Got a BSOD. Had about 40 unsaved Notepad files.


  1. Posts : 6
    Windows 7 Ultimate x64
       #1



    Hello there,

    My computer had been running for about 80 days and I had about 40 unsaved Notepad text files.
    Got a BSOD without doing anything.
    Yesterday when I came back to use the PC, I saw the BSOD.

    Now I really need to back up those unsaved Notepad files.
    I know that Windows 7 does not save them in a temporary folder and they are actually stored only in the RAM, which is volatile.

    I found that it is possible to dump the memory with a "Cold Boot Attack" to a USB flash drive.

    Cold Boot Attack Tools for Linux | Linux Journal

    I tried to compile the x64 version of the program (I have 8GB of memory) without success.
    My knowledge in this domain is close to 0.
    Can I ask a favor from someone with compiling knowledge: could you give me a compiled x64 scraper.bin so I can try to dump my memory with this method?

    My PC is still running and under power, showing me the blue screen.
    I have not touched it since the blue screen.
    I also want to mention that my PC was never connected to the net; I only use it for writing memos in Notepad files.

    I do agree that not saving so many files is very stupid, but my PC was super stable and sometimes runs for over 6 months without a reboot.
    I did not know that it can BSOD without doing anything like that.

    Thank you for the help.


  2. Posts : 2,246
    Windows 7 Pro SP1 64 bit
       #2

    Would you post the BSOD information per this-

    Blue Screen of Death (BSOD) Posting Instructions


  3. Posts : 6
    Windows 7 Ultimate x64
    Thread Starter
       #3

    Hello,

    Don't need assistance about the BSOD itself.
    I don't care about it.
    What I'm trying to do is to make a full dump of the memory in the hope that the unsaved Notepad files are still somewhere in the memory even after the BSOD.

    I need a compiled x64 version of the bios_memimage utility, which should result in a scraper.bin file which I will put on a USB drive.
    Then I will reset the PC and boot from the USB drive, which should capture a complete dump of the memory before the memory gets a chance to vanish.

    In the hope that I can get back all my unsaved Notepad files.

    Thank you.


  4. Posts : 2,246
    Windows 7 Pro SP1 64 bit
       #4

    My apologies but what you want to do is beyond my capabilities to answer. I've asked someone else if they can help.


  5. Posts : 6
    Windows 7 Ultimate x64
    Thread Starter
       #5

    Thank you wither 2.

    I forgot the link to the utility.
    Here it is.

    GitHub - DonnchaC/coldboot-attacks: Archive of the original "cold boot" attack tools from CITP at Princeton. The original links are broken.

    I need the 64-bit version, which is the BIOS_memimage 2.1 file.

    To compile the 64-bit version, the command is make -f Makefile.64

    Instructions can be found in the archive in the docs folder.


  6. Posts : 2,798
    Windows 7 x64, Vista x64, 8.1 smartphone
       #6

    ElielC said:
    Hello,

    Don't need assistance about the BSOD itself.
    I don't care about it.
    What I'm trying to do is to make a full dump of the memory in the hope that the unsaved Notepad files are still somewhere in the memory even after the BSOD.

    I need a compiled x64 version of the bios_memimage utility, which should result in a scraper.bin file which I will put on a USB drive.
    Then I will reset the PC and boot from the USB drive, which should capture a complete dump of the memory before the memory gets a chance to vanish.

    In the hope that I can get back all my unsaved Notepad files.

    Thank you.

    The files you request depend on compilation with the GNU GCC compiler. I do not have this compiler on any of my machines. Sorry.

    I think the code project in question depends on "Persistent Memory"; something which has only been exploited in Windows Server 2019 and Windows 10. From a Windows 10 computer, you can type something into WordPad, restart the computer, and the WordPad text will still be there on the desktop. You cannot do that in Windows 7.

    Microsoft Office and LibreOffice, and many other applications, also have a feature to back up your edited document in case of power failure. This backup facility does not exist in NotePad or WordPad.


  7. Posts : 6
    Windows 7 Ultimate x64
    Thread Starter
       #7

    No, you are wrong.

    This exploit was published by Princeton University in 2008.

    Here is the original link: Lest We Remember: Cold Boot Attacks on Encryption Keys | Center for Information Technology Policy

    This has nothing to do with the version of the operating system.

    The current version of Windows 10 creates a backup even in Notepad.


  8. Posts : 2,798
    Windows 7 x64, Vista x64, 8.1 smartphone
       #8

    Well, I'd like to give it a go and see if it works. Still, I do not have the GCC compiler on any of my machines. The file you request depends on the GNU GCC compiler being available.

    What is the state of the problem machine? Is it still switched on? If it has been switched off, then the RAM would have lost all data.

    If your computer has been switched on continuously since the BSOD, then I'd be prepared to install the GCC compiler to prepare the file for you. You'd still need to load the file onto a suitable USB flash memory stick, at your side.


  9. Posts : 6
    Windows 7 Ultimate x64
    Thread Starter
       #9

    Yes, of course.
    The PC is still running and is showing the blue screen.
    I haven't touched it since the crash.

    I will have to create the USB drive after that, yes.

    Since I have no way to test the utility, it will be a huge help if you can test it on your side before uploading it. (Just check that the utility loads up correctly and does not give any error.)
    I do have another PC but I can't test it there since it is under UEFI, and UEFI requires another version of the utility.

    I will only have 1 chance to try it.
    If the utility does not boot or load correctly, I'm screwed.

    Thank you for trying to help!


  10. Posts : 2,468
    Windows 7 Ultimate x64
       #10

    First of all, if the data in question is so important to you that you would even seriously consider a cold boot attack on your own computer, I would consider hiring an expert in the field to do the trick for you. Not only will he be in a better position to freeze the RAM, reboot and dump the data, but also in scrubbing the resulting things into a useful piece of data.

    Another possible way of rescuing the notepads is by scrubbing the page file, if you happen to have one. Since at the time of the BSOD the machine was idle, there is a good chance of Windows paging Notepad out of physical memory, in which case the page file will contain your data. Assuming it's not encrypted and not overwritten by the BSOD debug info, you might be able to find it there, as long as you don't boot Windows again before taking a copy.
    Not that scrubbing a page file is easier than scrubbing a memory dump, but it's a lot more persistent than RAM. Consider this way if a cold boot attack fails or you can't reveal anything useful from it.

    Other than that, I also am at a loss as to the practical implications of such techniques, other than understanding the theory.
      My Computer
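
    The page-file scrubbing suggested in post #10, as an added example that is not part of the original thread: a Python carver that streams a copy of a page file or RAM image and pulls out runs of UTF-16LE text. It assumes the Notepad text is held in memory as UTF-16LE; the function names and the sample image are constructed for illustration.

```python
import io
import re

PAGE = 4096  # x86/x64 page size; buffers longer than this may be split up

def carve_utf16_text(stream, min_chars=16, chunk=1 << 20):
    """Yield (byte_offset, text) for every UTF-16LE text run in the stream.

    The stream is read in chunks so a multi-gigabyte image never has to fit
    in memory; a run that crosses a chunk boundary is carried over whole.
    """
    # Printable ASCII, tab, CR or LF, each followed by 0x00.
    run = re.compile(rb"(?:[\t\n\r\x20-\x7e]\x00){%d,}" % min_chars)
    base, buf = 0, b""          # base = image offset of buf[0]
    while True:
        data = stream.read(chunk)
        buf += data
        # Bytes before `keep` are finished with. Hold back a tail long
        # enough to contain a run that is still too short to match.
        keep = max(0, len(buf) - 2 * min_chars) if data else len(buf)
        for m in run.finditer(buf):
            if data and m.end() >= len(buf) - 1:
                keep = m.start()            # may continue in the next chunk
                break
            yield base + m.start(), m.group().decode("utf-16-le")
            keep = max(keep, m.end())
        if not data:
            return
        base += keep
        buf = buf[keep:]

def carve_image(path, needle=None):
    """Carve a copy of a page file or RAM image, opened read-only."""
    with open(path, "rb") as f:
        return [(off, off // PAGE, text) for off, text in carve_utf16_text(f)
                if needle is None or needle.lower() in text.lower()]

def constructed_image():
    """Constructed sample: binary filler around one UTF-16LE memo."""
    memo = "Memo 17: call the supplier about the March invoice.\r\n"
    filler = bytes(range(256)) * 8          # 2048 bytes, no text runs
    return filler + memo.encode("utf-16-le") + filler + b"short\x00", memo

if __name__ == "__main__":
    image, _ = constructed_image()
    for off, text in carve_utf16_text(io.BytesIO(image)):
        print(f"0x{off:08x}  page {off // PAGE}: {text!r}")
```

    Run it against a copy of the image taken from outside the installed Windows, never the original disk. Pages of one document are not necessarily adjacent in a page file or physical dump, so a long memo can come back as several fragments at unrelated offsets.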


 