Re: round and round they go

["Jay" <jay.tomas () infosecguru com>]

I would think a more realistic scenario might be a person working at an airport shutting their system down then getting 
it stolen vs a forensic examiner yanking the cord on purpose. Just an observation.

----- Original Message -----
From: matthew wollenweber [mailto:mwollenweber () gmail com]
To: lists () datenritter de
Cc: full-disclosure () lists grok org uk
Sent: Fri, 22 Feb 2008 09:57:55 -0500
Subject: Re: [Full-disclosure] round and round they go

I found the article interesting, but I wonder about it's practicality. If
you have physical access to the box you never really need to power down the
box in the first place and generally if the box is already on, I think most
people would prefer to attack a service to get on the system directly. But
there are some special cases where these techniques will likely be very
useful.

For me, I've always disliked the practice of doing live forensic discovery.
I'd much rather get a clean disk dump than to poke around on the system
first, but losing RAM sucks. Maybe now IR/Forensic guys can get the best of
both worlds? They can yank the power to save the disk state and dump memory
by using the techniques described in the article. :)


On Fri, Feb 22, 2008 at 8:32 AM, niclas <lists () datenritter de> wrote:

> > http://blog.wired.com/27bstroke6/2008/02/researchers-dis.html
>
> (cooling down DRAMs keeps their contents for longer time, even during
> reboot.)
>
> well, this shows how important mechanical security still is, even with
> all the crypto-stuff out there. if you e.g. just *glued* your RAM
> modules into your motherboard, the option left would be booting a
> malicious OS. a BIOS-password might put delays on that.
>
> so, if it is really secret put your PC in a locked steel box!
>
> as a dircet countermeasure you might as well consider a simple
> temperature sensor next to your DRAMs, releasing [evil self-destruction
> hack] when temperatures drop below 0?C.
>
> thermite does a good job on destroying HDDs but it's very dangerous.
>
> it's probably more easy to use this device then:
> http://www.wiebetech.com/products/HotPlug.php
>
> looking at these two methods, i notice how "they" (whoever) seem to aim
> not only on physical access but also more and more on surprising the
> crypto-user. "they" might use the methods mentioned above or just hit
> you with a flashbang, so you can't press the lock key anymore. this
> worries me more than any it-related security flaw. i don't want the
> police to behave like that.
>
> n.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/



--
Matthew  Wollenweber
mwollenweber () gmail com | mjw () cyberwart com
www.cyberwart.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/