67

Is it possible for RAM to retain any data after power is removed? I don't mean within a few minutes such as cold boot Attacks but rather 24 hours plus.

Working with classified systems the policy always seems to treat RAM the same as disks and must be removed and disposed of according to classification.

Is this a myth which has become standard practice or is there really a data security risk present?

I am assuming regular PC RAM designs over the past 20 years.

MattP
  • 1
    possible duplicate of [Recover the prior contents of RAM from a turned-off PC?](http://security.stackexchange.com/questions/10643) – BlueRaja - Danny Pflughoeft Sep 09 '15 at 21:39
  • 1
    I suggest adapting an [EtherKiller](http://www.fiftythree.org/etherkiller/) for use with a RAM slot. This should ensure that any "residual" data in the memory cannot be recovered. – Doktor J Sep 09 '15 at 22:44
  • 3
    Btw despite the answer being "there's no risk", I'd be wary of dismissing a precautionary measure as a "myth". Provided it's easy and cheap to destroy the RAM along with the storage, it may be better to do so than to rigorously prove that not doing so does not now and never will pose a risk. The military is quite comfortable in the "perhaps not necessary but undoubtedly sufficient" zone. – Steve Jessop Sep 10 '15 at 07:51
  • ["data retention of seconds to minutes at room temperature and "a full week without refresh when cooled with liquid nitrogen.""](https://en.wikipedia.org/wiki/Data_remanence#Data_in_RAM) – JimmyB Sep 11 '15 at 12:53
  • 4
    If your data was all zeros, then yes it certainly can retain your data after removal. – recursion.ninja Sep 11 '15 at 16:23
  • You did say regular designs, but I think it is worth mentioning that in the near future system designs are likely to have a couple gigabytes of fast SRAM on the CPU chips as last level cache and system RAM will be non-volatile RAM like XPoint or memristor. – Zan Lynx May 20 '16 at 16:30
  • @recursion.ninja an explanation would be helpful. – roottraveller Jul 17 '17 at 09:32

7 Answers

75

This 2013 article analyses retention time for several DRAM chips. Among the relevant information, one may list the following:

  • Retention time depends on a lot of things, including the values of neighbouring bits. A DRAM bit is a potential well, and it loses its contents by moving charges from or into neighbouring areas, so whether there is room in these neighbours matters.

  • Temperature is very important for retention time (which is why cold-boot attacks insist on cold: if you plunge the machine in liquid nitrogen, you can keep the charges in place for substantially longer).

  • At room temperature, typical retention time is counted in milliseconds, at best a few seconds, and, more importantly, the discharge is exponential in nature (it goes in e^(-Ct) for some constant C), as could be expected (capacitors also work that way). So the remaining charge after 2 minutes will be half that after 1 minute; after 10 minutes you are down to a thousandth of the initial charge; after 20 minutes, a millionth; after 30 minutes, a billionth.

To sum up: 24 hours... forget it. You won't find meaningful data in DRAM that has been kept unpowered, at room temperature, after 24 hours (even if the room is, say, in Canada).


This is for DRAM, where a stored bit can be envisioned as a charged capacitor. This is the kind of RAM commonly found in PCs for the last 20 years.

There also exists SRAM, where each bit is stored as the current state of a bistable circuit that consists of 6 transistors. SRAM is substantially faster than DRAM; it is also a lot more expensive. In PCs, SRAM is used for cache (usually integrated in the CPU). Without power, SRAM loses any trace of its contents within microseconds.


There are some stories about bits being "burned" into RAM when the same value is stored for a long time in a specific emplacement in a chip. To the best of my knowledge, these stories are exactly that: stories. They come from "thought by analogy", by people who think of RAM in the same way as they think about CRT displays (which could have "burn-in" effects, hence the development of "screensavers"). I am not aware of any case where such stories were ever substantiated.

But fears and doubts are powerful forces that cannot always be dispelled by the strongest logic.

Tom Leek
  • 8
    You are right with saying it's exponential, but apply that wrongly (but overly optimistic, which is fine): Your calculations for 2 and ten minutes are based on the assumption that in the first minute only half the charge is lost - whereas you just said the retention time is counted in milliseconds or seconds. – Hagen von Eitzen Sep 09 '15 at 20:31
  • 1
    I don't think SRAM data necessarily vanishes faster than DRAM data. If one were to load font-bitmap data into the $1C00-$1DFF range on the VIC-20, power it down for a couple seconds, and power it back up again, many bits would be corrupted but some of the data would still be recognizable. – supercat Sep 09 '15 at 21:05
  • 4
    I encountered a design for burned RAM. Somebody figured out how to adjust the null potentials of RAM so it would come up with a pre-loaded image on powerup without needing a separate ROM chip. Don't know if it ever got used. – Joshua Sep 09 '15 at 21:44
  • 14
    "people who think of RAM in the same way as they think about CRT displays" -- speaking of which, does the military in fact dispose of CRTs from classified systems by thorough destruction, just in case classified information is burned into them? – Steve Jessop Sep 10 '15 at 07:47
  • @Joshua that sounds pretty cool - any links or even search terms you could share? – Joe Lee-Moyet Sep 10 '15 at 10:25
  • 1
    I've gotta +1 for 'screen savers' you've changed my life. – Alec Teal Sep 10 '15 at 12:37
  • @supercat: when you shut the power from the motherboard, there is some remaining charge in the capacitors in the board. The voltage drops sharply so the CPU stops, but the remaining charge can keep static RAM "alive" for a few seconds. The manual for my computer from that era (a Thomson MO5) explicitly recommended keeping the power off for at least 5 seconds when doing a power-cycle. – Tom Leek Sep 10 '15 at 12:47
  • @yjo: Sorry it's pre-internet to me. I have a circuit diagram somewhere but it would take days to find it. – Joshua Sep 10 '15 at 15:14
  • 1
    @SteveJessop I can't speak for CRTs; but LCDs need to be inspected to make sure there isn't any image persistence (similar to burn in but can be reversed by looping video for long enough and more common on older panels) before they can be disposed of as unclassified. There's one LCD in the lab I work in that's been sitting around for years after the back light failed preventing us from following the normal procedure to make sure it's safe to dispose of. When the program ends, it'll probably end up going back to the govt by default along with any other material we can't dispose of ourselves. – Dan Is Fiddling By Firelight Sep 10 '15 at 19:24
  • 3
    lol @ the ram being in Canada. Both funny and depressing comment as I prepare for at least 8 months of cold. –  Sep 10 '15 at 20:26
  • 2
    Interested but unrelated side note: once upon a time you probably could burn in to RAM like you can with a CRT because at one time CRTs were actually used as RAM. https://en.wikipedia.org/wiki/Williams_tube – Kaithar Sep 11 '15 at 00:50
  • 1
    What if RAM is bugged and actually contains a concealed flash memory? In case of destroy-all-chips policy it won't work, but if you trust that it is indeed the technology you expect, the data may leak. – Vi. Sep 11 '15 at 01:54
  • @TomLeek: Unless VDD is driven negative, each bit of a CMOS SRAM will have two nodes, one grounded and one with nothing to pull it below about 0.7 volts except leakage (for which the design goal is to have none). If VDD is raised slowly, it won't take much imbalance between the two nodes to tip the balance toward the proper bit being set. If VDD is raised quickly, process variations may have a stronger influence on startup behavior than latent charges, but I don't think there's any particular hard limit as to when one would be able to guarantee that information was gone. – supercat Sep 11 '15 at 02:20
  • 1
    If people think in analogies and understand screen savers, maybe it's time to start selling RAM savers that randomly shuffle contents around in RAM (aka the world's most expensive busy loop). – musiKk Sep 11 '15 at 08:07
  • My local US embassy disposed of all the RAM from disused computers before they were auctioned off publicly. – Filip Dupanović Sep 11 '15 at 16:20
  • GREAT IDEA! I will shortly be releasing my RAM Saver™ software product!!! – ErikE Sep 11 '15 at 16:30
  • `At room temperature, typical retention time is counted in milliseconds` This isn't true. Modern DRAM refreshes at 64ms intervals, but can still retain information for significantly longer (at the risk of more bitflips). To the best of my knowledge, even the most volatile DRAM takes on the order of seconds to begin to degrade to unrecoverable levels. – forest Dec 11 '17 at 00:53
  • And @supercat is right. While in theory, SRAM may lose information instantly upon power removal, at least one device was even found to have some remnants _weeks_ later. And an unrelated but fun fact: CMOS RAM can be "frozen" in place if blasted with a certain wavelength in the X-ray spectrum. Useful for attacking secure microcontrollers. – forest Dec 11 '17 at 03:17
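
The exponential model in the answer above, as an added simulation that is not part of the original thread. It assumes each charged cell survives independently with probability e^(-Ct) and decays toward a ground state of 0; the 60-second half-life is the value implied by the answer's own arithmetic, and `half_life` is a parameter because the comments dispute it. It also shows that an all-zero buffer reads back unchanged while carrying no information.

```python
import math
import random

GROUND = 0  # assumption: every cell decays toward logic 0


def survival_probability(t, half_life):
    """Chance a charged cell still reads as charged after t seconds: e^(-C*t)."""
    c = math.log(2) / half_life  # decay constant C derived from the half-life
    return math.exp(-c * t)


def decay(bits, t, half_life, rng):
    """Bits as read back after t seconds without power or refresh."""
    p = survival_probability(t, half_life)
    return [b if b == GROUND or rng.random() < p else GROUND for b in bits]


def bit_error_rate(original, readback):
    """Fraction of positions where the readback differs from what was stored."""
    wrong = sum(1 for a, b in zip(original, readback) if a != b)
    return wrong / len(original)


def seconds_until(fraction, half_life):
    """Power-off time after which only `fraction` of charged cells survive."""
    return half_life * math.log2(1 / fraction)


def demo(seed=1):
    rng = random.Random(seed)
    secret = [rng.getrandbits(1) for _ in range(4096)]  # constructed sample data
    zeros = [0] * 4096                                  # already at ground state
    half_life = 60.0  # assumption: one-minute halving, as in the answer's figures
    rows = []
    for minutes in (1, 2, 10, 20, 30):
        t = minutes * 60
        rows.append((minutes,
                     survival_probability(t, half_life),
                     bit_error_rate(secret, decay(secret, t, half_life, rng)),
                     bit_error_rate(zeros, decay(zeros, t, half_life, rng))))
    return rows


if __name__ == "__main__":
    for minutes, p, ber_secret, ber_zeros in demo():
        print(f"{minutes:>3} min  surviving={p:.3e}  "
              f"BER(random)={ber_secret:.3f}  BER(zeros)={ber_zeros:.3f}")
```

Once nearly every charged cell has decayed, the error rate on random data settles near 0.5, which is what guessing would give; the zero buffer shows no errors only because its contents already matched the ground state.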
21

There are mechanisms that could result in data remanence in DRAM beyond the charge stored in the gates (which is typically gone in seconds, especially at normal elevated operating temperature). One is movement of ionic contaminants which can cause slight shifts in thresholds. This could be the 'burn in' that Tom's answer refers to. There may not be any practical way to recover data, but I don't think we can dismiss the possibility out-of-hand.

There is a paper on it here: "Data Remanence in Semiconductor Devices", Peter Gutmann, IBM T.J. Watson Research Center.

Kevin Mark
Spehro Pefhany
  • 11
    @GuntramBlohm To me this sounds like an answer. Paraphrased, it says: "There's no commonly known way to extract the data, but there's enough risk to dispose of ram carefully if people could die if the data leaked." – Patrick M Sep 10 '15 at 17:08
6

In theory any device can store anything, because it is spec'd to meet an interface, not spec'd for its implementation. Realistically speaking, the answer is more murky. This, by the way, is where SSDs get so interesting because there is no accepted way to tell a SATA SSD to "wipe everything" (edit: no way that is reliably trustworthy, at least).

From what I understand, with any classified hardware, one has "declassification instructions" to declassify the hardware after it is no longer needed. These typically come in the form of a letter from the vendor indicating what operations must be taken before the vendor considers the data irrecoverable. For many devices, this comes in the form of "unplug from power for X seconds," indicating the range of time the government feels memory is volatile enough to warrant special handling. For a long time, the process for hard drives was to run a particular series of wipes, but the process was so brutal few hard drives survived, so they were often just destroyed instead.

One reason one may elect to destroy hardware rather than declassify it is if the cost of acquiring those letters from the vendor is too great compared to the value of the product. If a server farm's worth of RAM is expected to be worth a mere $1000 after depreciation, it might be cheaper to just throw it in the wood chipper when you're done.

Final detail: how valuable is your product? If it's worth a mere $10 million dollars, you'll find unplugging the RAM at room temperature for a minute or two more than sufficient. If it's worth several hundred billion, you may want to consider the wood chipper. If it's beyond monetary cost, well, it's your threat model. Do as you see fit.

Cort Ammon
  • *This, by the way, is where SSD's get so interesting because there is no accepted way to tell a SATA SSD to "wipe everything".* What about the Secure Erase command, though? – user541686 Sep 11 '15 at 16:42
  • @Mehrdad There is the Secure Erase command. However, its actual behavior is unspecified. For the class of individuals worried about ram retaining its contents, the "This command says to erase everything" is insufficient to allay fears. It is currently presumed by many that you need to confer with the vendor to determine if their particular implementation of the Secure Erase command for that particular model is sufficient for one's needs. – Cort Ammon Sep 11 '15 at 17:17
  • Sure but that's not the same as the problem you pointed out in your answer. In the answer you said the problem is that there is no way to TELL the SSD to erase everything, but in your comment you're saying that "telling" is possible, but insufficient. Your comment seems fine but your answer seems wrong. – user541686 Sep 11 '15 at 17:47
  • @Mehrdad Good point. I've added an edit to soften the wording a bit. Thanks! – Cort Ammon Sep 11 '15 at 18:53
  • Cool, nice, but now I don't get why this is an SSD issue. Isn't the problem you're mentioning the same for *any* storage medium -- hard disk, tape, etc.? You're basically saying you can't trust the hardware, and if that's the case then you can't really trust anything ever. – user541686 Sep 11 '15 at 19:09
  • @Mehrdad SSDs in particular are known to practice "load balancing" to maximize the lifespan of flash memory. With a HDD, the magnetic medium can be explicitly overwritten, sector by sector, because most HDDs don't play games with that. SSDs offer no such process, so there is no way to guarantee any given flash block gets overwritten N times. In theory any hardware could do such games, but in practice, SSDs actually *do* do those games, so as a class of hardware, they are considered more troublesome than others. – Cort Ammon Sep 11 '15 at 20:50
  • 1
    Well, HDDs do reallocation, but generally only when blocks start failing checksums. SSDs (and lesser flash devices) do it continually, for wear leveling. And even on tapes where there was no logical addressing system, explicit overwrite may not completely destroy the old data, as the head alignment starts to drift there can be a thin ribbon left along the edge with the old content. Erasing things is hard. – Ben Voigt Sep 11 '15 at 23:31
4

No. Though the UK may differ, the US seems to be just fine with simple power removal for sanitizing RAM in classified systems. NSA/CSS Policy Manual 9-12 states:

Sanitize DRAM (dynamic random-access memory), SRAM (static random-access memory), and Volatile FPGA by removing the power, including backup batteries. Once power is removed, sanitization is instantaneous.

Check the Solid State Storage section here.

2

In theory data can be recovered as individual bit probabilities (i.e. 62% 1) by measuring the time it takes a given bit to drop to logic 0 without refresh. This was feasible up to about 256MB RAM but the newer geometries are so small (<50nm) that the number of electrons makes this unfeasible. About the only use would be recovering partial encryption keys prior to bruteforcing to reduce the keyspace, i.e. 50% of a 2048 bit RSA key with reasonable fidelity would reduce the time to break it by a few years. Note that this still requires a massive stroke of luck such as immediately powering off the system under attack and reinitializing the memory at <-70C within 5 minutes in a specialist test jig with analogue circuitry to read back the subtle timings needed.

I have heard of cases where data was accidentally written to the SPD chip and then erased; these chips are low density Flash and potentially recoverable with the right tools even if the RAM itself is wiped.

Conundrum
  • For RSA, 50% of the private key would actually make it _trivial_ to break, since even only one of the two primes gives you enough information to calculate the remaining prime with a single division. – forest Nov 02 '18 at 02:57
1

A RAM is a set of transistors and capacitors. Transistors are used to amplify electrical signals, whereas the capacitors are what actually store the data, temporarily. The information stored by such elements is volatile, meaning it is no longer available a few (approximately 5) minutes after it is powered off.

0

I hate adding this so long after the fact but it is important for people working in security to consider after reading the comments above.

User (WhatPlantsCrave) posted good info about SRAM and I wanted to give more about where you will find this memory and another common name people use.

NVRAM or non-volatile RAM (also SRAM mentioned above) will retain data until it is deleted or disconnected from the battery. Appliance related equipment such as switches, routers, other equipment often use NVRAM to store configurations. These configurations will often have the passwords (either in clear text or a hash). Administrators can and should use secret levels to secure the password in a hash in most cases. The issue can arise when older equipment is donated or placed in the trash with the SRAM and internal battery intact. If a person or group were determined enough they could potentially get that password or the hash (running the hash against a rainbow table) and get enough information to be a threat to your organization. There are many other scenarios, designs, and things to consider.

The point of this post is to be aware when you are clearing out old equipment and to consider the potential of SRAM being in the device.