‘McGrew Security RAM Dumper’
A short while back, a paper was published by researchers at Princeton University, in which they talk about the process of recovering encryption keys out of memory after a cold boot. This was surprising to many people, as most just assume that, since RAM is volatile storage, it is erased when power is removed. This is an incorrect assumption.
When the idea of memory retaining state for a short time was first brought to my attention a little over a year ago, Wesley McGrew ran a few experiments similar to this one, just to prove it to myself. The desktop machines Wesley McGrew tried would hold state for anywhere between 5 and 10 seconds without power, whereas my laptop, with no battery or wall power, would maintain state for an amazing 10 minutes. Wesley McGrew used a Linux bootable CD to get an image of memory from a Windows to data carve, and found some interesting things. The footprint for the Linux OS was huge, though, and this interfered with my ability to capture as much memory from the previously running operating system as possible.
The Princeton researchers applied this method to the recovery of encryption keys, with great results. They also cooked up a way to image the contents of RAM with a very small footprint, only overwriting a small amount of memory in the process. Unfortunately, at the time of writing this, their tool hasn’t been released. Wesley McGrew decided that it wouldn’t be hard to go ahead and implement one myself, based off their paper and youtube video posted above, so that I (and others) can go ahead and start having fun.
So, as a small side project, I’ve written ‘msramdmp’, the McGrew Security RAM Dumper. Enjoy!’