Freezing RAM to retain data?

(@research1)
Posts: 165
Estimable Member
Topic starter
 

I heard this by word of mouth, def does not seem factual... but it was mentioned by an EnCase trainer.

RAM, after turning the system off, the data remains on the RAM for around 4 seconds. Instantly freezing that RAM then (obviously remove from system first, I'd assume) will retain the data on that RAM while it is frozen.

Has anyone else heard this, myth or fact?

 
Posted : 23/04/2010 1:45 pm
(@research1)
Posts: 165
Estimable Member
Topic starter
 

<quote>
I heard this by word of mouth, def does not seem factual... but it was mentioned by an EnCase trainer.

RAM, after turning the system off, the data remains on the RAM for around 4 seconds. Instantly freezing that RAM then (obviously remove from system first, I'd assume) will retain the data on that RAM while it is frozen.

Has anyone else heard this, myth or fact?
</quote>

Just found a research paper showing the above is very true.

 
Posted : 23/04/2010 2:15 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Just posted a link to it yesterday:
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=5711
http://citp.princeton.edu/memory/
as I'd like to know if - besides the experimental approach - it has actual use.

jaclaz

 
Posted : 23/04/2010 3:07 pm
(@robinsage)
Posts: 28
Eminent Member
 

<quote>
I heard this by word of mouth, def does not seem factual... but it was mentioned by an EnCase trainer.

RAM, after turning the system off, the data remains on the RAM for around 4 seconds. Instantly freezing that RAM then (obviously remove from system first, I'd assume) will retain the data on that RAM while it is frozen.

Has anyone else heard this, myth or fact?

Just found a research paper showing the above is very true.
</quote>

FYI

The paper, "Lest We Remember: Cold Boot Attacks on Encryption Keys", and associated video may be found at http://citp.princeton.edu/memory/

<quote>
Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at operating temperatures and even if removed from a motherboard. Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images.

We show that this phenomenon limits the ability of an operating system to protect cryptographic key material from an attacker with physical access. We use cold reboots to mount attacks on popular disk encryption systems — BitLocker, FileVault, dm-crypt, and TrueCrypt — using no special devices or materials. We experimentally characterize the extent and predictability of memory remanence and report that remanence times can be increased dramatically with simple techniques.
</quote>

 
Posted : 23/04/2010 3:22 pm
(@robinsage)
Posts: 28
Eminent Member
 

Hi Jaclaz,

you type faster than I do! I have used the memory cold transfer method once in a prior military environment to crossload a crypto key into a telecomms device that wouldn't read the tape / swipe card. The crypto custodian dude wasn't happy, but it got the job done… first we fix 'em

 
Posted : 23/04/2010 3:33 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

<quote>
Hi Jaclaz,

you type faster than I do!
</quote>

I don't, but I'm pretty much quick in copy and paste. ;)

<quote>
I have used the memory cold transfer method once in a prior military environment to crossload a crypto key into a telecomms device that wouldn't read the tape / swipe card. The crypto custodian dude wasn't happy, but it got the job done… first we fix 'em
</quote>

Good to know. :)

I guess that the proper approach (for a PC's RAM) would probably be that of building a hardware "RAM reader" device, sort of a hardware write blocker, capable of cloning the frozen memory - something like those cheap SIM card readers/cloners do (example):
http://www.netpcdirect.co.uk/mobile-phone-gadgets/sim_tools.html
or something like a battery-backed RAM card, like the Gigabyte i-RAM, but with sockets to hold the various RAM stick types:
http://www.gigabyte.eu/Products/Storage/Products_Overview.aspx?ProductID=2180&ProductName=GC-RAMDISK

jaclaz

 
Posted : 23/04/2010 5:21 pm
digintel
(@digintel)
Posts: 51
Trusted Member
 

<quote>
I guess that the proper approach (for a PC's RAM) would probably be that of building a hardware "RAM reader" device, sort of a hardware write blocker, capable of cloning the frozen memory - something like those cheap SIM card readers/cloners do (example):
http://www.netpcdirect.co.uk/mobile-phone-gadgets/sim_tools.html
or something like a battery-backed RAM card, like the Gigabyte i-RAM, but with sockets to hold the various RAM stick types:
http://www.gigabyte.eu/Products/Storage/Products_Overview.aspx?ProductID=2180&ProductName=GC-RAMDISK
jaclaz
</quote>

Jaclaz,
that would be ideal! Since I didn't have that kind of equipment, I just used a Helix boot CD and an adapted USB stick. Froze the memory, rebooted the machine and... guess what, it worked!

Well, sort of... I got most of the RAM imaged, used Foremost to grep through it, and got some nice pictures out of the RAM, including some incriminating ones :-) The boot CD started a very small bootloader, which started a small program that tried to image all RAM. I'm not sure it would work for data as small as passwords, because some of the RAM gets overwritten by the bootloader and the imaging program.

I'll see if I can find the notes I took then, it wasn't too difficult if you know your way around Helix/Linux. Oh, and be sure to hit the escape key if the machine reboots and tries to check the RAM, otherwise it may overwrite certain locations.

Roland

 
Posted : 03/05/2010 4:38 am
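An added example, not from any poster in this thread, for the two points above: the paper's claim that DRAM contents decay gradually rather than vanish, and Roland's observation that the imaging bootloader itself overwrites part of RAM. It compares a known pattern written before power-off with the captured image, reports the bit error rate per page, and separates pages that merely decayed (bits fell toward the ground state, assumed here to be 0 for every cell, which real modules do not guarantee) from pages the loader clobbered (bits changed in both directions). Both images are constructed in the script; `PAGE`, `make_pattern` and `simulate_capture` are assumptions for this demonstration, not tools from the page.

```python
"""Measure DRAM remanence in a captured memory image (constructed example)."""
import random

PAGE = 4096  # assumed region size for the per-page report

def make_pattern(size, seed=1):
    """Constructed 'before' image: pseudo-random bytes that filled RAM before power-off."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))

def simulate_capture(before, decay_rate, overwritten, seed=2):
    """Constructed 'after' image: each 1-bit decays to 0 with probability decay_rate
    (toy model, single ground state); pages in `overwritten` are replaced by loader
    code, modelled as random bytes."""
    rng = random.Random(seed)
    out = bytearray(before)
    for i in range(len(out)):
        if i // PAGE in overwritten:
            out[i] = rng.getrandbits(8)
            continue
        b = out[i]
        for bit in range(8):
            if b & (1 << bit) and rng.random() < decay_rate:
                b &= ~(1 << bit)
        out[i] = b
    return bytes(out)

def bit_flips(before, after):
    """Count (ones_to_zeros, zeros_to_ones) flips between two equal-length byte strings."""
    o2z = z2o = 0
    for b, a in zip(before, after):
        o2z += bin(b & ~a & 0xFF).count("1")
        z2o += bin(~b & a & 0xFF).count("1")
    return o2z, z2o

def classify_pages(before, after):
    """Per page: (offset, 'intact'|'decayed'|'overwritten', bit error rate)."""
    report = []
    for off in range(0, len(before), PAGE):
        o2z, z2o = bit_flips(before[off:off + PAGE], after[off:off + PAGE])
        ber = (o2z + z2o) / (8 * min(PAGE, len(before) - off))
        if o2z + z2o == 0:
            kind = "intact"
        elif z2o == 0:  # decay only ever clears bits in this model
            kind = "decayed"
        else:           # bits set as well as cleared: something wrote here
            kind = "overwritten"
        report.append((off, kind, ber))
    return report

if __name__ == "__main__":
    before = make_pattern(4 * PAGE)
    after = simulate_capture(before, decay_rate=0.005, overwritten={2})
    for off, kind, ber in classify_pages(before, after):
        print(f"page @0x{off:05x}: {kind:11s} BER={ber:.4f}")
```

On a real capture you would substitute the pattern file you loaded before power-off and the image the boot CD wrote; pages reported as overwritten mark the regions where small items such as passwords cannot be expected to survive the acquisition itself.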
nlpd120
(@nlpd120)
Posts: 96
Trusted Member
 

A friend of mine (into radio/transistors) pointed out to avoid spraying the RAM chip directly; maybe place a piece of paper over the RAM first. That way you're not getting the liquid directly on the chip. I haven't tried it, but it made sense to me.

Chris

 
Posted : 10/05/2010 8:25 am