In my forensics class this Monday I will talk about the disk encryption attack that Princeton researchers published in April of this year. The attack exploits the fact that data remains in RAM for up to several minutes after power to the computer is turned off. Rather than all memory being erased immediately, data in RAM quickly decays as time goes on. The Princeton research team showed that sensitive information such as passwords and disk encryption keys can be recovered from RAM after a machine is powered off. You can see a video of this attack here.
To demonstrate this attribute of RAM to my class, I will follow the simple experiment described here, but adapted to OS X:
1. Unlike other versions of Unix, OS X has not provided a device file for physical RAM since the switch to Intel processors. The kernel still supports such a device file, though. To re-enable the device file for physical RAM, pass this kernel option to the boot loader as follows:
sudo nvram boot-args="kmem=1"
To verify that this kernel option was passed, type:
nvram -p | grep boot-args
You should see the following line:
Note: to later remove this boot argument, type:
sudo nvram boot-args=""
2. Reboot your machine and verify that you now have a /dev/mem device file.
3. Open a terminal window, type “python” to enter the Python interpreter and enter these commands:
ram = ""
while True: ram += "MYPASSWORD"
4. The Python interpreter will run until physical RAM is so full that it cannot hold one more “MYPASSWORD” string. You can visually show students that RAM is filling up by showing the RAM pie chart in Activity Monitor. A few minutes after starting the Python command, shut the computer down immediately by holding down the power button.
5. Wait a few seconds or minutes, depending on how much RAM decay you want to allow.
6. Turn the computer back on, open a terminal window, and type this command:
sudo cat /dev/mem > /tmp/ramdump.txt
This step will take a minute or two depending on how much RAM you have installed. Eventually the file will be as large as the amount of RAM installed. In my case, this command yields a 2 GB file.
The command will terminate with this error:
cat: /dev/mem: Bad address
This indicates that all of the contents of RAM have been copied to the /tmp/ramdump.txt file.
7. Type the command:
grep -a MYPASSWORD /tmp/ramdump.txt
This command should then display many instances of the string “MYPASSWORD”, demonstrating that some data has remained in RAM even after power to the computer was turned off.
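The grep in step 7 only counts byte-exact copies of the marker; because RAM decay flips individual bits, a scanner that also tolerates a few bit errors per copy gives a better picture of how much of the string survived. The script below is an added example, not part of the original post: the in-memory sample dump, the 4-bit error threshold and the offsets it reports are constructed assumptions, and the scan is meant for a file such as /tmp/ramdump.txt once you have one.

```python
MARKER = b"MYPASSWORD"
MAX_BIT_ERRORS = 4   # tolerated flipped bits per candidate copy (assumption)


def bit_errors(a: bytes, b: bytes) -> int:
    """Hamming distance in bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def scan_dump(data: bytes, marker: bytes = MARKER,
              max_bit_errors: int = MAX_BIT_ERRORS) -> dict:
    """Return offsets of intact copies and of decayed (bit-flipped) copies."""
    exact, decayed = [], []
    n, pos = len(marker), 0
    while pos + n <= len(data):
        window = data[pos:pos + n]
        if window == marker:
            exact.append(pos)
            pos += n                      # step over the whole intact copy
        elif 0 < bit_errors(window, marker) <= max_bit_errors:
            decayed.append(pos)
            pos += n
        else:
            pos += 1
    return {"exact": exact, "decayed": decayed}


def build_sample_dump() -> bytes:
    """Constructed stand-in for /tmp/ramdump.txt: zeroed cells, three intact
    copies of the marker and one copy in which two bits have decayed to zero."""
    zeroed = b"\x00" * 64
    decayed = bytearray(MARKER)
    decayed[1] &= ~0x08               # 'Y' (0x59) -> 0x51, one bit lost
    decayed[6] &= ~0x04               # 'W' (0x57) -> 0x53, second bit lost
    return zeroed + MARKER * 3 + zeroed + bytes(decayed) + zeroed


if __name__ == "__main__":
    result = scan_dump(build_sample_dump())
    print("intact copies:", len(result["exact"]))
    print("decayed copies:", len(result["decayed"]))
```

On a multi-gigabyte dump the pure-Python sliding window is slow; read the file in chunks or run it only on the regions that grep -a already located.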