Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

Beitrag in einer Fachzeitschrift

Details zur Publikation

Autorinnen und Autoren: Bauer J, Gruhn M, Freiling F
Titel Sammelwerk: Digital Investigation
Zeitschrift: Digital Investigation
Verlag: Elsevier Ltd
Jahr der Veröffentlichung: 2016
Band: 16
Tagungsband: Proceedings of the 3rd Annual DFRWS Europe Conference
Seitenbereich: 65-74
ISSN: 1742-2876
eISSN: 1873-202X


As hard disk encryption, RAM disks, persistent data avoidance technology and memory-only malware become more widespread, memory analysis becomes more important. Cold-boot attacks are a software-independent method for such memory acquisition. However, on newer Intel computer systems the RAM contents are scrambled to minimize undesirable parasitic effects of semiconductors. We present a descrambling attack that requires at most 128 bytes of known plaintext within the image in order to perform full recovery. We further refine this attack using the mathematical relationships within the key stream to at most 50 bytes of known plaintext for a dual memory channel system. We therefore enable cold-boot attacks on systems employing Intel's memory scrambling technology.

FAU-Autorinnen und Autoren / FAU-Herausgeberinnen und Herausgeber

Bauer, Johannes
Lehrstuhl für Informatik 1 (IT-Sicherheitsinfrastrukturen)
Freiling, Felix Prof. Dr.-Ing.
Lehrstuhl für Informatik 1 (IT-Sicherheitsinfrastrukturen)
Gruhn, Michael
Lehrstuhl für Informatik 1 (IT-Sicherheitsinfrastrukturen)


Bauer, J., Gruhn, M., & Freiling, F. (2016). Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory. Digital Investigation, 16, 65-74. https://dx.doi.org/10.1016/j.diin.2016.01.009

Bauer, Johannes, Michael Gruhn, and Felix Freiling. "Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory." Digital Investigation 16 (2016): 65-74.


Zuletzt aktualisiert 2019-28-07 um 07:14