When we look at security of laptop computers, many people think that encrypting their hard drive will be enough to protect their data in case a laptop gets stolen. Basically that is much safer, than if it is not encrypted.
When laptop is stolen even encrypting hard drive may not save your data from thief’s eyes. Lately there was quite a lot of talk within the security crowd about this, when it was discovered, that computer RAM chips do not lose information as fast as everybody thought. When the computer is turned off, the data on them still stays accessible for 5 minutes or more, especially when RAM chips are cooled down (with CO2 for example) the data on them may be preserved for even 1/2 an hour. That gives bad guys an oportunity to move the chips to another computer, dump the whole content of RAM to disk and then they have a lot of time at their disposal to search for the encryption keys that were stored in RAM while the computer was running. With keys in their hands your hard disk is an open book. With all your documents, emails, bank accounts, telephone numbers and what not.
So what do scenarios look like? Many people use standby mode, or hibernate to get the computer faster online. Each of them puts the computer into a vulnerable position.
When the computer is in sleep mode, the RAM is still being refreshed and so all the keys for hard disk encryption are still there. If the computer is stolen, a bad guy can poweroff the box and cool down the RAM and then do all the magick needed to access your encrypted data.
With hibernate the contents of RAM is written to hard disk before the power is turned off. Again the encryption keys reside somewhere in the saved ram. Some might say, but we can encrypt the hibernate file/partition. True, but then again the keys for reading this partition need to be stored somewhere and if that is in the computer they can be found.
And if we use the normal power off, the contents in RAM is still available for certain amount of time. What can be done, to avoid this? For example wiping RAM content at shutdown would be ok.
But if somebody steals the laptop while it was turned on (or in sleep mode) they might be able to get access to your (secret) data.
Testing this RAM behavior can be done easy with coreboot. Coreboot is an open source BIOS, that can basically start any payload you want to start. It can use L2 cache for its operation and not touch (change) RAM at all. So if you use coreinfo payload, you can besides other things, do RAM dump and see for yourself.
