I wrote a paper with a countermeasure for a cold-boot attack and am currently in the rebuttal process.

One reviewer struggles with the motivation behind cold-boot attacks. Specifically, he asks if there is an example of a cold-boot attack used in the real world.

To answer him, I searched for forensic companies that use the cold-boot attack, but they were not easy to find.

Are there forensic companies or forensic examples that use the cold-boot attack?

forest
seol

1 Answer

Yes, there are examples of cold boot attacks in the wild. An archived presentation gives an example of live memory acquisition on a server when DMA is not possible and when the native BIOS automatically initializes ECC memory at boot. The forensic investigators ended up writing a custom version of the open source coreboot BIOS and flashing it on the target hardware. This custom BIOS was designed to read memory and export its contents, lightly compressed, over a serial device. In order to get the new BIOS to run, they had to reset the CPU. I believe they were able to do that using the LPC bus. The end result was a low-memory footprint cold boot attack.

There are also examples of cold boot attacks being used on hardware you own in order to obtain valuable information to assist reverse engineering. Cold boot attacks have been used against various game consoles, and even prompted Microsoft to implement transparent memory encryption on their Xbox 360 console. The attack has also been attempted to view memory (UMA) reserved by the Intel Management Engine, which is blocked from software access.

forest