Tools used to crack system passwords when Shutdown (video)

Princeton University published a study in February this year, pointing out that the data in DRAM is in a "gradual" process several seconds after the computer is shut down. If the ambient temperature is low, this time will last for several minutes, which means that some data, such as passwords, in the computer system, does not disappear during this time, you can use special methods to obtain and crack sensitive data.Here). Yesterday, the research team published this group of tools for cracking at the h.o. P. E 2008 hacking conference.Their Home PageReleased the source code of the tool.

This tool consists of three parts: Memory imaging allows you to remotely start a computer using the PXE network, or use USB Memory to obtain a Memory image (the tutorial in the compressed package uses iPOD as an example to illustrate the corresponding steps ), the EFI Netboot Imaging Tools are applicable to the BSD system environment under EFI (Extensible Firmware Interface, Extensible Firmware Interface; the Automatic key-finding function can obtain 128/256-bit AES or RSA keys from the memory image respectively. Error-correction for AES key schedules provides 15% Error correction for the obtained AES keys. The group demonstrated this tool at the conference. The final memory data is only 0.1% different from the original data, and less than 0.01% if it is cooling down,The premise of the entire process is that the system is shut down abnormally (that is, the power cord is forcibly removed or the laptop's battery is removed), and the ECC memory is not used.

Due to the physical characteristics of DRAM, the entire cracking method is applicable to almost all disk encryption technologies (Windows, Mac OS, Linux, or any third-party disk encryption tools ), if the computer is not shut down (including locking or sleep), it means that all the key information in the memory stick can be easily obtained with the help of a small tank of compressed coolant after the computer power is forcibly disconnected. You canDownload hereIf you are interested in the dynamic process of data in the memory, you can do this by yourself.This experimentTo observe the data changes (Linux environment ). The following video details the process of the so-called "Cold Boot Attack:

Video watching