@Retr0id is absolutely right. Hardware-level memory encryption (like AMD SME or Intel TME) is the ultimate silver bullet here. The encryption key is generated by the CPU/memory controller per-boot and is lost the moment power is cut, making the RAM contents useless even if frozen.
To answer @floralhangnail's questions from the perspective of how my dumper operates:
Removing RAM vs. Rebooting: My tool actually doesn't require removing the RAM sticks at all! The attack involves freezing the RAM in place, performing a hard power-off, quickly swapping the main system drive with my prepared USB/drive, and powering back on. So physical obstacles like hot-gluing the RAM or hiding it under the keyboard won't stop this specific reboot-based attack.
BIOS Passwords & Secure Boot: You nailed it—these are your best practical defenses on standard hardware. If a BIOS password prevents booting from external media, or if Secure Boot blocks my unsigned 16-bit bootloader, the time it takes to bypass them means the RAM bits will decay. This is exactly why my dumper targets systems with CSM/Legacy BIOS enabled and boot options accessible.
Condensation & Freezing: You don't freeze the entire laptop. You open the bottom cover and spray inverted canned air (-60°C) directly onto the memory modules. Condensation definitely happens and will eventually short the board, but the hardware usually survives just long enough (the few minutes needed) to complete the raw memory dump to disk.
P.S. I'm using AI to translate my messages because I don't speak English. Hope this clears up the physical attack vector!
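The defenses this thread keeps coming back to (Secure Boot refusing unsigned boot media, CPU memory encryption such as AMD SME or Intel TME) can be checked on a Linux host before an attacker ever opens the bottom cover. This is an added example, not code from any commenter or from the dumper tool: the efivar layout (4-byte attributes, then a 1-byte value) and the `sme`/`tme` cpuinfo flag names are standard Linux conventions, while the file paths and the sample cpuinfo text are assumptions.

```python
import glob

# Assumed paths on an x86 Linux host with sysfs efivars mounted.
SECUREBOOT_GLOB = "/sys/firmware/efi/efivars/SecureBoot-*"
CPUINFO_PATH = "/proc/cpuinfo"
# /proc/cpuinfo flag names for the memory-encryption features named in the thread.
MEMORY_ENCRYPTION_FLAGS = {"sme": "AMD SME", "tme": "Intel TME"}
# Constructed sample input for offline use (not taken from any real machine).
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu vme de pse sme sev\n"

def secure_boot_enabled(efivar_data):
    """Decode the SecureBoot efivar: 4-byte attribute header, then a 1-byte value (1 = on).
    Returns None when the variable is absent, i.e. a legacy/CSM boot with no UEFI."""
    if efivar_data is None or len(efivar_data) < 5:
        return None
    return efivar_data[4] == 1

def memory_encryption_support(cpuinfo_text):
    """Return the memory-encryption features the CPU advertises in its flags line.
    Advertised only means supported: SME/TME must also be enabled in firmware, which
    the kernel reports at boot, so treat this as a prerequisite check."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            flags = set(line.split(":", 1)[1].split())
            return sorted(n for f, n in MEMORY_ENCRYPTION_FLAGS.items() if f in flags)
    return []

def assess(efivar_data, cpuinfo_text):
    """Summarise the cold-boot posture as findings a defender can act on."""
    findings = []
    sb = secure_boot_enabled(efivar_data)
    if sb is None:
        findings.append("no SecureBoot efivar: legacy/CSM boot, unsigned external media can boot")
    elif not sb:
        findings.append("Secure Boot disabled: unsigned bootloaders on external media will run")
    else:
        findings.append("Secure Boot enabled")
    memenc = memory_encryption_support(cpuinfo_text)
    if memenc:
        findings.append("memory encryption supported: " + ", ".join(memenc) + " (confirm enabled in firmware)")
    else:
        findings.append("no hardware memory encryption: RAM keeps plaintext across a cold boot")
    return findings

def assess_host():
    """Read the live host's state; the efivar is None when the host booted without UEFI."""
    matches = glob.glob(SECUREBOOT_GLOB)
    data = open(matches[0], "rb").read() if matches else None
    with open(CPUINFO_PATH) as f:
        return assess(data, f.read())
```

Run `assess_host()` on the machine in question; a host that reports a missing SecureBoot variable and no memory-encryption flags is exactly the configuration the dumper above targets.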
When I asked about this 5 years ago, I was told that for many processors you can still just JTAG them and get everything:
https://security.stackexchange.com/questions/189950/how-does...
Has this changed?
I'm not an expert but why would a sufficiently sophisticated attacker not be able to extract the key from SME/TME type hardware protections? I'm thinking about government type attackers who can do extremely sophisticated things to hardware in a lab, not hobby type people.
For SecureBoot you could use the Linux shim bootloader to boot your stick, or a tiny Linux that runs your code, right?
Excellent info, thank you.
I still think with laptops that have 2 RAM sticks under the bottom cover and the other 2 sticks underneath the keyboard, the spray can attack would be trickier. I assume though it's possible the attacker can keep the laptop running while the palmrest and keyboard are being disassembled. If the attacker cannot freeze all sticks of RAM though, would the attack be less likely to be successful? Would the disk encryption key be spread across all RAM sticks, or possibly just one?
I will look more into the hardware memory encryption as suggested.