Cold boot attack

Typically, cold boot attacks are used for retrieving encryption keys from a running operating system for malicious or criminal investigative reasons.

[1][2][3] The attack relies on the data remanence property of DRAM and SRAM to retrieve memory contents that remain readable in the seconds to minutes following a power switch-off.

[2] With certain memory modules, the time window for an attack can be extended to hours or even a week by cooling them with freeze spray and liquid nitrogen.

[3] Cold boots attacks are typically used for digital forensic investigations, malicious purposes such as theft, and data recovery.

[2] BitLocker in its default configuration uses a trusted platform module that neither requires a PIN, nor an external key to decrypt the disk.

Due to this, two-factor authentication, such as a pre-boot PIN or a removable USB device containing a startup key together with a TPM should be used to work around this vulnerability in the default BitLocker implementation.

While these solutions may reduce the chance of breaking full disk encryption, they provide no protection of other sensitive data stored in memory.

Keys stored at this level cannot easily be read from userspace[citation needed] and are lost when the computer restarts for any reason.

TRESOR and Loop-Amnesia both must use on-the-fly round key generation due to the limited space available for storing cryptographic tokens in this manner.

It works by disabling a CPU's L1 cache and uses it for key storage, however, this may significantly degrade overall system performance to the point of being too slow for most purposes.

The strong atomicity guarantee provided by HTM, is utilized to defeat illegal concurrent accesses to the memory space that contains sensitive data.

Note that, the RSA private key is encrypted in initial state, and it is a result of write operations (or AES decryption).

To minimize access to encrypted information on the operating system hard disk, the machine should be completely shut down when not in use to reduce the likelihood of a successful cold boot attack.

Configuring an operating system to shut down or hibernate when unused, instead of using sleep mode, can help mitigate the risk of a successful cold boot attack.

One method involves soldering or gluing in the memory modules onto the motherboard, so they cannot be easily removed from their sockets and inserted into another machine under an attacker's control.

[2] However, this does not prevent an attacker from booting the victim's machine and performing a memory dump using a removable USB flash drive.

Memory scrambling may be used to minimize undesirable parasitic effects of semiconductors as a feature of modern Intel Core processors.

Sleep mode provides no additional protection against a cold boot attack because data typically still resides in memory while in this state.

As such, full disk encryption products are still vulnerable to attack because the keys reside in memory and do not need to be re-entered once the machine resumes from a low power state.

[10][46] The BIOS settings can also be modified while the system is running to circumvent any protections enforced by it, such as memory wiping or locking the boot device.

[50] A cold boot can be performed by disconnecting the phone's battery to force a hard reset or holding down the power button.

Liquid nitrogen, freeze spray or compressed air cans can be improvised to cool memory modules, and thereby slow down the degradation of volatile memory