How do people recover data from RAM?


I'm just curious. I've read about law enforcement and whatnot recovering incriminating data from RAM to get evidence, but how is it done? What kind of equipment would one need to recover files from a stick of RAM?

steini

Posted 2010-12-29T17:04:45.080

Reputation: 365

Answers


Freeze the chip, pop it into another computer, and run the Linux command dd to copy the raw data to disk.

After you have the raw data, copy it to a new partition using dd again and run an undelete program on the partition. Undelete should pull out any files that fall under a recognizable format (e.g. pictures). The rest could be further processed, but not easily unless you know what you're looking for.

I can't say that I've done this myself but it's not hard to imagine how it's done.

Check out this video that Daniel Beck posted in the comments to see a demonstration of how to crack hard drive encryption using this method.

Evan Plaice

Posted 2010-12-29T17:04:45.080

Reputation: 1 387


That board contains a link to a page on Ed Felten's CITP site with the original research on the topic.

– Daniel Beck – 2010-12-29T17:36:50.160

This is not "law enforcement", it's something that can be done under controlled conditions. If you have that kind of access to the computer (a few minutes and some liquid nitrogen), why not keep it from turning off? – Nifle – 2010-12-29T17:38:01.053

@Nifle There's probably someone with substantial interest in turning his computer off moments before being pinned to a nearby surface. Also, it's rather recent research, and much of that isn't about immediate practical applications. – Daniel Beck – 2010-12-29T17:40:09.697

@Daniel - Well, the police are one thing. CSI (the TV show) are probably the only ones capable of doing what the paper describes outside a laboratory. – Nifle – 2010-12-29T17:42:33.823

@Nifle Not true. It doesn't take any special tools to accomplish. An air-spray can (to cool the chip) and a minimal Linux install that includes a few necessary (and freely available) tools running on a USB drive or separate computer is all it takes. – Evan Plaice – 2010-12-29T17:50:50.583

@Evan - Your link is broken – Nifle – 2010-12-29T18:08:01.483

But if you boot the computer with the RAM, wouldn't that erase everything on it during POST? – steini – 2010-12-30T14:02:13.103

@steini If your BIOS has the option to 'quick boot' (which most if not all should these days), set it to skip the POST check. – Evan Plaice – 2010-12-31T00:17:40.687
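The answer above stops at "run an undelete program on the partition". The following is an added example, not code from the answer or from any forensics tool, of what that carving step actually does on a raw RAM image: it walks the dump looking for file signatures and, for PNG, validates every chunk CRC up to IEND so that a stray signature in random memory is not reported as a file. It assumes the dump has already been captured (e.g. with dd, as the answer describes) into a flat byte string; the sample dump, the 1x1 PNG and the JPEG-shaped stub inside it are all constructed inline for the demonstration.

```python
"""Carve recognisable files out of a raw memory dump (added example)."""
import random
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8\xff\xe0"   # SOI immediately followed by an APP0 (JFIF) marker
JPEG_EOI = b"\xff\xd9"


def _walk_png(dump, start, max_size):
    """Follow PNG chunks from `start`, verifying each CRC.
    Returns the offset just past IEND, or None if the structure breaks."""
    pos = start + len(PNG_SIG)
    limit = min(len(dump), start + max_size)
    while pos + 12 <= limit:
        (length,) = struct.unpack(">I", dump[pos:pos + 4])
        ctype = dump[pos + 4:pos + 8]
        data_end = pos + 8 + length
        if data_end + 4 > limit:
            return None
        data = dump[pos + 8:data_end]
        (crc,) = struct.unpack(">I", dump[data_end:data_end + 4])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            return None          # corrupted, or a false-positive signature
        pos = data_end + 4
        if ctype == b"IEND":
            return pos
    return None


def carve(dump, max_size=16 * 1024 * 1024):
    """Return [(kind, offset, bytes)] for every PNG and JPEG found in `dump`."""
    found = []
    pos = dump.find(PNG_SIG)
    while pos != -1:
        end = _walk_png(dump, pos, max_size)
        if end is not None:
            found.append(("png", pos, dump[pos:end]))
        pos = dump.find(PNG_SIG, pos + 1)
    pos = dump.find(JPEG_SOI)
    while pos != -1:
        # JPEG has no length field; take everything up to the next EOI marker.
        end = dump.find(JPEG_EOI, pos + len(JPEG_SOI), pos + max_size)
        if end != -1:
            found.append(("jpeg", pos, dump[pos:end + 2]))
        pos = dump.find(JPEG_SOI, pos + 1)
    return sorted(found, key=lambda f: f[1])


def _png_chunk(ctype, data):
    return (struct.pack(">I", len(data)) + ctype + data
            + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF))


def build_sample_dump(seed=1):
    """Constructed stand-in for a RAM image: random filler with a minimal
    1x1 RGB PNG and a JPEG-shaped stub embedded at known offsets."""
    rng = random.Random(seed)

    def filler(n):
        # values 0..254 only, so the filler can never contain a JPEG marker
        return bytes(rng.randrange(0, 0xFF) for _ in range(n))

    png = (PNG_SIG
           + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
           + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))
           + _png_chunk(b"IEND", b""))
    jpeg = JPEG_SOI + b"\x00\x10JFIF\x00" + filler(64) + JPEG_EOI
    dump = filler(4096) + png + filler(2048) + jpeg + filler(1024)
    expected = [("png", 4096, png), ("jpeg", 4096 + len(png) + 2048, jpeg)]
    return dump, expected


if __name__ == "__main__":
    dump, _ = build_sample_dump()
    for kind, off, blob in carve(dump):
        print(f"{kind} at offset {off:#x}, {len(blob)} bytes")
```

On a real image you would replace `build_sample_dump()` with `open("ram.img", "rb").read()` (or a memory-mapped view for multi-gigabyte dumps). The CRC walk is what separates a carver from a plain signature grep: memory is full of byte sequences that happen to look like a header, and only a structurally consistent file is worth writing out.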


You can't (in practice). RAM needs to be constantly refreshed to keep "remembering"; when the computer is turned off, the charge leaks out after a minute or so.

From Wikipedia:

Dynamic random access memory (DRAM) is a type of random access memory that stores each bit of data in a separate capacitor within an integrated circuit. Since real capacitors leak charge, the information eventually fades unless the capacitor charge is refreshed periodically. Because of this refresh requirement, it is a dynamic memory as opposed to SRAM and other static memory.

The main memory (the "RAM") in personal computers is Dynamic RAM (DRAM), as is the "RAM" of home game consoles (PlayStation, Xbox 360 and Wii), laptop, notebook and workstation computers.

The advantage of DRAM is its structural simplicity: only one transistor and a capacitor are required per bit, compared to six transistors in SRAM. This allows DRAM to reach very high densities. Unlike flash memory, it is volatile memory (cf. non-volatile memory), since it loses its data when power is removed. The transistors and capacitors used are extremely small—millions can fit on a single memory chip.

Nifle

Posted 2010-12-29T17:04:45.080

Reputation: 31 337


The keyword is "eventually". This research paper http://citp.princeton.edu/memory/ shows that RAM keeps its contents for a few seconds to a few minutes after it loses power, even after it is removed from the motherboard, which is long enough for an attacker with physical access to the machine.

– j-g-faustus – 2010-12-29T17:42:37.887

@j-g-faustus If you have access to the computer, why turn it off? – Nifle – 2010-12-29T17:43:50.017

@Nifle If it's locked you won't be able to see what files the user is currently using. You could restart it and (if you're using Windows) hack your way around the password, but only if the drive isn't encrypted. With the right tools and a freshly plucked RAM chip, you can even crack the hard drive encryption key by reading the RAM. In the fields of security and forensics, these little techniques can be extremely useful. – Evan Plaice – 2010-12-29T17:48:32.100

@Nifle To place it in a controlled environment and prevent software on that system from running. Basically the same reason they don't start your machine, but take the hard drive and dump its contents first. – Daniel Beck – 2010-12-29T17:49:47.570


@Evan The source for your comment.

– Daniel Beck – 2010-12-29T17:50:28.100

They use this attack to steal cryptographic keys from RAM to get access to encrypted files on disk. You can't read the files in the normal fashion since you don't have the password, but the OS needs a password as well (otherwise it couldn't read the disk), so this is a way to steal the OS key. (To the best of my knowledge, as much detail as you want in the paper.) – j-g-faustus – 2010-12-29T17:52:58.740

@Daniel thanks for the links. I have never tried this before but I've always wondered exactly how it's implemented. You're a wealth of knowledge. – Evan Plaice – 2010-12-29T17:55:21.077

@Evan - I still think it's more "normal situations" the OP is referring to. "The cops show up and take your computer." and not "Seconds after you shut your computer the DHS storms your apartment and a few seconds later they have your computer dismantled in their portable RAM extraction lab" – Nifle – 2010-12-29T17:59:42.353

@Nifle Of course it's easier to get data off an (unencrypted) hard disk, but it's still possible. Severe limitations on the practicality, which the other answer mentions, but still. I even remember reading that some police are able to get your desktop machine to their lab without cutting power, to prevent startup scripts from running. Law enforcement are constantly upgrading their bag of tricks. – Daniel Beck – 2010-12-29T18:03:54.507

@Nifle Read whatever inferences into the OP's question that you want. The point is, it can be done easily and they don't need to storm anything, they just need a computer that is still running and the right software tools to extract the encryption keys once it has been transferred to another computer and copied to the hard drive. In the field of forensics, it's another tool for the toolbox. – Evan Plaice – 2010-12-29T18:06:47.337


DRAM cells store electrical charges. They are leaky, so as was mentioned, they need to be refreshed.

There are manufacturing tolerances, and the influence of temperature and component age, that will define the ACTUAL time it takes for a DRAM cell to be no longer readable reliably if it has not been refreshed. The refresh specification for a given DRAM chip will actually be a worst-case value - something that will keep your data readable with Monday-production chips that have been running at maximum temperature for 20 years, more or less. In most cases, the cell can keep the data far longer.

In addition, the circuitry inside a DRAM chip decides whether to read the amount of charge in a given cell as "0" or "1" (in some designs, that might be reversed - low charge means "1"). Charge content that is not high enough to be read as "1" is still in the cell - and in some cases, by running the DRAM chip with an out-of-spec operating voltage (which might stress it, or make it far slower, but will not yet destroy it), the threshold voltage on which 1 is decided from 0 can be manipulated temporarily, so some or all cells become readable again.

Also, unless there is actually an output register, there might be subtle voltage or waveform differences even in the quantized (switched to 1 or 0) output signal that can give you a hint at what charge is actually in the cell - comparators (which read amplifiers are) are rarely perfect quantizers, especially if they are built for speed not precision.

Also, if a cell reads unreliably, a determined attacker or forensicist can still use statistics to his advantage (count how many times a 0 or 1 is read, and correlate)...

rackandboneman

Posted 2010-12-29T17:04:45.080

Reputation: 670
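Two threads above come together in one piece of code: j-g-faustus's comment that the cold-boot attack is used to pull the disk encryption key out of RAM, and the last answer's point that a decayed image still has errors an attacker can work around. The example below is added here and is not code from any of the answers or from the Princeton research; it follows the same idea as that research, which is to search the image for an expanded AES key schedule rather than for the 16-byte key alone, because the 160 bytes of round keys that follow a real key are fully determined by it and so a candidate can be checked with zero prior knowledge. It tolerates a bounded number of flipped bits in the round keys, which is what a partially decayed chip produces. Assumptions: the schedule was resident as one contiguous 176-byte block (how most AES implementations keep it), the original 16-byte key is itself intact, and decay is modelled as bits dropping to 0; the memory image, key and decay pattern are constructed inline.

```python
"""Find AES-128 keys in a decayed memory image via their key schedule
(added example)."""
import random


def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r & 0xFF


def _build_sbox():
    """Derive the AES S-box: multiplicative inverse followed by the affine map."""
    inv = [0] * 256
    for a in range(1, 256):
        for b in range(1, 256):
            if _gf_mul(a, b) == 1:
                inv[a] = b
                break
    sbox = []
    for a in range(256):
        x = s = inv[a]
        for _ in range(4):
            x = ((x << 1) | (x >> 7)) & 0xFF
            s ^= x
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()


def _round_keys(key):
    """FIPS-197 key expansion, yielding the 11 round keys of AES-128 one at a
    time so a search can abort early on a hopeless candidate."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    yield bytes(key)
    rcon = 1
    for r in range(1, 11):
        for i in range(4 * r, 4 * r + 4):
            t = w[i - 1][:]
            if i % 4 == 0:
                t = t[1:] + t[:1]              # RotWord
                t = [SBOX[b] for b in t]       # SubWord
                t[0] ^= rcon
                rcon = _gf_mul(rcon, 2)
            w.append([x ^ y for x, y in zip(w[i - 4], t)])
        yield bytes(b for word in w[4 * r:4 * r + 4] for b in word)


def expand_key(key):
    """16-byte key -> 176-byte schedule."""
    return b"".join(_round_keys(key))


def _bit_errors(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def find_aes128_keys(dump, max_bad_bits=0):
    """Treat every 16-byte window as a candidate key, expand it, and compare
    the expansion with the 160 bytes that follow in the dump. Returns
    [(offset, key, flipped_bits)] for windows within `max_bad_bits`."""
    hits = []
    for off in range(len(dump) - 176 + 1):
        rks = _round_keys(dump[off:off + 16])
        next(rks)                              # round 0 is the candidate itself
        bad = 0
        for r, rk in enumerate(rks, 1):
            bad += _bit_errors(rk, dump[off + 16 * r:off + 16 * r + 16])
            if bad > max_bad_bits:
                break                          # random data fails within 2 rounds
        else:
            hits.append((off, bytes(dump[off:off + 16]), bad))
    return hits


def build_sample_dump(seed=7, decay_rate=0.02):
    """Constructed memory image: filler, a key plus its schedule, filler.
    Bits of rounds 1..10 are cleared with probability `decay_rate` to model
    cells leaking toward a ground state of 0 (a modelling assumption)."""
    rng = random.Random(seed)
    key = bytes(rng.randrange(256) for _ in range(16))
    sched = bytearray(expand_key(key))
    for i in range(16, 176):                   # the key bytes stay intact
        for bit in range(8):
            if rng.random() < decay_rate:
                sched[i] &= ~(1 << bit) & 0xFF
    filler = lambda n: bytes(rng.randrange(256) for _ in range(n))
    return filler(1500) + bytes(sched) + filler(1500), key, 1500


if __name__ == "__main__":
    dump, key, offset = build_sample_dump()
    for off, k, bad in find_aes128_keys(dump, max_bad_bits=64):
        print(f"key {k.hex()} at {off:#x} ({bad} decayed bits)")
```

With an exact match required (`max_bad_bits=0`) the decayed schedule is missed; with a tolerance of a few dozen bits out of 1280 it is found, while unrelated windows accumulate roughly 64 mismatches per round and are discarded almost immediately. Once a key is recovered it is tried against the encrypted volume's key slots exactly as a known password would be; the disk never sees a brute-force attempt.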