Cold Boot Attack here
And the McGrew link here giving more detail
- But even if the PC is turned off?!!! So, you mean the period while the PC is turning off?? – wisdom Jan 13 '12 at 13:04
- Added extra info. As you will see from the linked article, the machine is cold booted and then you can retrieve info. – Rory Alsop Jan 13 '12 at 13:09
- IIRC: There is a video floating around of a demo of this: freezing the RAM when you power off the PC allows it to retain data longer; they pull it, pop it in, analyze it and get most of the memory off of it. – StrangeWill Jan 13 '12 at 16:42
- For those who think this is only theoretical: They were able to use this technique to create a bootable USB device which could determine someone's Truecrypt hard-drive encryption key automatically, just by plugging it in and restarting the computer. They were also able to recover the memory contents 30 minutes+ later by freezing the RAM (using a simple bottle of canned air) and removing it. Using liquid nitrogen increased this time to *hours*. – BlueRaja - Danny Pflughoeft Jan 13 '12 at 17:53
Yes, but the term 'turned-off' may be confusing.
A computer requires power to run; this you know. A PC is powered from the wall in AC (alternating current) but computer parts require DC (direct current). Inside the desktop PC is a power supply unit that converts AC to DC. As long as the desktop PC is plugged into the wall it always receives AC power.
In the early days a PC had an 'AT' power supply with a switch on the front. The 'AT' type power supply had a push button switch that stopped the DC power. The problem with this was that users would turn off the computer while it was writing to the hard drive. Turning off the power during a hard drive write would cause the hard drive to become corrupted.
So, the next iteration of PC design had an ATX power supply. In this design the power supply connected to the motherboard and the switch on the front of the PC was connected to the motherboard. For the ATX design pushing the off switch sends a signal to the motherboard, the Operating System reads the signal on the motherboard and sends a signal to the power supply.
The power supply has multiple DC outputs. The hard drive (and floppy) used 12 Volts. The CPU took 5 Volts and later 3.3 Volts. The different voltages are independent, so different parts of the computer may be switched off while other parts are on.
When you press the power button on the front of the PC or select turn-off from the Operating System, there are always at least one or two powered components. At the very least, the circuit on the motherboard that receives the power button signal and relays it to the power supply must be powered, and is as long as the PC is plugged into the wall.
The component in question is the RAM (actually DRAM), and it is not easy to tell if the power to the RAM is off or what method of turning the computer off will stop the supply of power to the RAM.
The only way to be absolutely sure there is no power to the RAM is to disconnect the PC from the wall.
As long as power is supplied to the RAM, the RAM will retain the contents of whatever was last in it.
When RAM is removed from power the contents begin to decay and at some point become unreadable. Temperature has an impact on how quickly the data in the RAM decays. Lowering the temperature will slow the decay of the data. A simple "canned air" duster turned upside down will allow an attacker to cool the RAM down to a temperature that allows them to reboot the machine with a custom Operating System designed to extract the contents of RAM.
This attack requires only a bootable CD/DVD or USB Flash Drive and a canned air duster.
- I suspect only your last 3 paragraphs are actually relevant here, with the 4th-from-last possibly being useful on a paranoid theoretical level. As for the rest, I'd really prefer to see some actual statistics on whether any/how many PCs maintain power to the RAM when the PC is 'soft' powered off. I find it very difficult to believe the circuit that lets the motherboard listen for a power-on event keeps the RAM powered, all the time, for no reason. RAM is not the cheapest in terms of resources - power and refresh logic - so why would OEMs waste power on RAM when there's no OS to use it? – underscore_d Oct 18 '15 at 12:48
- @underscore_d Please see https://citp.princeton.edu/research/memory/ on Cold Boot Attacks: "Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at operating temperatures and even if removed from a motherboard." – this.josh Dec 24 '15 at 00:49
- Except that's clearly not what I was talking about, so allow me to repeat myself: I was referring to this: "the circuit [...] that receives the power button signal [...] must be powered and is as long as the PC is plugged into the wall. The only way to be absolutely sure there is no power to the RAM is to disconnect the PC from the wall." Again, although "on a paranoid theoretical level" this is correct for any device, I am highly sceptical that any motherboards maintain _normal_ voltage to the RAM - keeping it _fully_ refreshed - when 'powered' in this passive sense. – underscore_d Dec 24 '15 at 09:50
- RAM isn't normally refreshed in the traditional power off mode, but with the sleep modes, preserving RAM is a requirement, unless it transitions to hibernate. https://en.wikipedia.org/wiki/Sleep_mode – GuitarPicker May 19 '16 at 19:05
- Disconnecting the PC from the wall ensures nothing. Laptops and tablets have batteries. All electronics have capacitors. Phones these days support wireless charging. The only sure way to prevent additional power from flowing into the RAM is to isolate the RAM from other circuitry, and even then, ultraviolet radiation can boost transistor gate voltage (although in an uncontrolled fashion, more likely to destroy data than preserve it). – Ben Voigt May 04 '17 at 14:38
- **This answer is incorrect**. A cold boot attack has nothing to do with powered on RAM. – forest Mar 01 '18 at 06:03
The RAM in a PC is DRAM: each bit is stored in what amounts to a very small capacitor, which leaks, which is why DRAM must be "refreshed" regularly. Typical DRAM is guaranteed to hold a given bit for at least 64 ms, but, in practice, a given bit may linger for longer times, up to several minutes, depending notably on temperature.
See the bottom of the Wikipedia page for details.
Also, many machines (desktops and laptops) have a "sleep mode" in which the CPU is off but the RAM is still powered; this is the mode from which the machine can be "awakened" without going through the whole boot procedure. It seems that real shutdowns have become a rarity nowadays. In such a mode, RAM contents are, by definition, preserved, hence extending the "several minutes" above to arbitrary durations.
- Nice summary, but "real shutdowns have become a rarity nowadays" - do you really think so? I suppose it depends who we're talking about. I'd guess a lot of modern users would be inclined to just shut the lid to sleep and never think about the concept of fully powering off. Whereas my parents probably don't even know they _can_ do that and always shut down fully! I'm in the middle: I know all the options, and I prefer a full shutdown to save power, tidy up the system, and just because I can. – underscore_d Oct 18 '15 at 12:53
I have personally performed the Cold Boot Attack before; it definitely works. I mainly referred to the actual Princeton cold boot paper as well as the McGrew link.
I used dry ice; beware of condensation (use tissue to wipe) since the RAM is colder than the surrounding air. The time frame in which to pull and plug in the RAM is about 5-15 seconds.
I would suggest you look at these two articles. They are quite technical but explain a lot at a low level.
- Peter Gutmann, Data Remanence in Semiconductor Devices
- Peter Gutmann, Secure Deletion of Data from Magnetic and Solid-State Memory
If you are looking also for a counter-measure then I would suggest