, , , , , , , , , , , , ,

Most of us are taught that a computer’s system memory is completely and immediately erased after a computer is switched off, but in reality the contents of a RAM chip degrades over a period of time, and it takes up to 10 minutes in some experiments for it to disappear completely. This allows a period of time where data recovery is possible, perhaps by live analysis using another OS loaded on the target machine that doesn’t overwrite the memory.
The rate of memory loss in system memory depends on the amount of electron activity within the chip and its capacitance, which is determined largely by its temperature. In theory, the data can be well preserved for a substantial period by cooling the chip to around -80 degrees Celcius.

This has everything to do with encryption, as a research group at Princeton University managed to acquire the keys from system memory for BitLocker, FileVault and dm-crypt using this method. Pontentially, keys for anti-piracy systems that rely on encryption can also be acquired this way. The materials to do this are available at little cost, and a couple of programs have also been created for acquiring the data directly from system memory – ram2usb by the Princeton University research group, and msramdmp by McGrew Security. Those two programs are very basic so running them will have a minimal affect on the system memory. I imagine they’d also be configured to load at memory addresses that aren’t holding any important data.

As far as I’m aware, none of the developers of disk encryption have come up with countermeasures since the research was published back in 2008, such as code that wipes the key from its memory address during shutdown. Whether this is a security problem depends on whether the target is a shared computer, whether it’s left in standby mode after use, whether the BIOS is configured to prevent another OS being loaded, and to what degree the computer is physically protected. If the target system’s a laptop, the chances of someone getting mugged within 10 minutes of switching it off by a skilled attacker with the resources are very slim.

How easy would it be to use the RAM freezing technique at a crime scene? The answer is the same as above – the technique only works on a computer very recently used, so the biggest problem would be the delay between someone pulling the plug on a computer and the arrival of a trained analyst. Another issue would be the criteria in the ACPO Guidelines that any action must (or more accurately ‘should’) be taken by someone who’s competent and able to understand and explain the full implications of that action. This requires much further training. It’s likely to be another decade before RAM freezing becomes common in forensics, if it ever does.