KSII Transactions on Internet and Information Systems
Monthly Online Journal (eISSN: 1976-7277)

Cold Boot Attack on Encrypted Containers for Forensic Investigations


Abstract

Digital forensics is gaining popularity in the adjudication of criminal cases as the use of electronic gadgets in committing crime has risen. The traditional approach to collecting digital evidence falls short when the disk is encrypted. Encryption keys are often stored in RAM while the computer is running. An approach to acquiring forensic data from RAM when the computer is shut down is proposed. The approach requires that the investigator immediately cool the RAM and transplant it into a host computer provisioned with a tool, developed on the cold boot concept, to acquire the RAM image. Comparing the data obtained from the acquired image with the data loaded into memory shows that the RAM chips exhibit some level of remanence, which allows their content to persist after shutdown, contrary to the accepted knowledge that RAM loses its content as soon as power is cut. Results from experimental setups conducted with three different RAM chips, labeled System A, B and C, showed that at a reduced temperature of -25°C the content suffered decay of 2.125% in 240 seconds, 0.975% in 120 seconds and 1.225% in 300 seconds respectively, whereas at an operating temperature of 25°C there was decay of 82.33% in 60 seconds, 80.31% in 60 seconds and 95.27% in 120 seconds respectively. The content of RAM suffered significant decay within two minutes without power supply at operating temperature, while at a reduced temperature less than 5% decay was observed. The findings show that data can be recovered for forensic evidence even if the culprit shuts down the computer.


Cite this article

[IEEE Style]
F. Twum, E. M. Lagoh, Y. Missah, N. Ussiph, E. Ahene, "Cold Boot Attack on Encrypted Containers for Forensic Investigations," KSII Transactions on Internet and Information Systems, vol. 16, no. 9, pp. 3068-3086, 2022. DOI: 10.3837/tiis.2022.09.013.

[ACM Style]
Frimpong Twum, Emmanuel Mawuli Lagoh, Yaw Missah, Najim Ussiph, and Emmanuel Ahene. 2022. Cold Boot Attack on Encrypted Containers for Forensic Investigations. KSII Transactions on Internet and Information Systems, 16, 9, (2022), 3068-3086. DOI: 10.3837/tiis.2022.09.013.

[BibTeX Style]
@article{tiis:25993,
  title="Cold Boot Attack on Encrypted Containers for Forensic Investigations",
  author="Frimpong Twum and Emmanuel Mawuli Lagoh and Yaw Missah and Najim Ussiph and Emmanuel Ahene",
  journal="KSII Transactions on Internet and Information Systems",
  DOI={10.3837/tiis.2022.09.013},
  volume={16},
  number={9},
  year="2022",
  month={September},
  pages={3068-3086}
}