When it comes to recovering encryption keys from memory nobody has a more intriguing method than Princeton University researchers. We explore a method known as the “Cold Boot Attack”. Plus, a clever DirectX injecting UI widget for your PC games that means the end of ALT+Tab.


When it comes to recovering encryption keys from memory nobody has a more intriguing method than Princeton University researchers who pioneered what is known as the Cold Boot Attack.

Their paper, Lest We Remember: Cold Boot Attacks on Encryption Keys, debunks the popular assumption that RAM modules lose their contents the instant power is lost. As it turns out, the degradation of memory contents can take seconds to minutes at room temperature. Furthermore, this degradation can be slowed considerably by cooling the memory module.

The researchers go on to outline several methods for copying memory from a reset computer or extracted RAM module. Princeton University’s Center for Information Technology Policy site maintains the paper, videos, and source code from the research.

The USB/PXE imaging tool combined with the AES key-finding tool makes for a powerful combination. In this week’s show we discuss and demo these tools in action.
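To show why the AES key-finding step works at all, here is an added illustration in Python (not the Princeton tool’s code, and not from the show): an AES-128 key in RAM is usually accompanied by its 176-byte expanded key schedule, which is fully determined by the 16 key bytes, so any 16-byte window whose expansion matches the bytes that follow it is almost certainly a key. The memory image below is constructed (random filler with the FIPS-197 sample key’s schedule planted at offset 1000), and the second scan shows why crypto libraries zero the schedule when they are done with it.

```python
# Added example (not the Princeton tool's code): why an AES-128 key schedule
# left in RAM is easy to spot, and why scrubbing it removes the signature.
import random

def _make_sbox():
    """AES S-box: multiplicative inverse in GF(2^8), then the affine map."""
    sbox, p, q = [0] * 256, 1, 1
    for _ in range(255):  # p walks every nonzero field element once
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF        # q /= 3
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)       # 4 rotations
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
    sbox[0] = 0x63
    return sbox

SBOX = _make_sbox()

def expand_key(key: bytes) -> bytes:
    """AES-128 key schedule (FIPS-197 5.2): 16 key bytes -> 176 bytes."""
    w, rcon = list(key), 1
    for i in range(16, 176, 4):
        t = w[i - 4:i]
        if i % 16 == 0:  # RotWord, SubWord, Rcon on every fourth word
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = (rcon << 1) ^ (0x11B if rcon & 0x80 else 0)
        w += [w[i - 16 + j] ^ t[j] for j in range(4)]
    return bytes(w)

def find_aes128_keys(dump: bytes) -> list:
    """(offset, key) for every 16-byte window followed by its own schedule."""
    hits = []
    for off in range(len(dump) - 175):
        k = dump[off:off + 16]
        # cheap test on the first expanded word before a full expansion
        t = [SBOX[k[13]] ^ 1, SBOX[k[14]], SBOX[k[15]], SBOX[k[12]]]
        if all(dump[off + 16 + j] == k[j] ^ t[j] for j in range(4)) \
                and dump[off:off + 176] == expand_key(k):
            hits.append((off, k))
    return hits

def demo() -> tuple:
    """Constructed image: random filler plus one schedule planted at 1000."""
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 key
    image = bytearray(random.Random(7).randbytes(4096))
    image[1000:1176] = expand_key(key)
    before = find_aes128_keys(bytes(image))
    image[1000:1176] = bytes(176)  # a scrubbing library zeroes the schedule
    return before, find_aes128_keys(bytes(image))
```

The first scan returns the key at offset 1000; after the schedule is zeroed, nothing is found, which is the property a defender wants from software that handles keys.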

We also touch on the McGrew Security RAM Dumper and Foremost.

After laying the groundwork for this attack, I’ll be back in the studio next week with more in-depth demos and answers to your questions. Please send your feedback and questions along to feedback@hak5.org.

Darren Kitchen

PlayXPert is a unique in-game overlay for PC and MMO games, combining social media and the web with the things that matter in-game: high FPS and undisturbed gameplay. PlayXPert lets you play your game without ever having to Alt-Tab out of it; you download the small widgets and customize your opacity, widget settings, and key bindings. You can see it for yourself at their site: PlayXPert.

Shannon Morse

Also don’t forget about our first ever official Hak5 Meetup at Busch Gardens Williamsburg on August 15th. Find all the details at hak5meetup.squarespace.com or RSVP on Facebook.


27 Comments

  • AndiC 5 years ago

    When I saw the last video 520 about TrueCrypt.

    I suddenly thought I saw a video that was going around a year or two ago demoing how to freeze the contents of RAM with a can of compressed air and then using software to recover encryption keys and all sorts of other data.

    I am sure you have seen the original; I believe they did it on a MacBook?

    good stuff

  • WooDoo 5 years ago

    Nice episode, I was wondering if you could upload your compiled version of the software that you had on your usb. (For memory dump)

    regards

  • The Sorrow 5 years ago

    Cool episode, I’d love to see more episodes on USB hacks for my pentesting at school

  • BeanBag 5 years ago

    PXP is an awful program to set up, my first account wouldn’t let me log in despite knowing the password, so I created another account which did let me log in. Then I discovered it doesn’t work with Windows 7! so I uninstalled, now all I want to do is delete the accounts, but the website doesn’t let me do that!!

    In my opinion it is a waste of time, just add all your games to your steam list so you can get the overlay in any game.

  • Thanks for the name-drop guys!

  • Good show! Darren, have you seen the Volatility framework for memory analysis? It’s at https://www.volatilesystems.com/default/volatility/
    I’ve used it and it’s very cool.
    KP

  • Sank you very much. your kung fu is SUPER! Stick around keep up the good works guys!!!!

  • AndiC 5 years ago

    @BeanBag

    you slamming a product that doesn’t work with a beta OS? (an OS that isn’t finalised or out yet), give them a break!!!!!

    They probably do have a development version that works with windows 7 just haven’t released it to general public yet.

  • AndiC 5 years ago

    @WooDoo

    if you can’t compile it, learn!

    if you can’t compile code then hacking isn’t for you.

  • @WooDoo

    Just simply run make. If you mess up, make clean and try again. You’ll notice in the video I show the small configuration change that needs to be made to the Makefile if you’re using GCC 4.1 or later. Or you could simply compile it with an older version of GCC without the hassle of editing 3 makefiles. Breezy Badger anyone?

  • BeanBag 5 years ago

    @ AndiC

    Most of my complaints were actually about the online services to do with my account if you read carefully.

    I only had one problem with the actual program and I only noted that out of frustration because it took so long to get the damn online services working.

  • Popsicle-Pete 5 years ago

    Great Show! I’m actually comparing available options for disk encryption for my company. This type of hacking sets some obvious warning signs.

    I built a test environment with a TrueCrypt volume along with some Windows-encrypted directories. I keep getting hung up after dd’n the USB drive:

    # sudo dd if=scraper.bin of=/dev/sdb1

    1) The USB drive no longer mounts under linux / Windows after I dd.

    2) I plug it in, reboot, boot from USB, and get the following endless loop:

    Bootstrap loaded… trying packet mode… starting.

    Any ideas?

  • @Popsicle-Pete

    I went through three cheap USB drives (vendor swag from CES) before I got a working one. Same problem, after using dd the drive wouldn’t mount or would cause some interesting errors when trying to boot off. Not sure if I’ll ever be able to recover the drives — I haven’t tried but win/linux doesn’t even see one of ‘em.

    Sorry no good answer for ya. Just be careful and keep at it. The drive that worked for me was a 4gig from Micro Center. House brand. Not sure how much that helps. Report back if you find one that works.

  • Hey, never heard of cold boot before, nice to know!

  • BeanBag – I can delete your accounts if you want :P Sorry about the trouble you had registering, not sure why that occurred – but we’re looking into a couple things that could have caused something like that.

    Email me and confirm if you want your accounts deleted, or if there’s anything else I can do to help. By the way, Win7 will be out not long after x64.

  • FYI – Jguscott@playxpert.com – If anyone has any questions or needs some info, be sure to let me know either through email, or drop by our forums…I’ll be there…always..

  • There is one more possibility to get a dump of the memory, and this without rebooting the computer. There is only a hardware requirement (but that is already all around on laptops): it’s a FireWire port.
    I saw a demo of this technique at a security show, a guy dumped all the memory through FireWire only by plugging a cable between his computer and the other laptop. The laptop was running XP at this time.
    And this guy could unlock the user session by sending back the dumped memory to the XP.
    So, this is some information about it: http://www.friendsglobal.com/papers/FireWire%20Memory%20Dump%20of%20Windows%20XP.pdf

    Btw, thx for your show, really interesting !!

  • BeanBag 5 years ago

    @ Jesse-PXP

    Thanks for the reply. I’ve sent you an email. Hope you can help :)

  • Same problem

    Bootstrap loaded… trying packet mode… starting after booting.

    Tried on 3 laptops. Is it the USB stick’s fault?

    Thanks

  • Hey guys, I also have a beta version of my screenshot widget for PXP.

    (Screenshot Widget)

    I was holding off on putting it up on the widget gallery, because I’m working on adding auto photo/social networking site uploads.

  • So on this alt-tab craziness. I am not a fan of installing apps to slow down my system. I am also not a fan of alt-tab ruining any of my gaming sessions. I have stumbled upon a simple launch option configuration you can use in any HL2 based game.

    -console -sw -w 1920 -h 1200 -novid -dev -noborder

    So the run down of what is happening.
    Console: duh, gives you console (nice to have cause L4D doesn’t have it in options)
    SW: Start in windowed mode
    W: Res width (set to monitors max)
    H: Res height (set to monitors max)
    Novid: Kill that pesky startup video
    Dev: extra monitoring tools and options (not needed at all, but I use it when working on Goldeneye so I always have it on)
    Noborder: This is the important part…

    With having the game start in windowed mode you usually never have an issue with alt-tab, so I took advantage of this by setting the resolution to match my monitor. What happens is you have that stupid Windows border around your game and you can’t get it full screen the way it should be. Solution was to use -noborder; with this little guy active you have the same look as fullscreen but with all the window perks.

    The main reason I ended up doing this config was that I use a triple monitor setup and filling out msn and going to other active games can cause issues. Yes I play many games at once, multiple EVE clients and at least one of the following: GE:S, BZ2, L4D, TF2, NS..

    I hope others can benefit from this, Enjoy!

  • @Enzo.Matrix, that’s a great tip. With the noborder option does the game always start at pixel 1,1 — that is to say at the very top left of the screen, thus filling the screen completely.

    Do you know of a parameter that will specify window location? Without the border how is one to move the window?

    I ask because I have three monitors, two 19″s flanking a 22″.

    Getting off topic just a bit: Years ago I tried out playing UT99 and Q3 on 3 screens with an FOV of 180. I had to use windowed mode. It wasn’t that great performance wise then, but now I’ve got dual GeForce 8600s so I might just give it another go.

    @Jesse-PXP, thanks for coming by and clearing things up. Looking forward to the Win7 x64 release.

  • @Darren, no, it somehow always finds the dead centre of your screen, which can be a pain without the border because I couldn’t figure out how to reposition the window. So when you play with the res specs of your monitor it does fill the screen perfectly.

    My main is 24″ with 2x 22″ to the right. I use multiplicity (Stardock made something useful) on an old 19″ (left of 24″) in landscape to do my email and msn on my old box.

    9600 GT on the 24″ and 8800 GT on the dual 22″. I run into the issue if I drag a game like L4D onto a 22″ I lose frames like mad. Could never figure out how to swap the primary for launch. EVE I like, they give you the choice of adapter.

  • sp3cialk 5 years ago

    Just throwing this in there.. I don’t know why since NeoTokyo is a HL2 mod.. but the noborder switch doesn’t work for it. I’ve gotten so used to having noborder for TF2 and L4D I can’t stand games that do not work with it. I’ve not had a chance to test this but my game always loads on what is set as my primary display. I assume this may take some of the credit for opening on my main display, but I really haven’t wanted games on anything but my main. I have a 24″ and a 22″ to the left of it that I keep IRC, Ventrilo, and HLSW open so this trick is clutch for admins. I have heard you do take small performance (in FPS) from running in window like this instead of at full screen, but I have 2 GTX 260 in SLi.. so I’ve never noticed :|

    Love the show.. keep up the awesomeness!

  • Hi

    Is there some place I can download the scraper.bin files for usb sticks? I can’t compile it on my old mac. Can’t find it anywhere but Darren mentioned he would post the .bin file in one of the shows.

    Tnx

  • LordDust 4 years ago

    One important thing you missed to protect you from this sort of attack is a BIOS password, which won’t even try to boot until it receives the password. Thus rendering all but the custom motherboard useless.

  • Lawl is the dumbest thing on the net since roflcopter or zomg or kk