Got a BSOD. Had about 40 unsaved Notepad files.

[ElielC]

Hello there,

My computer was running since about 80 days and i had about 40 unsaved Notepad text files.
Got a BSOD without doing anything.
Yesterday when i've come back to use the PC, i saw the BSOD.

Now i really need to backup those unsaved Notepad files.
I know that Windows 7 does not save them in a temporary folder and they are actually stored only in the ram which is volatile.

I found that it is possible to dump the memory with a "Cold Boot Attack" to a USB flash drive.

Cold Boot Attack Tools for Linux | Linux Journal

I tried to compile x64 version of the program (I have 8GB of memory) without success.
My knowledge in this domain is close to 0.
Can i ask a favor from someone with compiling knowledge and give me a compiled x64 scraper.bin so i can try to dump my memory with this method ?

My PC is still running and under power showing me the blue screen.
I did not touch him since the blue screen.
I also want to mention that my PC was never connected to the net, i only use it for writing Memo on Notepad files.

I do agree that not saving so much files is very stupid, but my PC was super stable and sometimes are running for over 6 months without a reboot.
I did not know that he can BSOD without doing anything like that.

Thanks you for the help.

 

[wither 2]

Would you post the BSOD information per this-

Blue Screen of Death (BSOD) Posting Instructions

 

[ElielC]

Hello,

Don't need assistance about the BSOD itself.
I don't care about it.
What i'm trying to do is to make a full dump of the memory in hope that the unsaved Notepad files are still somewhere in the memory even after the BSOD.

I need a compiled x64 version of the bios_memimage utility which should result in a scraper.bin file which i will put on a USB drive.
Then i will reset the PC and boot from the USB drive which should capture a complete dump of the memory before the memory get a chance to vanish.

In hope that i can get back all my unsaved Notepad files.

Thanks you.

 

[wither 2]

My apologies but what you want to do is beyond my capabilities to answer. I've asked someone else if they can help.

 

[ElielC]

Thanks you wither 2.

I forget the link of the utility.
Here it is.

GitHub - DonnchaC/coldboot-attacks: Archive of the original "cold boot" attack tools from CITP at Princeton. The original links are broken.

I need the 64 bits version which is the BIOS_memimage 2.1 file.

To compile the 64 bits version, the command are make -f Makefile.64

Instructions can be found in the archive in the docs folder.

 

[iko22]

Hello,

Don't need assistance about the BSOD itself.
I don't care about it.
What i'm trying to do is to make a full dump of the memory in hope that the unsaved Notepad files are still somewhere in the memory even after the BSOD.

I need a compiled x64 version of the bios_memimage utility which should result in a scraper.bin file which i will put on a USB drive.
Then i will reset the PC and boot from the USB drive which should capture a complete dump of the memory before the memory get a chance to vanish.

In hope that i can get back all my unsaved Notepad files.

Thanks you.

The files you request depend on Compilation from GNU GCC compiler. I do not have this compiler on any of my machines. Sorry.

I think the code project in question depends on "Persistent Memory"; something which has only been exploited in Windows Server 2019 and Windows 10. From a Windows 10 computer, you can type something into WordPad, Restart the Computer, and the WordPad text will still be there on the desktop. You cannot do that in Windows 7.

Microsoft Office and LibreOffice, and many other applications, also have feature to backup your edited document, in case of Power Failure. This backup facility does not exist in NotePad or WordPad.

 

[ElielC]

No you are wrong.

This exploit have been published by Princeton University in 2008

Here is the original link Lest We Remember: Cold Boot Attacks on Encryption Keys | Center for Information Technology Policy

This has nothing to do with the version of the operating system.

The current version of Windows 10 create a backup even on Notepad.

 

[iko22]

Well I'd like to give it a go and see if it works. Still I do not have GCC compiler on any of my machines. The file you request, depends on the GNU GCC compiler being available.

What is the state of the problem machine? Is it still switched on? If it has been switched off, then the RAM would have lost all data.

If your computer is still switched on continuously since the BSOD then I'd be prepared to install GCC compiler to prepare the file for you. You'd still need to load the file to a suitable USB flash memory stick, at your side.

 

[ElielC]

Yes of course.
The PC is still running and is showing the blue screen.
I didn't touch him since the crash.

I will have to create the USB drive after that yes.

Since i do not have how to test the utility, it will be huge help if you can test it on your side before uploading it. (just check that the utility load up correctly and not giving any error)
I do have another PC but i can't test it since it is under UEFI and UEFI require another version of the utility.

I will only have 1 chance to try it.
If the utility does not boot or load correctly, im screwed.

Thanks you for trying to help !

 

[Alejandro85]

First of all, if the data in question is so important to you to even seriously consider a cold boot attack on your own computer, I would consider hiring an expert in the field to do the trick for you. Not only he'll be in a better position to freeze the RAM, reboot and dump the data, but also in scrubbing the resulting thins into a useful piece of data.

Another possible way of rescuing the notepads is by scrubbing the page file, if you happen to have one. Since at the time of the BSOD the machine was idle, there is a goog chance of Windows paging notepad out of physical memory, in which case the page file will contain your data. Assuming it's not encrypted and not overwritten by the BSOD debug info, you might be able to find it there, as long as you don't boot Windows again before taking a copy.
Not that scrubbing a page file is easier that scrubbing a memory dump, but it's a lot more persistent than RAM. Consider this way if a cold boot attack fails or you can't reveal anything useful from it.

Other than that, I also am at a loss at the practical implications of such techniques, other than understanding the theory.

 

[wither 2]

I know I'm a lightweight on this but, out of curiousity, how does one run a utility on a system where a BSOD is displayed on the screen? I'm also wandering why it stopped since a BSOD always reboots my system.

 

[Alejandro85]

I know I'm a lightweight on this but, out of curiousity, how does one run a utility on a system where a BSOD is displayed on the screen?

A cold boot attack is performed by freezing the RAM to near absolute zero (using liquid nitrogen for example) to preserve its contents, then rebooting the computer and booting some memory dumping utility on it. This way, RAM contents are keep for long enough after reboot to boot a small program that records its whole content into disk, for latter forensic analysis. It's not done with the system still BSODed.

All this is possible thanks to the fact that typical RAM sticks don't magically lose their data instantly after power off, but it last a few seconds afterwards, even more if they're cooled. The saved data can then be analyzed safely, often for malicious purposes, or on this case, to recover the previous unsaved workspace.

I'm also wandering why it stopped since a BSOD always reboots my system.

That depends on the system configuration, which is by default to reboot after a few seconds. You can choose to keep the blue screen there indefinitely, until a manual hard reset.

 

[wither 2]

Excellent response!

 

[ElielC]

Hiring an expert...no i don't think.
It's not that hard to do it.

1) Connect USB drive with loaded dump memory utility
2) Freezing the memory with compressed air can
3) Pushing reset bouton on the PC
4) Hold F12 key (on my Gigabyte) to load boot menu options
5) Choosing the USB drive

Step 2 is recommended but not required.
I also don't need to unplug the PC, i can reset it.
So the memory should not have the time to vanish.
Unless BIOS check the RAM and write on it at the boot.
It depends on the BIOS and the motherboard from what i have learn.

I do have pagefile enabled.
This is the first thing i do after installing Windows.
Why ?
Because i have an UPS to prevent loss of work in the case of power cut.
And hibernation take relay when battery is low so i don't lose work even if i'm not at home during the power loss.

But my PC is configured to never enter in sleep when in idle mode so i don't think it moved the notepads to pagefile.

But it is the first thing that i was thinking off to do after the first boot, even if chances are slim on this side.

About the BSOD not rebooting my machine, yes the default parameter is to reboot just after the blue screen which is the most stupid thing that i can think off.
Off course i always change this parameter.

I can't remember if when changing this parameter i also changed the option to make full dump of the memory.

Sad that Windows does not indicate which sort of dump it has created on the BSOD screen.