Is your data vulnerable due to RAM?
Data security is a topic that will always fascinate me. I spend countless hours trying to secure my own personal data as if everyone in the world wants the information. In the security field, physical access is everything. So good data security also takes into consideration the possibility of somebody physically obtaining or gaining access to the computer the data is housed on. This is where data encryption comes into play. Generally, data is encrypted using one of several encryption algorithms and is only accessible with the chosen password and key. Therefore, physical access is useless without this information. My question is, "How easy is it to get this information?"
In the most recent issue of 2600 there is an article titled "Anti-Forensics: Make Secrets Stay Secrets." This article brings one key element of a computer into play that is most often overlooked. Unfortunately, anything that you access locally or on the net via a password stores that password in your Random Access Memory (RAM) so that it may be loaded for access. This may seem like common knowledge, but the question is, "Does this password stay in memory during that session?" Does it stay in memory after you reboot or shut down? This 2600 article definitely got me thinking, so I coupled this with previous knowledge and began to investigate.
Let's say that you have something on your computer that is encrypted and only accessible with the correct password and key. Chances are, if you have accessed that data recently, someone could crash your computer and gain access to your data. When Windows crashes it dumps memory to a file, memory.dmp, located at C:\Windows\memory.dmp (the file is hidden, so be sure to set your computer to show hidden files). The type of dump is specified at Control Panel > System > Advanced Tab > Startup and Recovery Settings > Write Debugging Information. By default, Windows writes a Small Memory Dump of 64 KB, but someone could easily change this to "Complete Memory Dump" before crashing your computer. Even with the small dump, valuable information will still be there. The data in memory.dmp can be read by opening it in any basic hex editor. Keep in mind that you may have this file on your computer right now, and it could contain some of your valuable information from the moment the OS wrote it.
Now, all that stands between an intruder and a current memory dump from your computer is forcing your Windows box to crash. Rumor has it there are instruments out there to do this, and I actually had one at one time. OK, so I didn't have the real-deal instrument, but I did have a wireless USB NIC that would crash any Windows box I plugged it into. Something was wrong with it and I trashed it (didn't realize the value of it until now, j/k). Since I live in the common world, I will settle for a registry hack. Windows can be made to crash on demand by enabling a setting in the Windows Registry: hold the right Ctrl key and press Scroll Lock twice. The registry hack is as follows (XP, 2k, 2k3):
Location of System Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters\
Value(s) to Modify or Add: CrashOnCtrlScroll
Correct Data Type: REG_DWORD
Hex Value: 1 to enable, 0 to disable
Once this is enabled the computer must be restarted in order for it to take effect. When the computer restarts some of the data in memory may be lost, which is why forensics experts (with good or malicious intent) prefer a tool for the job: it lets them crash the computer without first restarting it and losing possibly incriminating information. Once this registry value is set, you can crash your own Windows box to test this by holding the right Ctrl key and pressing Scroll Lock twice. If your computer is set to write a small 64 KB memory dump, the computer will crash and restart immediately. If you have chosen a complete memory dump, you will see the blue screen of death until the memory dump is complete. Once it has completed, open the file (C:\Windows\memory.dmp) with a hex editor and search for some of your favorite passwords. You may be surprised. I did just this, and some of the results are as follows:
Gmail Username & Password:
MSN Messenger/Hotmail Username & Password:
The FTP username/password for this site:
3 other old passwords in one nice bundle:
(Usernames and passwords are whited out for obvious reasons)
I was able to grab all this information from my computer shortly after a reboot (when the memory should be refreshed). Many techies brag about the uptime on their computers; just think what could be grabbed from memory on a machine that has been up for a month. Based on this investigation, it would also be easy to search for keywords such as "gmail", "messenger" and other common flags in this dump file that could help speed up the password-finding process. This works for encryption mechanisms such as PGP and many others that require passwords and keys to be loaded into memory. I'm sure I could quickly develop a keyword list after examining a few more of these files that would help search out common passwords (if I can do it, it already exists).
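The hex-editor search described above has a catch a practitioner should know about: Windows keeps most of its strings in memory as UTF-16LE, so an ASCII search for "hunter2" will miss the copy stored as "h.u.n.t.e.r.2." (every character followed by a zero byte). The PowerShell script below is an added example, not code from the original post or from 2600; it checks a dump for secrets you already know, in both encodings, and streams the file in chunks so a multi-gigabyte complete dump does not have to fit in memory. The function name Find-SecretInDump and the constructed sample-dump file are this example's own.

```powershell
# Added example, not code from the original post: check a crash dump for secrets you
# already know, in both the 8-bit and the UTF-16LE form Windows uses for most strings.
# Function name and the sample file below are this example's own.

function Find-SecretInDump {
    param(
        [Parameter(Mandatory)] [string]   $DumpPath,
        [Parameter(Mandatory)] [string[]] $Secrets,
        [int] $ChunkSize = 64MB
    )
    # Latin-1 maps every byte to exactly one char, so raw byte patterns become ordinary
    # .NET strings: the UTF-16LE form of "abc" is the Latin-1 string "a`0b`0c`0".
    $latin1  = [System.Text.Encoding]::GetEncoding('iso-8859-1')
    $needles = foreach ($s in $Secrets) {
        [pscustomobject]@{ Secret = $s; Encoding = 'ascii';    Pattern = $s }
        [pscustomobject]@{ Secret = $s; Encoding = 'utf-16le'
                           Pattern = $latin1.GetString([System.Text.Encoding]::Unicode.GetBytes($s)) }
    }
    $overlap = ($needles | ForEach-Object { $_.Pattern.Length } | Measure-Object -Maximum).Maximum - 1

    $stream = [System.IO.File]::Open($DumpPath, 'Open', 'Read', 'ReadWrite')
    try {
        $buffer = New-Object byte[] $ChunkSize
        $carry  = ''    # tail of the previous chunk, so a match across a chunk boundary is found
        $base   = 0L    # absolute byte offset of the first byte currently in $buffer
        while (($read = $stream.Read($buffer, 0, $buffer.Length)) -gt 0) {
            $text = $carry + $latin1.GetString($buffer, 0, $read)
            foreach ($n in $needles) {
                $pos = $text.IndexOf($n.Pattern, [StringComparison]::Ordinal)
                while ($pos -ge 0) {
                    # Matches that end inside the carried tail were already reported last round.
                    if ($pos + $n.Pattern.Length -gt $carry.Length) {
                        [pscustomobject]@{
                            Secret   = $n.Secret
                            Encoding = $n.Encoding
                            Offset   = $base - $carry.Length + $pos
                        }
                    }
                    $pos = $text.IndexOf($n.Pattern, $pos + 1, [StringComparison]::Ordinal)
                }
            }
            $carry = if ($text.Length -gt $overlap) { $text.Substring($text.Length - $overlap) } else { $text }
            $base += $read
        }
    } finally { $stream.Dispose() }
}

# Constructed sample "dump": random filler with one copy of a secret in each encoding, so
# the function can be exercised without crashing anything. Point it at C:\Windows\memory.dmp
# (from an elevated prompt) to check a real dump.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'sample-dump.bin'
$rng    = [System.Random]::new(42)
$filler = New-Object byte[] 4096
$rng.NextBytes($filler)
$bytes  = $filler[0..999] + [System.Text.Encoding]::ASCII.GetBytes('hunter2') +
          $filler[1000..2999] + [System.Text.Encoding]::Unicode.GetBytes('hunter2') +
          $filler[3000..4095]
[System.IO.File]::WriteAllBytes($sample, [byte[]]$bytes)

# A small chunk size forces the boundary-handling path to be exercised on the sample.
Find-SecretInDump -DumpPath $sample -Secrets 'hunter2', 'not-present' -ChunkSize 1024 |
    Format-Table Secret, Encoding, Offset
```

The script reports which of the supplied secrets appear and at what byte offset, which is enough to confirm exposure; a hit in the utf-16le column is exactly the kind of copy a plain hex-editor search would have walked past.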
Please take what you have learned from this post and use it to protect yourself. Use secure deletion programs (programs that delete and write over) to delete temp files and .dmp files from your comp at shutdown. Practice crashing your own computer to make sure that you are not vulnerable to this attack. Prevent physical access to equipment with valuable data if at all possible. Reboot after accessing and modifying encrypted files. Always remember, it's ok to be paranoid when dealing with data security.
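To turn the advice above into something you can run, here is an added PowerShell example (not from the original post) that covers the registry hack from earlier in the post and the "delete and write over" advice in this paragraph from the defender's side: it reports whether CrashOnCtrlScroll is enabled, what kind of crash dump the machine is configured to write (the CrashDumpEnabled and DumpFile values under HKLM\SYSTEM\CurrentControlSet\Control\CrashControl are the real Windows locations for the Control Panel setting the post describes), and whether a memory.dmp is currently sitting on disk; with -Harden it sets the hotkey back to 0 and overwrites the dump with zeros before deleting it. The function names are this example's own.

```powershell
# Added example, not code from the original post. Audits the settings the post
# describes (CrashOnCtrlScroll and the crash-dump type) and, with -Harden, reverts the
# crash hotkey and overwrites-then-deletes an existing memory.dmp.
# Function names are this example's own; the registry paths and value names are Windows' real ones.
# Reading works from any prompt; the -Harden changes need an elevated PowerShell prompt.

function Get-CrashDumpExposure {
    $kbdKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters'
    $crashKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

    $hotkey  = (Get-ItemProperty -Path $kbdKey   -Name CrashOnCtrlScroll -ErrorAction SilentlyContinue).CrashOnCtrlScroll
    $enabled = (Get-ItemProperty -Path $crashKey -Name CrashDumpEnabled  -ErrorAction SilentlyContinue).CrashDumpEnabled
    $file    = (Get-ItemProperty -Path $crashKey -Name DumpFile          -ErrorAction SilentlyContinue).DumpFile
    if (-not $file) { $file = Join-Path $env:SystemRoot 'MEMORY.DMP' }
    $file = [Environment]::ExpandEnvironmentVariables($file)

    # CrashDumpEnabled values: 0 none, 1 complete, 2 kernel, 3 small (64 KB), 7 automatic
    $kind = if ($null -eq $enabled) { 'unknown (value missing)' } else {
        switch ([int]$enabled) {
            0 { 'none' } 1 { 'complete' } 2 { 'kernel' } 3 { 'small' } 7 { 'automatic' }
            default { "unknown ($enabled)" }
        }
    }

    # File.Exists sees the hidden dump file; Get-ChildItem without -Force would not.
    $exists = [System.IO.File]::Exists($file)
    [pscustomobject]@{
        CrashOnCtrlScroll = ($hotkey -eq 1)
        DumpType          = $kind
        DumpFile          = $file
        DumpFileExists    = $exists
        DumpFileSizeMB    = if ($exists) { [math]::Round((Get-Item -LiteralPath $file -Force).Length / 1MB, 1) } else { 0 }
    }
}

function Remove-CrashDumpFile {
    # One pass of zeros before deletion, matching the post's "delete and write over" advice.
    # Caveat: on SSDs, NTFS-compressed volumes or volumes with shadow copies an overwrite does
    # not reliably destroy the old blocks; full-disk encryption is the stronger control.
    param([Parameter(Mandatory)][string]$Path)
    if (-not [System.IO.File]::Exists($Path)) { return $false }
    $fs = [System.IO.File]::Open($Path, 'Open', 'Write', 'None')
    try {
        $zeros = New-Object byte[] 1MB
        $left  = $fs.Length
        while ($left -gt 0) {
            $n = [int][math]::Min($zeros.Length, $left)
            $fs.Write($zeros, 0, $n)
            $left -= $n
        }
        $fs.Flush($true)   # push the zeros through the OS cache to the disk
    } finally { $fs.Dispose() }
    Remove-Item -LiteralPath $Path -Force
    return $true
}

function Protect-CrashDumpExposure {
    param([switch]$Harden)
    $state = Get-CrashDumpExposure
    $state | Format-List | Out-String | Write-Host
    if (-not $Harden) { return $state }

    if ($state.CrashOnCtrlScroll) {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters' `
                         -Name CrashOnCtrlScroll -Value 0 -Type DWord
        Write-Host 'CrashOnCtrlScroll set to 0 (takes effect after a restart).'
    }
    if (Remove-CrashDumpFile -Path $state.DumpFile) {
        Write-Host "Overwrote and removed $($state.DumpFile)."
    }
    Get-CrashDumpExposure   # re-read so the caller sees the post-change state
}

Protect-CrashDumpExposure            # audit only
# Protect-CrashDumpExposure -Harden  # revert the hotkey and wipe the dump (elevated prompt)
```

Leaving crash dumps enabled is a legitimate choice (they are how you debug a real crash), so the script only removes the file that already exists rather than changing the dump type; if you do want no dump written at all, that is the "(none)" option in the same Startup and Recovery dialog the post points to.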
Posted by dmac at November 8, 2004 01:11 AM
Comments
[...] 11/9/2004 Forcing Windows to crash (BSOD) enables a user to test recovery and password security. The following registry entries, when set, will allow you to crash Windows by holding [...]
Posted by: dmacatack.com » How to force windows to crash and display blue screen of death (BSOD) at November 8, 2004 01:11 AM