One of the things I love about my job is I get to work on things that I would do in my spare time for fun. The most recent of these projects involves dumping the contents of RAM from computers that have been turned off.
For the last few decades common knowledge has held that when a computer is turned off the contents of its RAM are lost. In April 2008 a number of researchers at Princeton released a paper showing that the contents of RAM could still be acquired minutes after a computer had been powered off, and even after the RAM was removed from the computer.
To this end I set about testing this process using the tool found at McGrew Security: msramdmp.
The process involves creating a USB drive with a bootable partition and a separate partition to store the RAM dump. Obviously, the dump partition needs to be at least as large as, and preferably larger than, the RAM you are attempting to grab.
After testing the process with a laptop running Windows XP and Ubuntu Linux this is what I found.
- The initial part of the dump has so far always been the remnants of the BIOS and Syslinux boot process, i.e., you WILL be altering RAM when you perform this process.
- The process is SLOW.
- Ubuntu does not leave a lot of interesting things in RAM. I used each OS for approximately 10 minutes and then shut the laptop off. After waiting a minute I inserted the USB drive and booted the laptop. After using Ubuntu there were the typical initial sections with Syslinux and BIOS remnants and then very little that was readable by a human.
- Windows XP leaves lots of interesting things, registry keys, initialization variables for programs, file paths, recently seen Wireless Access Points, the names of other computers seen on the local network as well as snippets of HTML from web pages that had been recently loaded.
- Despite what some people and blogs say, the tool provides you with the raw binary dump of the RAM. It is up to you to carve interesting data out of it. A Push-Here-Dummy tool does not exist for this process… yet.
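Since the tool hands you nothing but a raw binary image, the first pass a forensic examiner makes is usually string carving: pull every printable ASCII and UTF-16LE (Windows wide-string) run out of the dump, then sort the hits into the artifact types listed above (registry keys, file paths, HTML fragments) and measure how far into the image the boot loader's own footprint reaches. The script below is an added example written for this post; it is not part of msramdmp and the byte string it parses is a constructed stand-in for a dump, not real captured memory. The classification patterns and the `SYSLINUX` marker search are assumptions about what such a dump contains, drawn from the observations above.

```python
import re
from collections import defaultdict

# Constructed stand-in for a raw RAM dump (NOT real captured memory):
# null padding, a fake boot-loader banner where the post says the
# BIOS/Syslinux remnants land, then the kinds of Windows XP artifacts
# the post reports. Registry keys are stored as UTF-16LE to mirror how
# Windows keeps wide strings; the rest is plain ASCII.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"SYSLINUX 3.xx  EBIOS  (constructed boot-loader banner)"
    + b"\x00" * 32
    + "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le")
    + b"\x00" * 8
    + b"C:\\Documents and Settings\\user\\My Documents\\notes.txt"
    + b"\x00" * 8
    + b"<html><head><title>Example page</title></head>"
    + b"\x00" * 8
    + "Example Wireless Network".encode("utf-16le")
    + b"\xff\x00\xa3"  # a few non-printable bytes as noise
)


def carve_strings(data, min_len=6):
    """Return (offset, encoding, text) for every printable run of at least
    min_len characters, carved as both ASCII and UTF-16LE."""
    found = []
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE of ASCII text is printable byte, NUL, printable byte, NUL, ...
    wide_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_run.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in wide_run.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    found.sort()
    return found


def classify(text):
    """Bucket a carved string by the artifact types the post describes.
    The patterns are heuristics (assumed), not an exhaustive taxonomy."""
    if re.match(r"(HKLM|HKCU|HKEY_[A-Z_]+)\\", text):
        return "registry"
    if re.match(r"[A-Za-z]:\\", text) or text.startswith("/"):
        return "path"
    if re.search(r"<(html|head|body|title|a |div|script)", text, re.IGNORECASE):
        return "html"
    if "SYSLINUX" in text or "BIOS" in text:
        return "boot"
    return "other"


def acquisition_footprint(data, marker=b"SYSLINUX"):
    """Offset of the first boot-loader marker, or -1 if absent. Memory before
    and around it was overwritten by the acquisition boot itself, so anything
    carved from that region should be treated as the tool's footprint."""
    return data.find(marker)


def summarize(data, min_len=6):
    """Group carved strings by category so an examiner can triage the dump."""
    buckets = defaultdict(list)
    for _offset, _encoding, text in carve_strings(data, min_len):
        buckets[classify(text)].append(text)
    return dict(buckets)


if __name__ == "__main__":
    print("boot-loader footprint at offset:", acquisition_footprint(SAMPLE_DUMP))
    for category, items in summarize(SAMPLE_DUMP).items():
        print(category)
        for item in items:
            print("   ", item)
```

On a real image you would replace `SAMPLE_DUMP` with `open(path, "rb").read()` (or a memory-mapped file for multi-gigabyte dumps) and tune `min_len`; the two-encoding carve matters because Windows keeps registry paths and many program variables as wide strings, which a plain ASCII `strings` run will miss entirely. The "other" bucket is where names like wireless access points and neighbouring hosts end up, since they have no reliable signature and need surrounding context to interpret.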
I’ve read that some people can actually get the contents of RAM to persist longer by freezing or cooling the RAM. One person used liquid nitrogen and another used compressed air. I’ve not tested this yet, but if what they say is true then claims of keeping the contents of RAM intact for up to 24 hours may not be so very far off.
Hmmm very interesting, would this have any practical application?
Evidentiary acquisitions and finding the keys to entire-disk encryption setups.
But you’d only have a 24 hour window on that in the very best case scenario right? Like, would it be worth it to have some one on the police force with liquid nitrogen at the ready? How long does the info stay on the RAM without any cooling?
Also, this sounds like a sweet plot device for a story, I am going to have to remember this one.
When a warrant is served and the door is knocked down to find the child pornographer shutting down his computer with an encrypted file system… a few minutes is all a properly trained forensic team may need to stabilize the RAM. If, as some results are showing, you can still acquire data out of unstabilized RAM after 10 minutes of no power… then that’s plenty of time to secure the location and get forensics in to do their work. Remember, once power has been reapplied those bits aren’t going anywhere unless you start writing to RAM.
24 hours would be amazing and much better than a best-case scenario.
I’d take 10 minutes just about any day assuming the team was properly trained and prepared. Minutes can truly be an eternity in the land of “search and seizure”.
Though as I noted, this is a bleeding edge area of research and I am unaware of anyone actually using it outside a test environment.
Up until now, one has always had to hope to catch people literally and figuratively with their pants down.