This should be able to be done via the software in a few seconds. The only way to restore the session would be for the user to enter their encryption password, which would return them to the OS’s lockout screen, whereby they would have to enter their user account password within 10/15 seconds or it would again re-lock/encrypt.

While this method isn’t perfect, it does offer increased security. The only way of getting the data/key then, would be to shut off all power to the machine quickly before any OS lockout occurs, then boot the machine to your device or remove the RAM and place in another machine to boot to your device. See next step for increased security.

Step 2:
The software could modify the BIOS to force a full RAM test (RAM fill) every time the computer is booted (force it to occur before any booting can take place). This will fill the RAM with random/null data as part of the test, thereby wiping any retained memory before anyone can boot into any device to make a copy of the memory.

This eliminates someone quickly shutting off power to the machine and then quickly booting into their device to copy the memory. But it does not stop them powering off the machine, spraying the RAM to cool it, removing the RAM and inserting into another machine that will boot to their device. So again, it is increased security but it is far from perfect.

Step 3:
Implement specialist hardware to solve the remaining vulnerabilities, for example:
RAM that loses all of it’s memory upon power loss within 5 seconds at room temperature
A machine case that requires a key to open, so nobody can access the internal hardware without damaging the case
An internal mechanism that can tell when the machine case is being tampered with (unauthorized access) and upon detection will wipe the RAM

Alternative Option:
Create/Modify encryption software to store the entered key onto a hardware key e.g. a USB drive, rather than in the RAM. If the USB is removed the encryption software (in RAM) will either lockout the user, shut down the machine, or wipe what is in RAM (except itself) before then shutting down. This will eliminate anyone getting the key from the RAM, but does not protect the unencrypted data still residing in RAM. Also the additional problem is introduced of the USB drive becoming the vulnerability; perhaps have a special purpose USB drive that uses a type of fast fading RAM rather than flash. So if it is taken the memory will fade quickly, and if the drive has a secure housing, it would be difficult to obtain any residual memory as they would not be able to get to the chip quick enough to cool it or copy data.

Conclusion:
All these ideas need refinement, but a combination of the above methods would make it exceptionally difficult to obtain the user’s key or data. Some of the options are cheap and easy to implement, others are not. It all depends on how much the user is willing to spend. Spend enough, using most of these options and nothing will get your data except an extremely well planned attack, or a vulnerability presented due to user error (e.g. easy to guess pass key / user not watching who is watching them / user leaving a machine with extremely sensitive data unattended…. etc).

I mean, thats if you WANT to. I’m sure the number of people out there capable, or even aware, of this attack is extremely low. You’re most likely going to have your laptop stolen by someone who isn’t familiar with this type of attack.

…. Did you not see the tactic demonstrated for recovering dumped ram.. Bios password,hahaha remove the CMOS battery and it’ll reset. BIOMETRIC in the bios and even then a piece of scotch tape foiled your secret data.

irc.2600.net #backtrace

if attacker finds an unattended laptop the key isn’t there.

lookup IronKey usb drives surly this technology can be applied to external hard disks as well?

I am experimenting with modifying the halt script at shutdown in a Live CD environment of Ubuntu 8.10 (Gnome env). It looks like there is a configuration parameter that sets HALT=poweroff that might be able to be changed to HALT=halt, so that it might be possible to work it into the script to execute just before powering off (possibly manually).

Who would need security from this – what about credit card or insurance companies that deal with full social security numbers on a daily basis?

Like everyone else has said, running a shutdown program to wipe the RAM requires power to the system. No power = no wipe = stolen info.

Biggest question is, are hard drives with a built-in security chip safe from something like this? I think Western Digital or Seagate have drives like this. The key is stored on the drive, not in RAM, so a different method is needed?