Are cold boot attacks exotic or used regularly?

I’m specifically interested in typical steps of law enforcement confiscating a dedicated server at a hosting provider (like OVH, Hetzner).

Assume full-disk encryption is used with strong keys on a dedicated server (not cloud VM / VPS). The only way to get the keys is from RAM. Now law enforcement has an order to confiscate this server.

The easiest would be to power down the machine and take the disks (or the whole server case).

Do they commonly try to dump the RAM using a cold-boot attack to get the disk encryption keys?

I am specifically interested in the standard case: Not the top threat actors, but run-of-the-mill confiscations. I’m certain cold-boot attacks are used in high profile cases, but wondering about the everyday case.

Online research yielded lots of demos and experiments, but no field reports of this being used by law enforcement.

2 Likes

This has so many variables and factors including if what you’re doing is going to be illegal. We cannot advise you on how to do illegal things as I’m sure that’s against the platform and forum policy.

So, it’s going to be difficult if not impossible to answer with any certainty without knowing more.

Also, you’re asking about your country’s/region’s law enforcement protocols on how best to fail their efforts. No one is going to know this info they guard deeply.

1 Like

Thank you for the positive reply. Indeed I’m only interested in understanding security practices on all sides.

As an example, the 2025 Dell XPS does not support TME for memory encryption. Users may use LUKS, and get their laptop stolen with a screen lock on or in standby. An attacker could now reboot from USB or network and dump RAM. As a user, it is good to know this.

I asked the question specifically about large hosting companies, as these operate fleets of dedicated servers by all types of actors. Some of them may be political actors you may consider morally fine (even legally fine in most countries), but still under attack in some countries. It is important for such actors to understand the risk. Can they assume law enforcement dumps RAM on dedicated servers? I understand the question has no “yes” or “no” answer because it depends on the country and severity of the actor. However, I was trying to gather whether we are in the field of “yeah, dude, everyone always dumps RAM” or whether this is still something “special”.

Not with reset attack mitigation. The kernel can tell the firmware to wipe RAM on system reset.

My understanding is this is fairly ubiquitous in modern systems, though I admit I’ve never really cared to explicitly check for it.

However, this does not protect against all forms of cold boot attacks, only ones like you mentioned where the attacker tries to e.g. boot the system from USB and read from “empty” RAM.

The Trusted Computing Group (TCG), who specified the mechanism in the reset attack mitigation, is also a party who worked on the Trusted Platform Module (TPM). It seems since TPM 2.0 and greater, reset attacks have been mitigated. However, after reading the demonstrated attacks, as well as some appearing to have voiced privacy concerns (more from FSF), it’s hard to say how well this may work in practice depending on the threat model proposed, and this isn’t an area I’ve studied as much so I can’t provide more insight.

I would try researching if law enforcement even discloses such information in the first place. Is law enforcement required to say exactly how they cracked it? If so, you should be able to dig into this more. Otherwise, this information will be hard to gather.

Otherwise, I would take a step back and ask, is this a question of curiosity or question of concern? If it’s the latter, I would highly recommend having redundancy measures in place and fail-safe countermeasures long before you need to start worrying about cold boot attacks.
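One way to explicitly check the reset attack mitigation mentioned in the two replies above, as an added example that is not part of any post in this thread: on a UEFI Linux host the TCG MemoryOverwriteRequestControl variable is exposed through efivarfs, and bit 0 tells the firmware to overwrite RAM on the next reset. The helper names and the sample blobs are constructed for illustration, and as noted above this covers only the reboot-and-dump case, not every form of cold boot attack.

```python
import struct
from pathlib import Path

# Linux efivarfs name of the TCG MemoryOverwriteRequestControl (MOR) variable.
MOR_PATH = Path("/sys/firmware/efi/efivars/"
                "MemoryOverwriteRequestControl-e20939be-32d4-41be-a150-897f85d49829")

def parse_mor(raw: bytes) -> dict:
    """Decode an efivarfs blob: 4-byte little-endian attributes, then the data byte."""
    if len(raw) < 5:
        raise ValueError(f"MOR variable too short: {len(raw)} bytes")
    (attrs,) = struct.unpack_from("<I", raw, 0)
    value = raw[4]
    return {
        "attributes": attrs,
        "clear_memory": bool(value & 0x01),         # bit 0: wipe RAM on next reset
        "disable_auto_detect": bool(value & 0x10),  # bit 4: no clean-shutdown shortcut
    }

def check_mor(path=MOR_PATH):
    """Return the decoded state, or None if the variable is absent or unreadable."""
    try:
        return parse_mor(Path(path).read_bytes())
    except OSError:
        return None

def verdict(state) -> str:
    """Turn the decoded state into a one-line finding for an audit report."""
    if state is None:
        return "MOR variable not exposed: no firmware reset mitigation visible"
    if state["clear_memory"]:
        return "armed: firmware is asked to overwrite RAM on the next reset"
    return "not armed: a warm reboot may leave key material in RAM"

# Constructed sample blobs (attributes 0x7 = NV | BS | RT), not captured from a real host.
SAMPLE_ARMED = struct.pack("<I", 0x7) + b"\x01"
SAMPLE_UNARMED = struct.pack("<I", 0x7) + b"\x00"

if __name__ == "__main__":
    print("this host:", verdict(check_mor()))
    print("sample armed:", verdict(parse_mor(SAMPLE_ARMED)))
    print("sample unarmed:", verdict(parse_mor(SAMPLE_UNARMED)))
```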

When I was researching this type of attack, I concluded that they initiate this type of attack at the device’s location or in a mobile lab under the house, because the success of this type of attack depends on the speed of access to RAM. They may not succeed in many things if the device is protected. Therefore, I concluded that similar attacks could be used, for example, against Bill Gates, if he, figuratively speaking, falls out with Trump.

If the police are thinking of seizing your device, they will most likely seize your device when it is turned on, so cold boot attacks are rare.

maybe