Re: [Full-disclosure] round and round they go

I would think a more realistic scenario might be a person working at an airport shutting their system down then getting it stolen vs a forensic examiner yanking the cord on purpose. Just an observation.

----- Original Message -----
From: matthew wollenweber [mailto:mwollenweber@xxxxxxxxx]
To: lists@xxxxxxxxxxxxxx
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Sent: Fri, 22 Feb 2008 09:57:55 -0500
Subject: Re: [Full-disclosure] round and round they go

I found the article interesting, but I wonder about it's practicality. If
you have physical access to the box you never really need to power down the
box in the first place and generally if the box is already on, I think most
people would prefer to attack a service to get on the system directly. But
there are some special cases where these techniques will likely be very
useful.

For me, I've always disliked the practice of doing live forensic discovery.
I'd much rather get a clean disk dump than to poke around on the system
first, but losing RAM sucks. Maybe now IR/Forensic guys can get the best of
both worlds? They can yank the power to save the disk state and dump memory
by using the techniques described in the article. :)


On Fri, Feb 22, 2008 at 8:32 AM, niclas <lists@xxxxxxxxxxxxxx> wrote:

http://blog.wired.com/27bstroke6/2008/02/researchers-dis.html

(cooling down DRAMs keeps their contents for longer time, even during
reboot.)

well, this shows how important mechanical security still is, even with
all the crypto-stuff out there. if you e.g. just *glued* your RAM
modules into your motherboard, the option left would be booting a
malicious OS. a BIOS-password might put delays on that.

so, if it is really secret put your PC in a locked steel box!

as a dircet countermeasure you might as well consider a simple
temperature sensor next to your DRAMs, releasing [evil self-destruction
hack] when temperatures drop below 0?C.

thermite does a good job on destroying HDDs but it's very dangerous.

it's probably more easy to use this device then:
http://www.wiebetech.com/products/HotPlug.php

looking at these two methods, i notice how "they" (whoever) seem to aim
not only on physical access but also more and more on surprising the
crypto-user. "they" might use the methods mentioned above or just hit
you with a flashbang, so you can't press the lock key anymore. this
worries me more than any it-related security flaw. i don't want the
police to behave like that.

n.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




--
Matthew Wollenweber
mwollenweber@xxxxxxxxx | mjw@xxxxxxxxxxxxx
www.cyberwart.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/