Hi,
I am currently deciding on my dissertation topic for my final year at university and i'm looking for some advice/opinions on some ideas I have.
I have decided to do my dissertation on looking at how quickly RAM loses it's data after the plug has be pulled. After doing quite a bit of research into this topic I have the following questions
1. It appears that older RAM holds it data much longer than newer types of RAM such as DDR3 is this correct if so what is the reason for this?
2. After speaking to my tutor it has been decided that liquid nitrogen is too expensive/dangerous to work with, the other options I have thought about are desk fans, compressed air & air conditioning units although these are not very "controlled" conditions. Does anyone have any other ideas that would be safe and relatively simple to do?
3. I have been using standalone volatility software on Windows to analyse RAM after taking an image using FTK Imager, are there any other free to use software out there to analyse RAM. I would really like some software to help me look for things such as word documents open in RAM or chat sessions stored in RAM, I plan to use Encase to help me do this currently.
Thanks in advance for your advice, it is appreciated.
2. After speaking to my tutor it has been decided that liquid nitrogen is too expensive/dangerous to work with, the other options I have thought about are desk fans, compressed air & air conditioning units although these are not very "controlled" conditions. Does anyone have any other ideas that would be safe and relatively simple to do?
More than that it is very likely that at liquid nitrogen temperatures the RAM stick will crack/pulverize itself.
The compressed air & air conditioning seems to me like NOT providing the kind of temperatures needed for an experiment of this type.
But you could use Maxwell's Devil 😯
http//
Seriously, one of the most convenient means to have a flux of air at a controlled temperature (and at a relatively little cost) is to use a Ranquel-Hilsch tube (often called Vortex tube)
http//
jaclaz
Belkasoft Live RAM Capturer
http//
Thanks Igor, I shall do some investigation into Belkasoft and have a play around with it!
jaclaz,
I like the look of this tool it seems to be a lot easier to control it is just a matter of getting my university to agree to buying it or at least putting some money towards it. Also will probably pass the old H&S a bit easier than liquid nitrogen D
Thanks for your help I shall put this device forward to my tutor and see what he has to say!
I like the look of this tool it seems to be a lot easier to control it is just a matter of getting my university to agree to buying it or at least putting some money towards it. Also will probably pass the old H&S a bit easier than liquid nitrogen D
A Commercially built tool is not particularly expensive, provided that you already have a suitable air compressor, but even one of those "hobby type"would do (the ones you can by at large hardware stores for 100-200 £, it needs to be a bit "beefy", as the amount and pressure of compressed air determines the temperature drop of cool air ).
A Meech A20400 should be around 400 Pounds (maybe less)
http//
To this you will need to add a good air filter, I believe.
If you are really low on cash, a Vortex can be "home made", there are several "DIY projects" on the 'net, but rarely a home made one has an efficiency comparable to an industrial one.
Example
http//
jaclaz
Correct me if I'm wrong, but don't you want to power off the computer and see how much information remains in the DIMM? If so, you're going to want to look at tools that image the RAM immediately when booted, not something you have to load a full OS before using.
Some of the people at Volatility might have a suggestion.
I haven't tried this, but I would think you could load a modified Linux boot CD with the fmem kernel module and have it dump RAM to a USB drive as soon as it boots. That should get you a mostly complete image of RAM that hasn't been overwritten yet.
Now that I think of it, this could be useful. If you find a locked computer with encryption in use, freeze the DIMMs, boot to something that captures RAM upon boot and hope you get the encryption key. Not perfect, but it could work.
I haven't tried this, but I would think you could load a modified Linux boot CD with the fmem kernel module and have it dump RAM to a USB drive as soon as it boots. That should get you a mostly complete image of RAM that hasn't been overwritten yet.
Now that I think of it, this could be useful. If you find a locked computer with encryption in use, freeze the DIMMs, boot to something that captures RAM upon boot and hope you get the encryption key. Not perfect, but it could work.
Yep, this is what is already "documented", like in
https://
http//
What the dissertation should provide (if I get this right) is some data about temperatures needed, expected retention times on different kinds of RAM.
jaclaz
id use winpmem to capture ram. much smaller footprint than FTK imager and its maintained by the volatility crew.
Couldn't you pop over to the Chemistry/Biochemistry department and ask to use some of their liquid nitrogen? I know when I was at uni they had vats of the stuff and its not that dangerous really as long as you are careful D