[Article]-Using Cold Boot Attacks and Other Forensic Techniq

Viewing 2 reply threads
  • Author
    • #8634
      Don Donzal

      This is a blog post; the full original post is linked from the forum thread.

      It’s a Thursday evening, and happy hour begins in a few minutes. You’re ready to get out of the office, as quickly as possible. You’ve been working on a report, and you know you still have work to do in the morning. So you lock your machine. It’s safe enough, right? You’ve got a strong password and full disk encryption. Ophcrack or a bootable Linux distro like Kali won’t work. You’d think you’d be fine, but you’d be wrong. More and more, attackers are using blended attacks to get the good stuff, and that includes utilizing the latest in forensic techniques.

      There is a single section of your computer full of unencrypted sensitive information any attacker would love to get their hands on: your active memory. The system stores all manner of valuable information in memory for easy reference. Full disk encryption mechanisms must store encryption keys within memory somewhere. The same is true for Wi-Fi encryption keys. Windows keeps the registry hives in memory, and consequently the System and SAM hives. Most clipboards are stored within memory. Many applications keep passwords within memory. The point is, memory houses much of the valuable information that the system needs at a moment’s notice. Getting to it requires using some of the same forensics techniques employed by attackers. This article helps add some of those techniques to your pentesting toolkit.
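
A worked example of the point about full-disk-encryption keys living in RAM, added here as editor's example code (it is not from the article, the forum poster, or any product): given a raw memory image, whether from a cold boot capture, a hibernation file or a VM snapshot, an AES-128 key can be located without knowing anything about the software that owns it, because the 176-byte expanded key schedule is fully determined by the key and is normally kept right beside it. The scanner below treats every 16-byte window as a candidate key, expands it round by round and checks whether the following 160 bytes match, tolerating a small number of bit flips to mimic the DRAM decay that sets in after power loss; this is the same idea behind the key-schedule search tools that came out of the published cold boot research. The memory image, the key placement and the bit flips are all constructed inline for the demonstration, and the S-box is generated rather than typed in.

```python
"""Locate AES-128 keys in a raw memory image by their expanded key schedule.

Added example (not from the article): the FIPS-197 key expansion is fully
determined by the 16-byte key, and software such as full-disk-encryption
drivers keeps the expanded schedule next to the key, so scanning for a
16-byte window that "expands into" the next 160 bytes finds keys with no
knowledge of the owning program. Bit-error tolerance handles the partial
DRAM decay seen after a cold boot.
"""
import random

SCHEDULE_LEN = 176                     # 11 round keys x 16 bytes for AES-128
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _make_sbox():
    """Build the AES S-box from GF(2^8) inverses plus the affine map (no literal table)."""
    def rotl(x, n):
        return ((x << n) | (x >> (8 - n))) & 0xFF

    sbox = [0] * 256
    p = q = 1                          # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q = (q ^ (q << 1)) & 0xFF                                # q /= 3
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                     # 0 has no inverse; affine map alone
    return sbox


SBOX = _make_sbox()


def next_round_key(rk: bytes, rcon: int) -> bytes:
    """Derive round key r+1 from round key r (one AES-128 key-schedule step)."""
    # g(): rotate the last word left one byte, S-box every byte, XOR rcon into byte 0
    t = bytes(SBOX[b] for b in rk[13:16] + rk[12:13])
    t = bytes([t[0] ^ rcon]) + t[1:]
    words, prev = [], t
    for i in range(0, 16, 4):          # w[i] = w[i-4] ^ (g(w[i-1]) for the first word, else w[i-1])
        prev = bytes(a ^ b for a, b in zip(rk[i:i + 4], prev))
        words.append(prev)
    return b"".join(words)


def expand_key(key: bytes) -> bytes:
    """Full 176-byte AES-128 key schedule, as a driver would keep it in RAM."""
    sched = [bytes(key)]
    for rcon in RCON:
        sched.append(next_round_key(sched[-1], rcon))
    return b"".join(sched)


def hamming(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def find_aes128_keys(image: bytes, max_bit_errors: int = 0):
    """Return (offset, key, bit_errors) for each window whose schedule follows it.

    Round keys are derived one at a time and the scan bails out as soon as the
    error budget is exceeded, so the cost per offset is usually a single round.
    """
    hits = []
    for off in range(len(image) - SCHEDULE_LEN + 1):
        candidate = image[off:off + 16]
        rk, errors = candidate, 0
        for r, rcon in enumerate(RCON, start=1):
            rk = next_round_key(rk, rcon)
            errors += hamming(rk, image[off + 16 * r:off + 16 * (r + 1)])
            if errors > max_bit_errors:
                break
        else:
            hits.append((off, candidate, errors))
    return hits


def build_sample_image(key: bytes, offset: int, flip_bits: int = 0, seed: int = 1) -> bytes:
    """Constructed test data: random filler with one key schedule planted at `offset`,
    then `flip_bits` bits of the expanded part flipped to imitate DRAM decay
    (real decay is biased towards the cell ground state; random flips suffice here)."""
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(16 * 1024))
    image[offset:offset + SCHEDULE_LEN] = expand_key(key)
    for bit in rng.sample(range(128, SCHEDULE_LEN * 8), flip_bits):
        image[offset + bit // 8] ^= 1 << (bit % 8)
    return bytes(image)


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 sample key
    image = build_sample_image(key, offset=0x1234, flip_bits=6)
    print("exact match:", find_aes128_keys(image))              # [] once decay has set in
    for off, k, errs in find_aes128_keys(image, max_bit_errors=16):
        print(f"AES-128 key at 0x{off:x}: {k.hex()} ({errs} schedule bits decayed)")
```

Two caveats a practitioner should keep in mind. The scan takes the candidate key bytes verbatim, so if the key itself (not just the expanded rounds) has decayed, this example will not find it; tools built for real cold boot images use the redundancy in the schedule to repair the key bytes as well. And a miss is not proof that no key is present: AES-256 uses a longer 240-byte schedule and a different expansion, and some implementations deliberately keep keys out of ordinary RAM, so a hit confirms a key while a miss only rules out this one layout.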

    • #53733

      Very interesting, at some point I actually need to grab an old laptop out to try this myself.

      The article mentions pen testers not realizing the benefits of memory dumps, but this is only really applicable to physical memory dumps. Virtual memory dumps from VMs are being used heavily by testers to access passwords, and this is especially the case as more and more organizations virtualise old 32-bit operating systems that run their critical ancient apps.

    • #53734

      Thanks for the comment. It’s a pretty decent amount of fun when you try it for the first time. There’s just something about seeing the machine coated in frost that’s ridiculous and awesome at the same time.

      You are correct, virtual memory dumps are quite common. This attack is mostly to gain that first initial access into a workstation.


Copyright ©2020 Caendra, Inc.
