HeadlinesBriefing.com

GitHub Releases Bare-Metal RAM Dumper for Cold Boot Research

Hacker News

A new x86 bare-metal utility called BareMetal-RAM-Dumper dumps physical RAM straight to disk for Cold Boot Attack experiments. It boots from USB or disk using BIOS interrupts and switches into unreal mode (real mode with 32-bit segment limits) so that it can address memory above the 1 MB real-mode limit. It is aimed at researchers investigating memory-security weaknesses such as key remanence in DRAM.

The tool targets the window that cold boot attacks depend on: DRAM contents decay slowly after power is cut, and cooling the modules (the article cites -60°C) slows that decay further, so an attacker who reboots from a USB drive into the dumper can capture memory, including disk-encryption keys still resident in RAM, before they fade. On boot it walks the system memory map returned by BIOS INT 0x15, AX=0xE820, keeps the entries marked as usable RAM, and writes their contents to disk starting at LBA 64 using the BIOS extended (LBA-addressed) write service, INT 0x13, AH=0x43.

The bootloader is two-stage: stage 1 loads stage 2 from LBA 1, checks that the BIOS supports Enhanced Disk Drive (EDD) extensions (INT 0x13, AH=0x41), and then iterates over RAM in 32 KB chunks. Because the BIOS write service is a real-mode interface that takes a segment:offset buffer, each chunk is first copied into a buffer below 1 MB and then written out. Two practical caveats follow. The dump must go to a dedicated, blank USB drive, because everything from sector 64 onward is overwritten. And the low-memory pages occupied by the bootloader, its copy buffer and the BIOS's own data structures cannot be captured faithfully, since the dumper has already written over them by the time they are read.
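The E820 walk and the chunk-to-LBA bookkeeping described above, as an added example in C that is not code from the BareMetal-RAM-Dumper project or the article: it decodes a constructed E820 buffer laid out the way the BIOS leaves it in memory, keeps only type 1 (usable RAM) entries, gives each 32 KB chunk a 64-sector slot starting at LBA 64, and then goes one step beyond the page by answering the question a researcher asks after the dump: at which sector of the stick does a given physical address live? The sample map, the back-to-back packing of regions on disk, the 4 GiB clamp for a 32-bit unreal-mode copy loop and the function names are assumptions made for this example; the page does not specify how the tool lays regions out.

```c
/* Added example, not code from the BareMetal-RAM-Dumper project: decode a BIOS INT 0x15/E820
 * memory map, keep the usable regions, lay their 32 KiB chunks out on disk from LBA 64 onward,
 * and map a physical address back to the sector that holds it. The sample map, the contiguous
 * packing of regions on disk and the 4 GiB clamp are assumptions made for this example. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define E820_USABLE        1u
#define CHUNK_BYTES        (32u * 1024u)                 /* 32 KiB per copy, as the article describes */
#define SECTOR_BYTES       512u
#define SECTORS_PER_CHUNK  (CHUNK_BYTES / SECTOR_BYTES)  /* 64 sectors per chunk */
#define FIRST_DUMP_LBA     64ull                         /* the dump starts at LBA 64 */
#define UNREAL_LIMIT       0x100000000ull                /* 32-bit offsets in unreal mode reach 4 GiB */
#define MAX_REGIONS        64

/* One E820 entry as the BIOS stores it: base, length, type, all little-endian. Entries are
 * 20 bytes, or 24 when the ACPI 3.0 extended-attributes word is present. */
struct e820_entry { uint64_t base; uint64_t length; uint32_t type; };
/* A usable region and the LBA at which its first chunk lands on the stick. */
struct dump_region { uint64_t phys_start, phys_end, first_lba; };
struct dump_plan { struct dump_region r[MAX_REGIONS]; size_t count; uint64_t next_lba, skipped_bytes; };

static uint64_t rd64(const uint8_t *p) { uint64_t v = 0; for (int i = 7; i >= 0; i--) v = (v << 8) | p[i]; return v; }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }
static void wr64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Decode raw E820 entries of entry_size bytes each (20 or 24); returns how many were decoded. */
size_t e820_parse(const uint8_t *buf, size_t buf_len, size_t entry_size,
                  struct e820_entry *out, size_t max_out)
{
    size_t n = 0;
    if (entry_size < 20) return 0;
    for (size_t off = 0; off + entry_size <= buf_len && n < max_out; off += entry_size, n++) {
        out[n].base   = rd64(buf + off);
        out[n].length = rd64(buf + off + 8);
        out[n].type   = rd32(buf + off + 16);    /* 1 = usable RAM; every other type is skipped */
    }
    return n;
}

/* Assign disk space: each usable region gets ceil(len / 32 KiB) chunk slots of 64 sectors, packed
 * back to back from LBA 64. Memory at or above 4 GiB is counted as skipped, because a 32-bit
 * unreal-mode copy loop cannot address it. */
void plan_dump(const struct e820_entry *map, size_t n, struct dump_plan *plan)
{
    memset(plan, 0, sizeof *plan);
    plan->next_lba = FIRST_DUMP_LBA;
    for (size_t i = 0; i < n && plan->count < MAX_REGIONS; i++) {
        if (map[i].type != E820_USABLE || map[i].length == 0) continue;
        uint64_t start = map[i].base, end = map[i].base + map[i].length;
        if (start >= UNREAL_LIMIT) { plan->skipped_bytes += map[i].length; continue; }
        if (end > UNREAL_LIMIT)    { plan->skipped_bytes += end - UNREAL_LIMIT; end = UNREAL_LIMIT; }
        struct dump_region *r = &plan->r[plan->count++];
        r->phys_start = start; r->phys_end = end; r->first_lba = plan->next_lba;
        plan->next_lba += ((end - start + CHUNK_BYTES - 1) / CHUNK_BYTES) * SECTORS_PER_CHUNK;
    }
}

/* Where does physical address addr sit in the image? Fills *lba and the byte offset within that
 * sector and returns 1, or returns 0 if addr was not dumped (a hole, reserved memory, above 4 GiB).
 * Chunks of one region are consecutive on disk, so the sector is (addr - region start) / 512. */
int locate(const struct dump_plan *plan, uint64_t addr, uint64_t *lba, uint32_t *byte_off)
{
    for (size_t i = 0; i < plan->count; i++) {
        const struct dump_region *r = &plan->r[i];
        if (addr < r->phys_start || addr >= r->phys_end) continue;
        uint64_t rel = addr - r->phys_start;
        *lba = r->first_lba + rel / SECTOR_BYTES;
        *byte_off = (uint32_t)(rel % SECTOR_BYTES);
        return 1;
    }
    return 0;
}

/* Constructed sample map (not from a real machine): 639 KiB of conventional memory, the EBDA and
 * BIOS ROM holes, 2047 MiB above 1 MiB, an APIC hole, and 1 GiB above 4 GiB. It is serialised to
 * raw 24-byte entries first so that e820_parse() is exercised on the layout the BIOS leaves. */
size_t sample_plan(struct dump_plan *plan)
{
    static const struct e820_entry sample[] = {
        { 0x000000000ull, 0x0009FC00ull, 1 }, { 0x00009FC00ull, 0x00000400ull, 2 },
        { 0x0000F0000ull, 0x00010000ull, 2 }, { 0x000100000ull, 0x7FF00000ull, 1 },
        { 0x0FEC00000ull, 0x00001000ull, 2 }, { 0x100000000ull, 0x40000000ull, 1 },
    };
    enum { N = sizeof sample / sizeof sample[0], ENTRY = 24 };
    uint8_t raw[N * ENTRY];
    for (size_t i = 0; i < N; i++) {
        wr64(raw + i * ENTRY,      sample[i].base);
        wr64(raw + i * ENTRY + 8,  sample[i].length);
        wr32(raw + i * ENTRY + 16, sample[i].type);
        wr32(raw + i * ENTRY + 20, 1);               /* ACPI 3.0 attributes: bit 0 = entry valid */
    }
    struct e820_entry parsed[N];
    size_t n = e820_parse(raw, sizeof raw, ENTRY, parsed, N);
    plan_dump(parsed, n, plan);
    return n;
}
```

Call `sample_plan()` to build the plan and `locate()` to translate an address; on a real dump the byte position on the stick is `lba * 512 + byte_off`, which is where to seek in an image of the drive. Two things the numbers make visible: the 1 GiB above 4 GiB never reaches the stick, and the first slot (physical 0x0 to 0x7FFF) contains the BIOS data area and the 0x7C00 region where the BIOS loads the boot sector, so those bytes reflect the dumper itself rather than the state of the machine before the reboot.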

For memory forensics research this provides a simple, bootable mechanism for capturing volatile memory in controlled cold boot experiments; how much of the original contents survives still depends on the hardware, the temperature of the modules and the delay between power-off and the dump.