•  News
  • 50.2% (Neutral)
  • Member Topic Starter
Utilizing a little known fact about RAM, researchers have devised a way to crack disk encryption.

The attack takes only a few minutes to conduct and uses the disk encryption key that's stored in the computer's RAM.

The attack works because content as well as encryption keys stored in

RAM linger in the system, even after the machine is powered off,

enabling an attacker to use the key to collect any content still in RAM

after reapplying power to the machine.

"We've broken disk encryption products in exactly the case when they

seem to be most important these days: laptops that contain sensitive

corporate data or personal information about business customers," said

J. Alex Halderman, one of the researchers, in a press release. "Unlike

many security problems, this

isn't a minor flaw; it is a fundamental limitation in the way these

systems were designed."

Successful attacks were performed against Vista's Bitlocker, Apple's FileVault, TrueCrypt, and Linux's dm-crypt.

i was unaware that RAM stored information after being powered off, when did it become non-volatile?

so really it depends on the type of ram you have, hot hot it runs, and the program you use, the safest being truecrypt and dm-crypt of course, depending on what you encrypt with them.

and apple's filevault is less than secure in the first place, not really a challenge for that one. but the rest i'm surprised to see.


/scratches head.

I wonder how that works as the last time a check RAM is volatile memory so this confuses me. 


werty316 wrote:

I wonder how that works as the last time a check RAM is volatile memory so this confuses me. 

Although my understanding on this matter is limited, I do understand the principal of volatile memory so I'm confused too.



Hi All,

Beats me.

Maybe they meant ROM 🙂
after watching the video, if you click the link at the top, they explain that while the memory information IS lost when power is gone, it's not instant, it works like a capacitor, slowly losing information in a predictable manner.

their method is to remove the ram chip (1 in a laptop) cool it with an upside down compressed air can, plug it into another and then boot to their eHDD with software on it that dumps the ram and then run software that searches and extracts the key.

this method works far better on system volume encryptions than it does on container encryptions....i.e. not entire volumes and you manually mount the object (truecrypt) as when un-mounting, if you were to heavily use your ram, it would overwrite it and clear it out.

pagefiles come into the equation, and it's better to not use them, or clean them out on power down. same with your swap in linux.

Savage Animal

 So really its a joke. You need to actually remove the ram from the encrypted machine, freeze it, then install it in a new machine and run a dump program to retreive the info wanted. If the info is so confidential that it needs to be encrypted the machine is not going to leave the users person to allow the ram to be removed, so what good does that do?