[TOOL] McGrew Security RAM Dumper
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 3 Mar 2008 16:06:56 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
McGrew Security RAM Dumper
------------------------------------------------------------------------
SUMMARY
DETAILS
Overview:
A short while back, a paper (http://citp.princeton.edu/memory/) was
published by researchers at Princeton University describing the process of
recovering encryption keys from memory after a cold boot. This surprised
many people, since most assume that RAM, being volatile storage, is erased
the moment power is removed. That assumption is incorrect.
When the idea of memory retaining state for a short time was first brought
to my attention a little over a year ago, I ran a few experiments similar
to this one, just to prove it to myself. The desktop machines I tried would
hold state for anywhere between 5 and 10 seconds without power, whereas my
laptop, with no battery or wall power, would maintain state for an amazing
10 minutes. I used a Linux bootable CD to get an image of memory from a
Windows machine to data carve, and found some interesting things. The
footprint of the Linux OS was huge, though, and this interfered with my
ability to capture as much memory from the previously running operating
system as possible.
The Princeton researchers applied this method to the recovery of
encryption keys, with great results. They also cooked up a way to image
the contents of RAM with a very small footprint, overwriting only a small
amount of memory in the process. Unfortunately, at the time of writing
this, their tool hasn't been released. I decided that it wouldn't be hard
to go ahead and implement one myself, based on their paper and the YouTube
video posted above, so that I (and others) can go ahead and start having
fun.
So, as a small side project, I've written "msramdmp", the McGrew Security
RAM Dumper. Enjoy!
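What a practitioner does with the dump once it exists, as an added example that is not part of msramdmp or of the Princeton tool: a Python scanner that carves AES-128 keys out of a memory image by locating their expanded key schedules, the technique the Princeton paper applies. It runs over a constructed 16 KB image (random filler with one schedule embedded at an assumed, unaligned offset and two bits flipped to imitate decay; the key is the FIPS-197 example key). The sample image, the offsets and the error tolerance are assumptions for illustration, not measurements from a real dump.

```python
"""Added example, not msramdmp code: carve AES-128 keys out of a RAM image by
finding their expanded key schedules (the Princeton cold-boot approach)."""
import random
from typing import List, Tuple

def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def _build_sbox() -> List[int]:
    """Derive the S-box (GF(2^8) inverse, then affine map) instead of typing the table."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0)
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox

SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
SCHEDULE_LEN = 176  # 11 round keys x 16 bytes for AES-128

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _g(word: bytes, i: int) -> bytes:
    """Transform applied to w[i-1] when deriving w[i] (FIPS-197 section 5.2)."""
    if i % 4:
        return word
    subbed = bytes(SBOX[b] for b in word[1:] + word[:1])  # RotWord then SubWord
    return bytes([subbed[0] ^ RCON[i // 4 - 1]]) + subbed[1:]

def expand_key(key: bytes) -> bytes:
    """AES-128 key expansion: 16-byte key -> 176-byte schedule."""
    w = [key[i:i + 4] for i in range(0, 16, 4)]
    for i in range(4, 44):
        w.append(_xor(w[i - 4], _g(w[i - 1], i)))
    return b"".join(w)

def _bit_errors(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def _schedule_errors(region: bytes) -> int:
    """Check each word of a 176-byte region against what the schedule says it
    should be, computed from the region's own earlier words, so a decayed bit
    only disturbs the two or three checks that read it."""
    w = [region[i:i + 4] for i in range(0, SCHEDULE_LEN, 4)]
    return sum(_bit_errors(w[i], _xor(w[i - 4], _g(w[i - 1], i))) for i in range(4, 44))

def _repair_key(region: bytes) -> bytes:
    """Two candidates: the first 16 bytes as found, and the key re-derived backwards
    from round 1 (w[j] = w[j+4] ^ g(w[j+3])). Keep the one whose expansion
    disagrees least with the region."""
    w = [region[i:i + 4] for i in range(0, 32, 4)]
    derived = b"".join(_xor(w[j + 4], _g(w[j + 3], j + 4)) for j in range(4))
    return min((region[:16], derived), key=lambda k: _bit_errors(expand_key(k), region))

def find_aes128_keys(image: bytes, max_bit_errors: int = 12) -> List[Tuple[int, bytes, int]]:
    """Slide over the image; return (offset, key, decayed_bits) for every window
    that is an AES-128 key schedule with at most max_bit_errors flipped bits."""
    prefilter = min(max_bit_errors, 6)
    hits = []
    for off in range(len(image) - SCHEDULE_LEN + 1):
        w0, w3, w4 = image[off:off + 4], image[off + 12:off + 16], image[off + 16:off + 20]
        if _bit_errors(w4, _xor(w0, _g(w3, 4))) > prefilter:  # cheap first-word test
            continue
        region = image[off:off + SCHEDULE_LEN]
        errs = _schedule_errors(region)
        if errs <= max_bit_errors:
            hits.append((off, _repair_key(region), errs))
    return hits

# Constructed sample image (assumption: not a real dump). Key is the FIPS-197 example key.
KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
KEY_OFFSET = 4096 + 7  # deliberately unaligned

def build_sample_image() -> bytes:
    """Random filler with one schedule embedded and two bits 'decayed', one of
    them inside the key bytes themselves."""
    rng = random.Random(2008)
    buf = bytearray(rng.getrandbits(8) for _ in range(16384))
    buf[KEY_OFFSET:KEY_OFFSET + SCHEDULE_LEN] = expand_key(KEY)
    buf[KEY_OFFSET + 5] ^= 0x08    # flip a bit in key word w[1]
    buf[KEY_OFFSET + 100] ^= 0x40  # flip a bit in a later round key
    return bytes(buf)

if __name__ == "__main__":
    for off, key, errs in find_aes128_keys(build_sample_image()):
        print(f"offset {off:#x}: key {key.hex()} ({errs} decayed bits)")
```

Each word of a candidate window is checked against the word the AES schedule derives from the window's own earlier words, so a decayed bit costs only a few bit errors instead of invalidating the whole window, and a bit lost from the key bytes themselves is recovered by re-deriving the key backwards from round 1. The two-candidate repair covers decay in a single key word; if the damaged word is w[3], which also feeds the backward derivation of w[0], neither candidate is exact and a per-word vote across more rounds is needed, which is the kind of error correction the paper describes. On a real dump the tolerance should also account for decay direction, since bits drift toward a ground state rather than flipping at random.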
ADDITIONAL INFORMATION
The information has been provided by Wesley McGrew <wesley@xxxxxxxxxxxxxxxxxx>.
To keep updated with the tool, visit the project's homepage at:
http://mcgrewsecurity.com/projects/msramdmp/
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.