Step 4: Memory scraping
Here's a photograph of the MacBook's screen as it's booting over the network from Appelbaum's laptop.
It was sent and is now executing an "EFI memory scraper" program that reports 1,298,309,120 bytes (1.25 GB) are available to be transfered. Most of that is in the "segment 2" chunk that totals 1,280,458,752 bytes.
Remember, this is still extremely early in the boot process, meaning the contents of memory from the last session have not been overwritten and may still be intact; Appelbaum, in fact, is counting on it. Those memory contents could include the AES key used for FileVault, the contents of documents being edited, the text of e-mail being written, and so on. FileVault encrypts only data saved to disk, not data kept in memory.
Photo by Declan McCullagh/CNET News.com
Get Smart about Business Spending
