Memory forensics- How long does it take for data to be wiped from memory/RAM?

For example, if you open up a notepad editor and type in "abcdefghijklmnopqrstuvwxyz" etc etc..... that data will go onto your memory. If you turn off your computer, for a couple of minutes this data should be wiped from your memory.

But what about if you were to close out that file and left your computer on, how long would it take for the "abcdef......" data to be wiped off of your memory? 99% of the time it should be wiped out in a couple of minutes, correct?

Now if you were to leave a computer on for an extended amount of time, are there any cases where data can retain for extended periods even after you have exited the "abcdefgh..." file? I am talking about over 10-30 minutes where your RAM data from yesterday still lingers in your RAM.

What about the clipboard, once you copy and then cleared out the clipboard by copying something else, the original data should not retain in your memory for extended time period, correct?

 

Why not just do it in a read-only virtual machine -- e.g., your preferred Linux Live ISO running in VirtualBox or whatever?

What are you doing with the result of this typing, BTW?

 

I'd worry less about a copy of this evidently either very bad or very sensitive text residing elsewhere in the many locations of a modern OS, than I would about memory. With memory, it's (as far as I still know), gone upon reboot. I only know of catching things in memory by using an on-site attack, meaning the forensic guy or crook is sitting by the machine, and that's not something just any nosy person is going to be able to pull off.

 

As far as data & windows forensics, yes I agree that using a VM, especially residing in an encrypted partition would maximize data security. (FDE would actually be the most secure method, imo)

However, as far as real time memory/ram vulnerability is concerned:

Well I was under the impression that anything you access, read, etc. that displays on your computer goes into your memory as plain text. And that neither using sandboxie, truecrypt, or a VM with live linux//encrypted VM would make any difference.

http://www.sandboxie.com/index.php?PrivacyConcerns
http://www.truecrypt.org/docs/
"Note that TrueCrypt cannot prevent the contents of sensitive files that are opened in RAM from being saved unencrypted to a paging file (note that when you open a file stored on a TrueCrypt volume, for example, in a text editor, then the content of the file is stored unencrypted in RAM)."

The reason for my question is because I want to know exactly how long and what it takes for RAM to be cleared 100%, as a protection against cold boot or memory attacks (or just someone stealing my laptop while my FDE is mounted).

Well yes, I agree completely with you. Memory is not usually the concern and the chances of memory attacks is rare, but I also think that it is good to know exactly how memory works (how long it takes to be cleared 100%, etc).

So are you saying that the only way for memory to be cleared 100% is to shut down or reboot your computer? (And a reboot being as effective as a complete shut down?)

I mean, going back to my original question, if you were to open a notepad or whatever, shouldn't the act of closing that file wipe the contents off your memory 100%, at least after 5-30 mins? Or is there a chance it can linger for hrs+++ and possible until you reboot?

 

Just a thought would something such as these apps help with dealing with the memory retention issue ?

CacheMan - http://www.outertech.com/index.php?_charisma_page=products

Rizone Memory Booster - http://www.rizone3.com/archives/27

 

There have been some theoretical discussions about how data may persist in a memory chip. The theory is that if a block of data is held in the same memory circuits for a long time (days/weeks) there could be something like a burn in effect. The voltage thresholds for the on/off states of circuits that have been held constant over this long period could be different from those that have been frequently flipped. This effect might not fade very quickly (if at all) after shutdown.
In practice however, it would be a challenge to measure this because it would require detailed knowledge of low level testing procedures of the memory chips. ( you would need a great deal of assistance from the chip manufacturer for example)
I have seen this topic discussed before in reference to encryption keys. Since encryption master keys might be expected to be held in memory for long periods of time it is in the realm of possibility that some three letter agency would attempt such a technique to find an encryption key.

 

VirtualBox uses virtualized memory. I had assumed that traces left in host memory, absent context provided by the VM state, would be meaningless. Also, I don't see (obvious) virtual memory files. Upon reflection, I don't know what might persist. And after some googling, I still don't. I do suspect that Christiaan Beek might be a good place to start. Anyone want to invite him by for a few questions?

 

What OS are you running (Windows, Mac OS X, or Linux/Unix distribution)?

The real answer to your question depends on how much RAM you have - not, when you close a file, or even delete it which usually only removes an index pointer (filesystem inode file) to the "deleted " file whiile the contents remain accessible on hard drive.

In Linux/Unix there is a package aka secure-delete which has routines like sfill, sdmem and sswap which securely wipe RAM and hard driive files:

sfill - secure free disk and inode space wiper (secure_deletion toolkit)
sdmem - secure memory wiper (secure_deletion toolkit)
sswap - secure swap wiper (secure_deletion toolkit)

The August 2008 release of Incognito Live CD (now suceeded by Amnesic aka TAILS) is a Tor, Tork, Torbutton enabled way of anonymous surfing which has these routines (at least the RAM wipe enabled at shutdown. You could try downloading the Live CD of Incognito, burn the .iso image to a CD, boot it up and then shut it down - to see how long it takes for your RAM to be securely wiped.

-- Tom

 

Thank you for the links CloneRanger.

Yes, this would be the worst type of memory vulnerability but hopefully it is more theoretical/extremely rare.

So basically, we all can test wiping effectiveness on hard drives by running file recovery programs. Are there no such program or ways to test to see what is residing in RAM/memory (without the help of chip manufacturers)?

Hiero, that's what I thought too at first, and I was going to ask about that.. so we are in agreement that a notepad file opened & contents displayed in a VM is no more secure (memory wise), than a notepad file opened on your host?

I am running Windows XP.

Can you care to explain why how much RAM I have would make more of a difference than when I close a file? It would seem to me that when you close a file, it should generally be wiped from memory. But from what you are saying it makes it seem that closing a file doesn't have anything to do with wiping out the memory at all?

I always find that Linux is 10 steps ahead of the game and those commands would be EXACTLY what I would be looking for. Although I am using Windows XP and I don't think there are commands/software that exist for XP.

 

I'd say that we don't know, so it's prudent to assume that it's not.

And hey, my hosts and private VMs are all Ubuntu Lucid, so I guess I'll start using them.

 

Hi dialxdrop,

Yes, closing a file, or more particularly deleting a file does not have anything to do with wiping out the memory (i.e. editor or other file viewing buffers in RAM) created by the applications at all, e.g. after a close, then delete operations in sequence on a file.

What you might be able to do with a Linux Live CD for almost any distribution (I'd recommend Ubuntu as the easiest to use), is to download the source of the secure-delete package and compile it under Cygwin for Windows. It is probably written in C and depends on having compatible libraries in Cygwin or the other Ming software for Windows. Ok, just saw hierophant's post, so, if you use Ubuntu, then it is easy to add a deb-src line to your repositories in /etc/apt/sources.list to get the source for the secure-delete package using Synaptic Package Manager (SPM) - just check all repositories for Universe, Multiverse, and Backports. Then click on Reload, and use the Search selection at the right-hand-side of SPM. Then Mark the source for secure delete, or use apt-get source secure-delete to download the source code on a Terminal window command line.

Note: The Incognto .iso Live CD software is standalone (Gentoo Linux hardened), and would make a good test (on shutdown as I mentioned above in my previous post) on your Windows platform (if your system allows a bootable Live CD to boot first) for the size of your RAM to give you an idea of the time it would take to wipe your RAM.

Then again wiping RAM without also wiping swap is short of the goal. Takes two commands at the shell script level (or Terminal Window level), which can be done in parallel with a dual-processor and parallel shell script setup in Linux/Unix.

-- Tom

 

I wouldn't worry much, its not like your going to have special forces break down your door and perform a coldboot attack unless your some kind of terrorist or massive collector/distributor of illegal material, if its some idiot stealing your machine than you defiantly don't have to worry about them trying to recover data from your Ram, most people who steal laptops and machines are trying to support a drug habit, not a hacker trying to steal your so called top secret data, hackers have better ways of doing this .

 

Yes, like living inside RAM.

As long as RAM has power it can hold data.
Desktops and laptops differ in how they power RAM.
My laptop keeps power to the RAM always but my desktop doesn't.
To cut power from my laptop RAM I have to remove the battery and pull the power plug for at least 1 minute to prevent old data persisting across a cycle.

File persistence rates differ depending on which memory section the file is in.
Paged pool vs. non-paged pool.
Processes in the non-paged pool have been known to persist up to 14 days, according to forensic memory analysis sites I have read.

 

Sounds like your laptop is stuck in standby/sleep mode.

 

Must be a firmware feature. There are some bios functions not availble to the user.
I have changed HDD with different OS's, Windows vs. Linux, so isn't an OS thing.

 

Can I get a link to that statement? Ive heard up to 10hrs with coldboot attack, but 14 days?

 

I hope this is useful.

Searching for processes and threads in Microsoft
Windows memory dumps - PDF

 

Theirs a big difference "while the system is in use" "Power on" so if the system is not in use "Power off" then this is not plausible, so in other words don't leave your machine on for weeks on end or their is a possibility data from a week ago may still be lingering in ram.

 

Unplugging is the only sure bet.