Josh-D. S. Davis

Xaminmo / Omnimax / Max Omni / Mad Scientist / Midnight Shadow / Radiation Master

Locked screen, encrypted disk? NO PROBLEM!
joshdavis
http://news.cnet.com/2300-1029_3-6230933-1.html

Basically, the decryption key must be accessible in RAM in order to use the encrypted files. RAM is not erased on reset.

Hard reset the system while it's on, boot from network, and copy out RAM contents. Only the very beginning of system memory will be clobbered.

If you can't get at it this way, you can supercool the RAM, pull it out, and insert it into a system which can handle dynamic RAM add. An example would be a can of compressed air turned upside down, and an external memory reader. With the RAM supercooled, bit rot will be minimal or nil during the move. Then, the memory image can be pulled.

If you're hibernated to a non-encrypted disk, then that file can be read off as the memory image.

Once the memory image is copied, they scan for the key (only takes minutes). Through deterministic means, they are able to detect and repair AES, PGP and a few other key types with as much as 10% bit rot.

Your best bet is to unmount the encrypted volume when it's not in use or you're AFK. Good encryption tools should wipe the key from RAM on dismount. Powering off for a minute is also long enough for bit rot to purge any in-memory key.
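
The key scan is fast because an AES implementation normally keeps the whole expanded key schedule in RAM, and that schedule is fully determined by its first 16 bytes. The sketch below is an added example, not code from the linked article or from this post. It uses that property to audit the dismount advice: it reports whether a memory capture still holds an AES-128 schedule. The function names, the constructed sample image and the zero-fill model of a wipe are assumptions, and it matches intact schedules only, with no bit-rot repair.

```python
def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def _build_sbox():
    """Generate the AES S-box: inverse in GF(2^8), then the affine transform."""
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q ^= q << 1                                            # q /= 3
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = _build_sbox()

def expand_key(key: bytes) -> bytes:
    """FIPS-197 key expansion: 16-byte key -> 176-byte round-key schedule."""
    w, rcon = bytearray(key), 1
    for i in range(16, 176, 4):
        t = bytes(w[i - 4:i])
        if i % 16 == 0:  # first word of each round key: RotWord, SubWord, Rcon
            t = bytes(SBOX[b] for b in t[1:] + t[:1])
            t = bytes([t[0] ^ rcon]) + t[1:]
            rcon = ((rcon << 1) ^ (0x11B if rcon & 0x80 else 0)) & 0xFF
        w += bytes(a ^ b for a, b in zip(w[i - 16:i - 12], t))
    return bytes(w)

def find_aes128_schedules(image: bytes) -> list:
    """Offsets where 16 bytes are followed by their own key expansion."""
    return [off for off in range(len(image) - 175)
            if expand_key(image[off:off + 16]) == image[off:off + 176]]

KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # public FIPS-197 test key

def build_image(mounted: bool) -> bytes:
    """Constructed stand-in for a RAM capture; a wiped key is modelled as zeros."""
    filler = bytes(range(256)) * 2
    sched = expand_key(KEY) if mounted else bytes(176)
    return filler + bytes(37) + sched + filler

if __name__ == "__main__":
    print("mounted:   ", find_aes128_schedules(build_image(True)))
    print("dismounted:", find_aes128_schedules(build_image(False)))
```

A hit in a capture taken after dismount means the tool left the schedule resident; no hit is what a proper key wipe should produce.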