
Memory or not?

14 Posts
11 Users
0 Likes
1,159 Views
(@clarkk)
Posts: 11
Active Member
Topic starter
 

For years I had been told not to bother getting a memory image for a machine that was turned off, shipped in and imaged a couple of days since last use. Lately, others have told me that memory retains enough data, even after being turned off to where it is still worthwhile to get it.

To the group here - agree or disagree and/or do you all get memory images as well as disk images if the device has been powered off?

 
Posted : 20/05/2019 5:34 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I'd suggest testing it.

Turn a system on, perform some actions, then shut it off. Later, turn it back on, dump memory and analyze it.

 
Posted : 20/05/2019 7:52 pm
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

Tricky question…

Once the computer has been powered off, how would you make a RAM image of it without turning it back on, which actually makes your evidence void?!

 
Posted : 20/05/2019 7:56 pm
(@c-r-s)
Posts: 170
Estimable Member
 

Lately, others have told me that memory retains enough data, even after being turned off to where it is still worthwhile to get it.

Maybe what they wanted to say is: in times of increasingly complex power management, don't rely on anyone's statement that the device is "powered off".

 
Posted : 20/05/2019 8:04 pm
watcher
(@watcher)
Posts: 125
Estimable Member
 

If the device runs from a battery (e.g. a laptop), there is the possibility that "turned off" is not truly powered down. Attempting to read memory in that case may be worth it but is not easily and cleanly done. Only very unusual circumstances would likely justify the effort.

 
Posted : 20/05/2019 8:28 pm
kastajamah
(@kastajamah)
Posts: 109
Estimable Member
 

I say do it. I had a workstation computer crash over the weekend a couple of years ago. When I came into work that Monday, my computer was off. When I powered on my computer and opened Word, my report did not recover. I imaged the RAM. I was able to recover most of my document from the RAM dump.

An instructor of mine was able to recover passwords from a RAM dump from a computer that had been powered off for over a year. You do not know what you will find until you do it.

 
Posted : 20/05/2019 9:27 pm
Passmark
(@passmark)
Posts: 376
Reputable Member
 

From a technical point of view it doesn't make much sense.

DDR RAM (DDR2, DDR3 & DDR4) requires a periodic "refresh" to hold the data. Typically this is around 64ms. Any longer than this and the data starts to fade away.

Details are here: https://en.wikipedia.org/wiki/Memory_refresh

So it is a bit hard to imagine that all those engineers got it wrong and a refresh period of days or years is all that is required.

What people might be seeing is:
1) Laptops might be asleep on battery power for many days.
2) System RAM being restored from hibernation file off disk as the machine boots. So the information contained in the RAM dump could have equally been collected from the hibernation file, without the need for a RAM dump.

 
Posted : 20/05/2019 10:08 pm
(@mrevoluter)
Posts: 14
Active Member
 

Wow... that's a bit of good discussion.
Depending on your question, one more question arises. Has the ICT device been seized on the spot, or was it just collected from a location of suspicion?

Major cases: if it is seized on the spot!
Well, the seizure procedure must have been carried out along with a memory dump. Oh, if not taken, take the image of the hard drive, create a new system and boot with the duplicate one. Definitely you are going to get a bon.

If it is seized on suspicion!!
Unless you get something while analysing the hard disk image, you can get along with the hiberfile and pagefile.

In a word, memory does contain lots of stored information, which comes out for forensic purposes.

 
Posted : 21/05/2019 3:04 am
(@athulin)
Posts: 1156
Noble Member
 

From a technical point of view it doesn't make much sense.

Much of the half-remembered 'RAM can be forensically acquired even after power down' may originate from the paper Halderman et al., Lest We Remember: Cold Boot Attacks on Encryption Keys (https://www.usenix.org/legacy/event/sec08/tech/full_papers/halderman/halderman.pdf).

Note, though, that they based their result on some rather special procedures:

In each trial, we loaded a pseudorandom test pattern into memory, and, with the computer running, cooled the memory module to approximately −50 °C. We then powered off the machine and maintained this temperature until power was restored.

Peter Gutmann (known from research of magnetic remanence) has also researched this area (http://static.usenix.org/events/sec01/full_papers/gutmann/gutmann.pdf). His paper is interesting because it shows physical changes of semiconductor devices, which in turn may affect memory content immediately after power on or be retrievable in other ways:

These include the effects of electrical stress on ionic contaminants and hot-carrier effects (which can be used to recover overwritten data or data from memory to which power has been removed), and electromigration effects (which can be used to determine, after indefinite time periods, which type of signal was most commonly carried by a particular part of a circuit). The latter would prove useful in recovering information such as the bit patterns of keys stored in special-purpose cryptographic devices —since the physical device is modified the bits can be recovered an arbitrary amount of time later even if the memory cells they were stored in have been successfully erased and trapped charges have bled away.

But he's not talking about general-purpose RAM content recovery.

 
Posted : 21/05/2019 5:44 am
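keydet89 proposes testing remanence empirically, and the Halderman et al. passage quoted above describes how they did it: load a pseudorandom pattern before power-off, dump memory after power-up, and measure how many bits survived. The script below is an added example illustrating that measurement; it is not code from either post or from the paper. It assumes an examiner records a fixed seed before shutdown, that the resulting dump is available as a byte string, and it builds a constructed sample dump with a few flipped bits so it runs offline.

```python
"""Measure DRAM remanence across a power cycle with a seeded test pattern.

Phase 1 (before shutdown): keep make_pattern() resident in memory and note
the seed.  Phase 2 (after power-up and acquisition): feed the raw dump to
remanence_report() to get the bit error rate and the direction of decay.
Added example code with hypothetical names; not from the thread or the paper.
"""
import random

PATTERN_SEED = 0x5EED   # assumption: a seed the examiner records before shutdown
PATTERN_LEN = 4096      # assumption: size of the marker region in bytes
ANCHOR_LEN = 32         # length of the prefix windows used to locate the region


def make_pattern(seed=PATTERN_SEED, length=PATTERN_LEN):
    """Deterministic pseudorandom pattern; the same seed reproduces it later."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def locate_pattern(dump, pattern, anchor_len=ANCHOR_LEN):
    """Return the offset of the marker region inside the dump, or None.

    Several anchor windows are tried so that a few decayed bits in one
    window do not hide the region; any single intact window is enough."""
    step = max(anchor_len, len(pattern) // 4)
    for anchor_off in range(0, len(pattern) - anchor_len + 1, step):
        window = pattern[anchor_off:anchor_off + anchor_len]
        hit = dump.find(window)
        if hit == -1:
            continue
        start = hit - anchor_off
        if start >= 0 and start + len(pattern) <= len(dump):
            return start
    return None


def remanence_report(dump, pattern):
    """Bit error rate of the recovered region and which way the bits decayed.

    Returns None when the pattern cannot be found at all (fully decayed or
    region not captured), which is itself a result worth recording."""
    start = locate_pattern(dump, pattern)
    if start is None:
        return None
    observed = dump[start:start + len(pattern)]
    flipped = one_to_zero = zero_to_one = 0
    for exp, obs in zip(pattern, observed):
        diff = exp ^ obs
        flipped += bin(diff).count("1")
        one_to_zero += bin(diff & exp).count("1")   # bit was 1, read back as 0
        zero_to_one += bin(diff & obs).count("1")   # bit was 0, read back as 1
    return {
        "offset": start,
        "bit_error_rate": flipped / (len(pattern) * 8),
        "one_to_zero": one_to_zero,
        "zero_to_one": zero_to_one,
    }


def build_sample_dump(pattern, flip_positions, filler_seed=1):
    """Constructed stand-in for a post-power-cycle dump: random filler on both
    sides of the marker region, with the given bit positions flipped."""
    rng = random.Random(filler_seed)
    before = bytes(rng.getrandbits(8) for _ in range(1000))
    after = bytes(rng.getrandbits(8) for _ in range(500))
    region = bytearray(pattern)
    for bitpos in flip_positions:
        region[bitpos // 8] ^= 1 << (bitpos % 8)
    return before + bytes(region) + after


if __name__ == "__main__":
    pat = make_pattern()
    # Constructed: three decayed bits, one of them inside the first anchor window.
    sample = build_sample_dump(pat, [5, 2000, 30000])
    print(remanence_report(sample, pat))
    print(remanence_report(build_sample_dump(b"", []), pat))  # pattern absent -> None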
(@trewmte)
Posts: 1877
Noble Member
 

Down the line I assume digital examiners in public or private may need to branch into IoT devices/boards such as e.g. Raspberry Pi and such like. Devices like these; some developers are known to use U-Boot and therefore a precise correlation between the U-Boot Startup Messages and the device may need some research before jumping into the examination.

Boot Loader Console Messages
These messages are generated by the initialization code when the U-Boot Universal Boot Loader runs. This U-Boot software presents a description of the hardware and CPU model. In a PC, the equivalent would be the BIOS; in a Macintosh, it would be the EFI Firmware. This brings up the hardware to a point where it can look for an operating system kernel and start that running. Press any key to halt the automatic loading of the operating system and interact with U-Boot to explore the XXXXX hardware.

U-Boot Startup Messages
U-Boot 2012.07-00020-g5430e19 (Dec 09 2015 - 113137) for XXXXXXX
CPU Exynos3250 [Samsung SOC on SMP Platform Base on ARM CortexA7]
APLL = 700MHz, MPLL = 800MHz
Board XXXXXXX
DRAM 504 MiB
WARNING Caches not enabled

Might save time, who knows….

 
Posted : 21/05/2019 7:26 am
Page 1 / 2
Share: