Wipe Ram

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
  

Re: Wipe Ram

Post Posted: Wed Jan 02, 2013 3:46 pm

memory that is no longer used by any process, which is available to be allocated to other processes, but that still has not been reset and contains the old values.

avocadus
Newbie
 
 
  

Re: Wipe Ram

Post Posted: Wed Jan 02, 2013 4:21 pm

- Passmark
> When i inspect hiberfil.sys

You asked about RAM. The hiberfil.sys file is a file on the disk & not RAM. Although like many files on the hard disk it contains content that was in RAM at some point.

If your real question is how to avoid data in the hiberfil.sys, then you can turn off hibernation.

You might also want to zero the page file via the registry change.

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management]
"ClearPageFileAtShutdown"=dword:00000001


Passmark, just to open up the discussion, have you found (and I am of course referring to your expertise), in your experience any system problems that occur following setting of "dword:00000001"?

Thanks Greg
_________________
Institute for Digital Forensics (IDF) - LinkedIn
Mobile Telephone Examination Board (MTEB) - LinkedIn
Mobile Telephone Evidence & Forensics trewmte.blogspot.com
ForensicMobex now MTEB Linkedin Subgroup 

trewmte
Senior Member
 
 
  

Re: Wipe Ram

Post Posted: Wed Jan 02, 2013 8:34 pm

I am not aware of any problems.

Note that this isn't an undocumented hack.

It is a Microsoft documented setting.
technet.microsoft.com/...s.10).aspx

That article however makes me wonder if it only applies to Windows Server OS. I haven't tested this. It does slow down shut down times however if you have a large paging file.  

Passmark
Senior Member
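
A read-only check of the settings discussed in the posts above (ClearPageFileAtShutdown, hibernation and hiberfil.sys, and the page file size that drives the slower shutdown), as an added PowerShell example that is not part of the original thread. The function name Get-MemoryResidueSettings is made up for illustration, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: read-only audit of the settings discussed in this thread.
# Get-MemoryResidueSettings is a hypothetical name, not a built-in cmdlet.
function Get-MemoryResidueSettings {
    $mm    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $power = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'

    # Read both values without throwing if one is absent.
    $clear = (Get-ItemProperty -Path $mm -Name ClearPageFileAtShutdown -ErrorAction SilentlyContinue).ClearPageFileAtShutdown
    $hib   = (Get-ItemProperty -Path $power -Name HibernateEnabled -ErrorAction SilentlyContinue).HibernateEnabled

    # hiberfil.sys is a hidden system file in the root of the system drive.
    $hiber = Get-ChildItem -LiteralPath "$env:SystemDrive\" -Filter 'hiberfil.sys' -Force -ErrorAction SilentlyContinue

    # Every configured page file; a large one is what lengthens shutdown
    # once ClearPageFileAtShutdown is 1.
    $pageFiles = @(Get-CimInstance -ClassName Win32_PageFileUsage -ErrorAction SilentlyContinue)
    $pageMB    = ($pageFiles | Measure-Object -Property AllocatedBaseSize -Sum).Sum

    [pscustomobject]@{
        ClearPageFileAtShutdown = if ($null -eq $clear) { 'not set' } else { $clear }
        HibernateEnabled        = if ($null -eq $hib) { 'not set' } else { $hib }
        HiberfilPresent         = [bool]$hiber
        HiberfilSizeMB          = if ($hiber) { [math]::Round($hiber.Length / 1MB) } else { 0 }
        PageFiles               = ($pageFiles.Name -join ', ')
        PageFileAllocatedMB     = [int]$pageMB
    }
}

Get-MemoryResidueSettings | Format-List

# Changes suggested in the thread (run elevated, only after reviewing the output):
#   powercfg /hibernate off
#   Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management' `
#       -Name ClearPageFileAtShutdown -Value 1 -Type DWord
```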
 
 
  

Re: Wipe Ram

Post Posted: Wed Jan 02, 2013 8:45 pm

And going back to the original question.

If you are worried about people looking at your hiberfil.sys file then do full disk encryption. This provides a lot more security than just trying to clean the hiberfil.sys.

Or use a self encrypting hard drive, like this one
www.hgst.com/internal-...ng-drives/  

Passmark
Senior Member
 
 
  

Re: Wipe Ram

Post Posted: Thu Jan 03, 2013 6:15 am

@Passmark
Yes, that of full disk encryption is the same suggestion given on the linked to thread on reboot.pro.

- avocadus
memory that is no longer used by any process, which is available to be allocated to other processes, but that still has not been reset and contains the old values.

Good, but not enough.
Now, how one can find that memory space?

I mean, imagine - to simplify things - that you are using a machine with a limited amount of memory, let's say 1 Gb and XP (you can extend the sizes to later OS, but the reasoning will be the same).
The windows memory manager will reserve, for the OS working, a given amount of RAM, let's say 384 Mb.
Then you start programs, do whatever you do on the PC, and the size of memory allocated changes (grows).
At the limit (but let us exclude the case for now) it could also go over total physical RAM and start paging on hard disk (and/or some Windows optimization routine may anyway page to hard disk in order to keep more RAM free).
Then you close all the programs and memory used by the OS should "shrink" to the initial 384 Mb. (but it won't for a number of reasons).
IF it does, you may, as the OP in the given thread proposed to, create a RAMDISK in the 640 Mb of "free" RAM and "wipe" this virtual disk.
But you will still have the 384 Mb used by windows in which there may well be "pages" of memory that still contain some of the data of the programs you ran previously.
And remember that Windows has proprietary managing code for the memory (including the "optimizing" tricks mentioned before) and it is a multi-tasking system with several services running in the background and that can be "triggered" by *anything* and that may thus write *anything* to RAM or allocate *any* address at *any* time.
Afaik a given memory location can be in any given moment in a "status" of either:
  1. unallocated by windows
  2. unused by windows but used before by it
  3. unused by windows but used before by it AND reserved for future use by windows
  4. used by windows
and the status of each is not "static" but rather "dynamic" so, unless you "hook" in real time the Windows Memory manager or - better - you write a replacement for it, you have no chances of getting what you would like to do.


@trewmte and @Passmark
The Clear Pagefile on shutdown is not reserved to Server OS, and JFYI, and limited to XP, it is possible to delete the pagefile on a running system (it will be recreated at next boot) as long as the RAM is not so filled up as to page consistently.
See:
www.msfn.org/board/top...-shutdown/


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Wipe Ram

Post Posted: Thu Jan 10, 2013 2:34 pm

I am thinking that in general this shouldn't be too difficult.

As a start you really just need to walk the process list and map the memory assigned to each process.

VMMap will give you a nice visual guide of how a process uses memory.

You would then need to allocate such memory to your own process, or otherwise lock it, to prevent a process claiming it as you are wiping it - and then wipe it.

It would be hard of course to guarantee that you are getting all memory, especially on a dynamic system. Just watching task mangler showing all processes reveals how much work is going on even when you are not working so to speak.
_________________
Paul Sanderson
SQLite Forensic Toolkit
sandersonforensics.com...ic-Toolkit
www.twitter.com/sandersonforens
www.facebook.com/recon...resoftware 

PaulSanderson
Senior Member
 
 