BHDC11 - De-anonymizing Live CDs through Physical Memory Analysis

intrigeri intrigeri at
Wed Jan 12 11:11:28 UTC 2011


coderman wrote (11 Jan 2011 20:21:13 GMT) :
> In order to
> solve this problem, we present a number of techniques that allow for
> complete recovery of a live CD’s in-memory filesystem and partial
> recovery of its previously deleted contents. We also present memory
> analysis of the popular Tor application as it is used by a number of
> live CDs in an attempt to keep network communications encrypted and
> anonymous.

> (do Tor Live CDs need a new kexec target for memtest sweeps / ram
> zeroisation? :)

As far as I understand, this seems like enhancements over the cold
boot attack, and one more reason why Tor Live CDs should wipe the
system memory on shutdown. Am I misunderstanding?

Most Tor Live CDs (e.g. the good old, now obsolete, Incognito, and its
spiritual successor T(A)ILS) have been doing this for ages.
(note: this is currently working when running from USB, but sometimes
buggy[0] when running from CD => debugging).


  intrigeri <intrigeri at>
  | GnuPG key @
  | OTR fingerprint @
  | We're dreaming of something else.
  | Something more clandestine, something happier.