At work, we’ve been looking at hard drive encryption options for laptops that get sent into the field, with our service techs and salesmen. Like most other companies in our position, we sometimes have important customer information stored on computers that leave the physical property of the business, and we want to protect that in case a laptop should turn up missing. And there have been a few different encryption schemes that we’ve checked out, none of which we’ve been particularly satisfied with.
Of course, we hamper our own decision making process somewhat with the (correct) observation that: “if you have access to the hardware, you can get at the data.” In a sense, encrypting laptop hard drives in case of theft is a great idea, if in fact the thief is not particularly skilled at computers and is just looking to get his/her hands on something that can be pawned. On the other hand, if the thief’s goals are more along the lines of industrial espionage, and/or if the thief is a bit more technically savvy, virtually nothing that we do will truly protect the data stored on the laptop’s hard drive.
And actually, using a bootable flash key that contains a small script to capture the contents of a computer’s RAM can reveal to any potential attacker all the information currently stored in the computer’s memory — including encryption passkeys.
The basic principle here is that RAM retains the data that has been put into it for a short time after the computer powers down (or power cycles, i.e. restarts). Cutting power to the RAM will cause it to drop the data it is storing, but only after a short delay. The exact duration of the delay is something which is still in question: ECC (error correcting) RAM tends to clear faster than non-ECC RAM, but even in that case the rate of data decay can still be lowered by subjecting the RAM to freezing conditions (even the cool jet of compressed air from a can can buy you enough time to get at the data).
And all the script on the bootable flash key does is grab the contents of a computer’s RAM at boot time which, generally speaking, is before the RAM has had time to clear. Physical access to the hardware, once again, renders any security method meaningless if the attacker knows what s/he is doing. About the only effective countermeasures against this sort of attack are either physically pulling your computer’s RAM every time you walk away from it (impractical in the case of laptops, in which a portion of the RAM is usually inaccessible and/or impossible to remove from the system board, or else powering down your computer every time you will be away from it. That latter option is fine in an office environment, but many laptop users prefer to just close their laptop up and let it hibernate when they aren’t actively using it. Doing that would, unfortunately, leave the computer vulnerable to the bootable flash key method of attack, since the RAM doesn’t actually get powered down.
Computer security is a pain in the ass.
