lordwud

bitunlocker.sh

14 posts in this topic

Wow... that looks hardcore, wish I had sound atm.

Anyone know where to get a boot tool that dumps all RAM to a USB device, such as the stated "ram2usb" they're using, which I'm assuming is a custom tool they created?

Edited by friendless

They didn't release the code. The basic idea is that when you turn off a computer, information stays in RAM for up to 10 mins. So what they did was boot a small *nix distro and run a script to dump memory and scan for the encryption key that BitLocker uses. The really cool part was that they sprayed the RAM with canned air, took it out, put it in another computer, and still recovered data from it.


This is surprising, and somewhat contradicts what I've learned about the construction of memory.

For example, this text suggests that without power, memory loses its contents fast:

Similar to a microprocessor, a memory chip is an integrated circuit (IC) made of millions of transistors and capacitors. In the most common form of computer memory, dynamic random access memory (DRAM), a transistor and a capacitor are paired to create a memory cell, which represents a single bit of data. The capacitor holds the bit of information -- a 0 or a 1 (see How Bits and Bytes Work for information on bits). The transistor acts as a switch that lets the control circuitry on the memory chip read the capacitor or change its state. A capacitor is like a small bucket that is able to store electrons. To store a 1 in the memory cell, the bucket is filled with electrons. To store a 0, it is emptied. The problem with the capacitor's bucket is that it has a leak. In a matter of a few milliseconds a full bucket becomes empty. Therefore, for dynamic memory to work, either the CPU or the memory controller has to come along and recharge all of the capacitors holding a 1 before they discharge. To do this, the memory controller reads the memory and then writes it right back. This refresh operation happens automatically thousands of times per second.

In the Princeton article, however, it says:

Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at operating temperatures and even if removed from a motherboard.

I guess if this is working, then it's true!

Nice find.


Email this guy... he is part of the team that created it:

ajfeldma@cs.princeton.edu

He might be able to tell you the software that they used or if they created it themselves.

He might be able to tell you the software that they used or if they created it themselves.
We implemented a tiny (9 KB) standalone application that can be booted via PXE and whose only function is streaming the contents of system RAM via a UDP-based protocol.

I doubt the memory extraction platform is Linux. 9 KB is a bit small for a Linux kernel. IIRC, 2.6 broke the 1.44 MB barrier. I want to demonstrate this technique to people. It sounds really jaw-dropping, especially for myself, using dm-crypt on everything.

In this situation you want as absolutely small a footprint as possible. Even printing "ram2usb" to the screen is destroying at least 7 bytes of otherwise recoverable data. Ideally there would be no text, no progress indicator, nothing.

Any ideas on whether a microcode update could add an AES routine, and a randomly-generated-per-boot key to the CPU, in L2 cache? It would have to be done before booting the kernel and everything, so it would require adding something to the BIOS to do it. Just a thought, though.


I liked how they sprayed the compressed air crap all inside the computer, then put the wet RAM stick into the other computer :P


Yes, it was dripping, but the chemical that is used in compressed air is not conductive.

The problem that you start to have with compressed air is that condensation will start to form on such cold surfaces.

You can pour pure H2O on your computer and it will not have a problem. Water is only conductive because of the minerals and impurities in it.

Yes, it was dripping, but the chemical that is used in compressed air is not conductive.

The problem that you start to have with compressed air is that condensation will start to form on such cold surfaces.

You can pour pure H2O on your computer and it will not have a problem. Water is only conductive because of the minerals and impurities in it.

Pure H2O is a slightly ionized liquid, and will cause problems with any voltage high enough to arc it. It's not much.


Just use something like BusyBox. They booted from a USB hard drive, so they really don't have a space constraint, but BusyBox is small enough and slim enough that it should boot fairly quickly. csweasle created a LiveCD a while back that allowed you to manually dump memory and do this same type of attack, and it has been known for a long time. This really isn't anything new; these people are just the ones who have publicized the attack the most.


Haven't posted here in a while, but I thought I could chime in on this, since I have something to show for myself for a change.

I've implemented a very small SysLinux com32 app that will boot from USB and dump memory to another partition on the USB drive. This is similar to what the Princeton guys have done but haven't released:

http://mcgrewsecurity.com/projects/msramdmp/


Nice, I was considering putting something together to release, but it seems you beat me to it. Nice work as usual.
