Mar 07, 2008
Last week, a group of information security researchers released a whitepaper detailing a practical data extraction attack on DRAM after the power's been cut. Unfortunately, Applebaum et al didn't release the source code for the utilities they used in the lab. One Wesley McGrew read the paper and decided to apply the scientific method by reproducing their experiments. This required developing utilities to extract data from powered-down DRAM from scratch which he's done and released the source code for. The source is mostly in C with some in-line assembly. It's dense and you really have to understand what's going on when a machine boots up - I don't understand all of it myself right now.
McGrew used a bootable USB key for his experiments and a copy of the open source bootloader syslinux to implement his attack. It requires zeroing out the entire USB key to ensure that data dumped is easily distinguishable from the deleted data that piles up on storage devices over time and partitioning it in a particular manner so that his RAM dumper can walk through the memory field and know where to put what it finds. Oddly, he used two different partition types (type 40, which was used for Venix 80286, and type 41, which is used in PPC PreP Boot disks; both are fairly unusual, but I guess they saw use at some point in the past) to denote partitions that had not been used and had been used to store data, respectively. Obviously, you need a USB key larger than the amount of RAM in the machine being attacked (but you can buy a 4GB USB key for as little as $15us these days, so this isn't really a hurdle). Going through the results can be as simple as running a copy of strings over the data, or as complex as breaking out a hex editor and walking through the memory field images page by page.
Even more interesting, he was able to do this using VMware OS images, so if you want to try this at home it should be pretty easy. I might play around with this tonight to see what happens.
If nothing else, his research explains the basics of using syslinux nicely, a package which is notoriously confusing.
Just in case, I've uploaded a mirror of msramdmp: Download?