Bauer J, Gruhn M, Freiling F (2016)
Publication Type: Journal article, Original article
Publication year: 2016
Publisher: Elsevier Ltd
Edited Volumes: Digital Investigation
Book Volume: 16
Pages Range: 65-74
Conference Proceedings Title: Proceedings of the 3rd Annual DFRWS Europe Conference
Event location: Lausanne, Switzerland
DOI: 10.1016/j.diin.2016.01.009
Open Access Link: https://www.sciencedirect.com/science/article/pii/S1742287616300032
As hard disk encryption, RAM disks, persistent data avoidance technology and memory-only malware become more widespread, memory analysis becomes more important. Cold-boot attacks are a software-independent method for such memory acquisition. However, on newer Intel computer systems the RAM contents are scrambled to minimize undesirable parasitic effects of semiconductors. We present a descrambling attack that requires at most 128 bytes of known plaintext within the image in order to perform full recovery. We further refine this attack using the mathematical relationships within the key stream to at most 50 bytes of known plaintext for a dual memory channel system. We therefore enable cold-boot attacks on systems employing Intel's memory scrambling technology.
APA:
Bauer, J., Gruhn, M., & Freiling, F. (2016). Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory. Digital Investigation, 16, 65-74. https://dx.doi.org/10.1016/j.diin.2016.01.009
MLA:
Bauer, Johannes, Michael Gruhn, and Felix Freiling. "Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory." Digital Investigation 16 (2016): 65-74.
BibTeX: Download