Scenario: Your Windows laptop is protected by BitLocker, which prevents unencrypted access to the hard drive once the laptop has been powered off.
Consider three ways a thief can physically seize the machine:
- Seize the hardware while the user is logged in and Windows is not locked.
- Seize the hardware while the user is logged in and has locked Windows.
- Seize the hardware immediately after the laptop was powered off.
In the first case the thief has access to the unencrypted information. This is to be expected.
In the second and third cases, you would expect the thief to be denied access to the encrypted information. In fact, the thief can recover the encryption keys from RAM, because BitLocker keeps them in memory while the volume is mounted: in case 2 through a Direct Memory Access (DMA) attack over a port such as FireWire or Thunderbolt while the screen is locked, and in case 3 by powering the machine back on into a minimal OS (or moving the DIMMs to another machine) and dumping DRAM before its contents decay. This last approach is referred to as a "Cold Boot Attack".
iSEC Partners has made You'll Never Take Me Alive (YoNTMA) to mitigate DMA attacks. If Windows is locked and either the power cord or the wired network cable is disconnected, the system goes into hibernation. Hibernation powers down RAM, so the encryption keys are no longer in memory for a DMA device to read. Two caveats: if you were working on battery power with a wireless network connection, nothing is disconnected when the laptop is carried away, so YoNTMA does not mitigate your risk; and if the OS drive uses a TPM-only protector, the key is unsealed again automatically on the next power-on and the thief lands at the lock screen with the key back in RAM, so the mitigation only holds when BitLocker requires a pre-boot PIN or startup key.
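To make the mechanism concrete, here is an added PowerShell example that reproduces the idea; it is not YoNTMA's own code and is not from iSEC Partners. It polls AC and wired-link state and, when either is pulled while the session is locked, hibernates the machine. It also performs the two pre-flight checks a practitioner would want: that hibernation is enabled at all, and that the OS drive has a pre-boot protector rather than TPM only. It assumes Windows 8 or later (for Get-NetAdapter and the BitLocker module) and an elevated session; the function names, `$PollSeconds`, and the LogonUI heuristic for lock detection are this example's own choices.

```powershell
#Requires -RunAsAdministrator
# Added example, not iSEC Partners' YoNTMA: a minimal watcher that hibernates
# when AC power or the wired link is disconnected while the screen is locked,
# so the BitLocker keys leave RAM before a DMA device can read them.
# Function names, $PollSeconds and the LogonUI heuristic are assumptions of
# this example, not YoNTMA's implementation.

Add-Type -AssemblyName System.Windows.Forms   # for SystemInformation.PowerStatus

$PollSeconds = 2

function Test-HibernateEnabled {
    # "shutdown /h" fails unless hibernation is on (powercfg /hibernate on)
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' -ErrorAction SilentlyContinue
    return ($p.HibernateEnabled -eq 1)
}

function Test-PreBootAuthConfigured {
    # With a TPM-only protector the key is released again on the next boot and the
    # thief reaches the lock screen with the key back in RAM; hibernating only helps
    # if a PIN or startup key is required before boot.
    $vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = $vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType }
    return [bool]($types | Where-Object { $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' })
}

function Test-OnAcPower {
    $status = [System.Windows.Forms.SystemInformation]::PowerStatus.PowerLineStatus
    return ($status -eq [System.Windows.Forms.PowerLineStatus]::Online)
}

function Test-WiredLinkUp {
    # PhysicalMediaType '802.3' is Ethernet; Wi-Fi adapters report 'Native 802.11'
    $up = Get-NetAdapter -Physical -ErrorAction SilentlyContinue |
        Where-Object { $_.PhysicalMediaType -eq '802.3' -and $_.Status -eq 'Up' }
    return [bool]$up
}

function Test-SessionLocked {
    # Heuristic: LogonUI.exe runs while the secure desktop (lock screen) is shown
    return [bool](Get-Process -Name LogonUI -ErrorAction SilentlyContinue)
}

function Invoke-Hibernate([string]$Reason) {
    Write-Host "Session locked and $Reason disconnected: hibernating"
    Start-Process -FilePath "$env:SystemRoot\System32\shutdown.exe" -ArgumentList '/h' -NoNewWindow -Wait
}

# Pre-flight checks
if (-not (Test-HibernateEnabled)) {
    throw 'Hibernation is disabled; run "powercfg /hibernate on" first.'
}
if (-not (Test-PreBootAuthConfigured)) {
    Write-Warning ('OS drive uses a TPM-only protector; hibernation alone will not keep the key ' +
                   'out of RAM after the thief powers the laptop on. Add a PIN, e.g. ' +
                   'manage-bde -protectors -add C: -TPMAndPIN')
}

# Main loop. Like the tool in the text, it reacts to a disconnect that happens
# while the screen is locked, so a laptop locked while already on battery and
# Wi-Fi gets no protection from it.
$wasOnAc  = Test-OnAcPower
$wasWired = Test-WiredLinkUp
while ($true) {
    Start-Sleep -Seconds $PollSeconds
    $onAc  = Test-OnAcPower
    $wired = Test-WiredLinkUp
    if (Test-SessionLocked) {
        if ($wasOnAc -and -not $onAc)        { Invoke-Hibernate 'AC power' }
        elseif ($wasWired -and -not $wired)  { Invoke-Hibernate 'the wired network' }
    }
    $wasOnAc  = $onAc
    $wasWired = $wired
}
```

Run it from an elevated PowerShell session and leave it in the background; to test, lock the screen and pull the power cord. The LogonUI check is a heuristic that also reports "locked" when no one is logged on, which is harmless here since hibernating an idle machine costs nothing.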
How practical is a DMA attack? See Inception, a tool that uses FireWire, Thunderbolt, ExpressCard or PCI/PCIe DMA to dump a locked machine's memory or patch its password check.