(Reposted and edited from my old blog)
It’s commonly taught that a computer’s system memory is entirely volatile – that its contents are immediately erased after power is removed. In reality the RAM chip’s state degrades gradually over a certain period, and it takes up to 10 minutes in some cases to dissipate entirely. This allows a period of time in which data recovery is possible, perhaps by loading another OS with a small footprint on the target machine.
The rate of data loss in system memory is determined largely by the amount of electron activity within the chip and its overall capacitance, which in turn is largely determined by its temperature. In theory, cooling the RAM chip to around -80 degrees can preserve the data until it reaches a digital forensics lab.
This has major implications for digital forensics, as we’re potentially looking at 2GB of recoverable data for the average home PC, and it also provides a way around disk encryption. A research group at Princeton University managed to acquire the keys from system memory for BitLocker, FileVault and dm-crypt using this method. The materials to do this are available at little cost, and a couple of programs have also been created for acquiring the data directly from system memory – ram2usb by the Princeton University research group, and msramdmp by McGrew Security. Those two programs are very basic, so running them has a minimal effect on the system memory. I imagine they’d also be configured to load at memory addresses that are known not to store important data.
As far as I’m aware, none of the developers of disk encryption have come up with countermeasures since the research was published back in 2008, such as code that wipes the key from its memory address during shutdown. Whether this is a security problem depends on whether the target is a shared computer, whether it’s left in standby mode after use, whether the BIOS is configured to prevent another OS being loaded, and to what degree the computer is physically protected. If the target system’s a laptop, the chances of its owner being mugged, within 10 minutes of switching it off, by a skilled attacker with the necessary resources are very slim.
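To make the shutdown-time countermeasure mentioned above concrete, here is an added example of a key-wiping routine in C. It is not code from the original post or from any of the disk encryption products named here; the `key_slot` struct, the `secure_zero` helper and the demo key pattern are all assumptions made for illustration. The point it shows is that a plain `memset()` on a buffer that is about to go out of scope is a dead store the compiler may delete, whereas calling `memset` through a `volatile` function pointer forces the write to actually happen.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical key container: a 32-byte key (AES-256 sized) plus a flag
 * so callers can tell whether the key is still live. */
#define KEY_LEN 32

struct key_slot {
    uint8_t key[KEY_LEN];
    int live;
};

/* Zeroise memory in a way the optimiser cannot drop. A direct memset()
 * just before free()/return is a dead store and may be removed; calling
 * memset through a volatile function pointer forces the call to happen. */
static void *(*volatile volatile_memset)(void *, int, size_t) = memset;

void secure_zero(void *p, size_t n)
{
    volatile_memset(p, 0, n);
}

/* Load a constructed demo key into the slot (not a real key derivation). */
void key_slot_load_demo(struct key_slot *s)
{
    for (size_t i = 0; i < KEY_LEN; i++)
        s->key[i] = (uint8_t)(0xA5 ^ i);   /* constructed byte pattern */
    s->live = 1;
}

/* Wipe the key; a shutdown or suspend hook would call this before the
 * key's memory is released. */
void key_slot_wipe(struct key_slot *s)
{
    secure_zero(s->key, KEY_LEN);
    s->live = 0;
}

/* Returns 1 if every byte of the key is zero, 0 otherwise. */
int key_slot_is_zeroed(const struct key_slot *s)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < KEY_LEN; i++)
        acc |= s->key[i];
    return acc == 0;
}

/* Round trip: load a key, confirm it is non-zero, wipe it, confirm it is
 * zero. Returns 1 on success, 0 if either check fails. */
int demo_wipe_roundtrip(void)
{
    struct key_slot s;
    key_slot_load_demo(&s);
    if (key_slot_is_zeroed(&s) || !s.live)
        return 0;
    key_slot_wipe(&s);
    if (!key_slot_is_zeroed(&s) || s.live)
        return 0;
    return 1;
}

int main(void)
{
    printf("wipe round trip ok: %d\n", demo_wipe_roundtrip());
    return 0;
}
```

Note the limit of this mitigation, which is exactly the scenario the post describes: the wipe only runs when the software gets to run it (a clean shutdown, suspend or lock). If the plug is pulled, the key is still wherever it was in DRAM, so zeroisation complements physical protection and BIOS boot restrictions rather than replacing them.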
How easy would it be to use the RAM freezing technique at a crime scene? The answer is the same as above – the technique only works on a computer very recently used, so the biggest factor would be the delay between someone pulling the plug on a computer and the arrival of a trained analyst. Another issue would be the criteria in the ACPO Guidelines that any action must (or more accurately ‘should’) be taken by someone who’s competent and able to understand and explain the full implications of that action. This requires much further training. It’s likely to be another decade before RAM freezing becomes common in forensics, if it ever does.