
About a week ago, researchers demonstrated how encryption keys can be retrieved from memory if the attacker has physical access to a computer that is switched on or in standby.
Someone from McGrew Security has released a tool called msramdmp that does just that. He put together a utility that runs under syslinux to capture the data and installed it on a USB thumb drive. The result is a device that boots on a machine and copies the contents of RAM before they are overwritten by anything else.
The Princeton researchers applied this method to the recovery of encryption keys, with great results. They also cooked up a way to image the contents of RAM with a very small footprint, only overwriting a small amount of memory in the process. Unfortunately, at the time of writing this, their tool, ram2usb, hasn't been released. I decided that it wouldn't be hard to go ahead and implement one myself, based off their paper and YouTube video posted above, so that I (and others) can go ahead and start having fun.
So, as a small side project, I've written "msramdmp", the McGrew Security RAM Dumper. Enjoy!
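The point the post makes is that a key stays in RAM until something overwrites it, so a dump taken straight from memory will contain it. The C program below is an added illustration of that risk from the defender's side; it is not code from the original post, from the Princeton paper or from msramdmp. It simulates a physical memory image, places a constructed 128-bit key in it the way a crypto library would, and compares a naive suspend (the process just stops using the key) with a suspend path that scrubs the key through a volatile pointer so the compiler cannot drop the writes. The buffer size, offset and key bytes are constructed for the demonstration.

```c
/* Added example (not part of the original post or of msramdmp):
 * why a RAM image can contain a key, and why keys must be scrubbed
 * with a wipe the compiler cannot optimise away before standby.
 * All sizes, offsets and key bytes below are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define RAM_SIZE 4096
#define KEY_LEN 16

/* Simulated physical memory, as a RAM dumper would capture it. */
static uint8_t ram_image[RAM_SIZE];

/* Constructed 128-bit key (placeholder for the demonstration). */
static const uint8_t demo_key[KEY_LEN] = {
    0x2b,0x7e,0x15,0x16,0x28,0xae,0xd2,0xa6,
    0xab,0xf7,0x15,0x88,0x09,0xcf,0x4f,0x3c };

/* Wipe that survives optimisation: the stores go through a volatile
 * pointer, so they cannot be discarded as dead writes, which is the
 * usual defect with a plain memset() on a buffer never read again. */
void secure_zero(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Place the key at an offset, as a library does when it loads key
 * material into working memory. */
void load_key(size_t offset) {
    memcpy(ram_image + offset, demo_key, KEY_LEN);
}

/* Naive suspend: the process simply stops touching the key. Nothing
 * in RAM changes, which is the state a memory dump captures. */
void suspend_without_wipe(size_t offset) { (void)offset; }

/* Hardened suspend: scrub the key before the machine goes to standby. */
void suspend_with_wipe(size_t offset) {
    secure_zero(ram_image + offset, KEY_LEN);
}

/* Check over a captured image: offset of the first full copy of
 * `key`, or -1 if no copy remains. Useful for confirming that a
 * scrub path actually removed the material. */
long key_residue_offset(const uint8_t *image, size_t image_len,
                        const uint8_t *key, size_t key_len) {
    for (size_t i = 0; i + key_len <= image_len; i++)
        if (memcmp(image + i, key, key_len) == 0) return (long)i;
    return -1;
}

int main(void) {
    size_t off = 1000;
    load_key(off);
    suspend_without_wipe(off);
    printf("after naive suspend: key at offset %ld\n",
           key_residue_offset(ram_image, RAM_SIZE, demo_key, KEY_LEN));
    suspend_with_wipe(off);
    printf("after scrubbed suspend: key at offset %ld\n",
           key_residue_offset(ram_image, RAM_SIZE, demo_key, KEY_LEN));
    return 0;
}
```

The first search reports the key at offset 1000 after the naive suspend; the second reports -1 once the scrub has run. The same scan over a real dump is how you verify that a suspend or logout path really does clear key material rather than assuming it does.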
Security4all Blog