Cold boot attack

In cryptography, a cold boot attack (or to a lesser extent, a platform reset attack) is a type of side channel attack in which an attacker with physical access to a computer is able to retrieve encryption keys from a running operating system after using a cold reboot to restart the machine. The attack relies on the data remanence property of DRAM and SRAM to retrieve memory contents that remain readable in the seconds to minutes after power has been removed.

To execute the attack, a running computer is cold-booted. Cold-booting refers to when power is cycled “off” and then “on” without letting the operating system shut down cleanly, or, if available, pressing the “reset” button. A removable disk is then immediately used to boot a lightweight operating system, which is then used to dump the contents of pre-boot physical memory to a file. Alternatively, the memory modules are removed from the original system and quickly placed in a compatible machine under the attacker's control, which is then booted to access the memory. Further analysis can then be performed against the information that was dumped from memory to find various sensitive data, such as the keys contained in it. Automated tools are now available to perform this task for attacks against some popular encryption systems using various forms of key finding attack.

The attack has been demonstrated to be effective against full disk encryption schemes of various vendors and operating systems, even where a Trusted Platform Module (TPM) secure cryptoprocessor is used. This is because the problem is fundamentally a hardware (insecure memory) and not a software issue. While the focus of current research is on disk encryption, any sensitive data held in memory is vulnerable to the attack.

...
Wikipedia