Memory or not?

  

ClarkK
Member
 

Memory or not?

Post Posted: May 20, 19 17:34

For years I had been told not to bother getting a memory image for a machine that was turned off, shipped in and imaged a couple of days since last use. Lately, others have told me that memory retains enough data, even after being turned off to where it is still worthwhile to get it.

To the group here - agree or disagree and/or do you all get memory images as well as disk images if the device has been powered off?  
 
  

keydet89
Senior Member
 

Re: Memory or not?

Post Posted: May 20, 19 19:52

I'd suggest testing it.

Turn a system on, perform some actions, then shut it off. Later, turn it back on, dump memory and analyze it.  
 
  

passcodeunlock
Senior Member
 

Re: Memory or not?

Post Posted: May 20, 19 19:56

Tricky question...

Once the computer got powered off, how would you make a RAM image of it without turning it back on, which actually makes your evidence void?!
_________________
Apple passcode unlock + decrypted filesystem dump, Android user locks unlock + physical dump with decrypted userdata partition. We provide our services world-wide, but we reserve the right for choosing which tasks we take and which we deny! 
 
  

C.R.S.
Senior Member
 

Re: Memory or not?

Post Posted: May 20, 19 20:04

- ClarkK
Lately, others have told me that memory retains enough data, even after being turned off to where it is still worthwhile to get it.


Maybe what they wanted to say is: In times of increasingly complex power management, don't rely on anyone's statement that the device is "powered off".  
 
  

watcher
Senior Member
 

Re: Memory or not?

Post Posted: May 20, 19 20:28

If the device runs from a battery (e.g. a laptop), there is the possibility that turned off is not truly powered down. Attempting to read memory in that case may be worth it but is not easily and cleanly done. Only very unusual circumstances would likely justify the effort.  
 
  

kastajamah
Senior Member
 

Re: Memory or not?

Post Posted: May 20, 19 21:27

I say do it. I had a workstation computer crash over the weekend a couple of years ago. When I came into work that Monday, my computer was off. When I powered on my computer and opened Word, my report did not recover. I imaged the RAM. I was able to recover most of my document from the RAM dump.

An instructor of mine was able to recover passwords from a RAM dump from a computer that had been powered off for over a year. You do not know what you will find until you do it.  
 
  

Passmark
Senior Member
 

Re: Memory or not?

Post Posted: May 20, 19 22:08

From a technical point of view it doesn't make much sense.

DDR RAM (DDR2, DDR3 & DDR4) requires a periodic "refresh" to hold the data. Typically this is around 64ms. Any longer than this and the data starts to fade away.

Details are here
en.wikipedia.org/wiki/...ry_refresh

So it is a bit hard to imagine that all those engineers got it wrong and a refresh period of days or years is all that is required.

What people might be seeing is,
1) Laptops might be asleep on battery power for many days.
2) System RAM being restored from hibernation file off disk as the machine boots. So the information contained in the RAM dump could have equally been collected from the hibernation file, without the need for a RAM dump.  
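
The test suggested earlier in the thread (use the system, shut it off, later dump memory and analyze it) can be made measurable by planting a known pattern before shutdown and counting how much of it survives in the later dump. This is an added example, not code from any poster in this thread; the canary value, its page-aligned placement and the 16-bit error threshold are assumptions.

```python
import io

# Constructed 16-byte canary, assumed to have been written repeatedly into
# page-aligned buffers by a test program before the machine was shut down.
MARKER = b"FFTEST-CANARY-01"

def bit_errors(a: bytes, b: bytes) -> int:
    """Hamming distance in bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def scan_dump(stream, marker=MARKER, max_errors=16, chunk_size=1 << 20):
    """Count intact and partially decayed canary copies in a raw memory dump.

    Blocks are compared at marker-size alignment (valid because the canary
    buffers are assumed page-aligned). A block within max_errors flipped bits
    of the canary counts as a decayed copy; unrelated data such as zeroed or
    random memory differs from the canary in far more bits than that.
    """
    n = len(marker)
    chunk_size = max(n, chunk_size - chunk_size % n)  # keep reads block-aligned
    stats = {"blocks": 0, "exact": 0, "decayed": 0, "flipped_bits": 0}
    while True:
        chunk = stream.read(chunk_size)
        if len(chunk) < n:
            break  # end of dump (a trailing partial block is ignored)
        for off in range(0, len(chunk) - n + 1, n):
            block = chunk[off:off + n]
            stats["blocks"] += 1
            if block == marker:
                stats["exact"] += 1
                continue
            errs = bit_errors(block, marker)
            if errs <= max_errors:
                stats["decayed"] += 1
                stats["flipped_bits"] += errs
    return stats

def demo_dump() -> bytes:
    """Constructed sample: 4 intact copies, 1 copy with 3 flipped bits, filler."""
    decayed = bytearray(MARKER)
    decayed[0] ^= 0x01
    decayed[5] ^= 0x80
    decayed[9] ^= 0x10
    return MARKER * 4 + bytes(decayed) + bytes(160) + b"\xff" * 64

if __name__ == "__main__":
    print(scan_dump(io.BytesIO(demo_dump())))
```

Running the same scan over the hibernation file taken from the disk image separates canary copies that were restored from disk from copies that actually persisted in RAM.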
 
