Can volatile memory (RAM, DRAM, SDRAM and similar technologies) be read after power has been removed?

Short answer: Probably, but it's likely too resource intensive to be practical for your purposes. However, if you find an efficient way to extract information from "non-live" DRAM/SRAM storage you are probably exceeding the threat model of a large number of institutions.

Long answer: It is true that the capacitors in SDRAM or DRAM storage (or stray capacitance in SRAM) will discharge quickly, implying that the charge level of the capacitors will quickly become unreadable. If your time constant T = 10us (totally ballpark, based on typical refresh rates), the charge will reach a millionth of its initial value in about a ten-thousandth of a second. This means that in a very short time span the surrounding static, including your favorite radio channel, power grid noise, static fields from your clothes, and cosmic radiation will vastly exceed the voltage left in the capacitor, and make detection of that voltage unfeasible. Remember... cosmic radiation can flip a "fully charged" bit in a DRAM cell. (That’s what causes all these WinNT crashes. :)) Needless to say, a trillionth of a trillionth of a "bit charge" isn’t going to stand up very well.

There are, however, other forms of "memory effects" occurring in memory cells. Gutmann points out in his paper that changes to the oxide insulating layer will occur over time. This memory effect becomes a bigger problem the longer you store the data in the cell. In the case of SRAM the RAM chip's built-in circuitry can in some cases be used to decode this, because the circuit (which typically has no stable state at power-on) will have a tendency to flip to its "learned" state. If you want to exploit this effect in SRAM your biggest problem is probably avoiding power-on initiation, RAM tests and similar, besides the fact that the memory retention probably doesn’t last more than a few hours or days.

Exploiting this in DRAM sounds like it’s going to be a heck of an expensive affair... I’d assume that you’d have to dissect the chip and examine the oxide layer directly, bit by bit, with some Star Trek equipment built on a Pentagon-size budget.

But the potential opportunity/threat has been acknowledged:

"Media that have ever contained Cryptographic (CRYPTO) material cannot be sanitized at all; such media must be destroyed."

With respect to sanitization of Static random access memory (SRAM):

"Store a random unclassified test pattern for a time period comparable to the normal usage cycle."

From: U.S. Army Regulations.
http://www.fas.org/irp/doddir/army/r380_19.pdf

NTISSAM recommends 24 hours on time with random contents to clear RAM:
Advisory Memorandum on Office Automation Security Guidelines
http://www.radium.ncsc.mil/tpep/library/rainbow/N-C-1-87.txt

Again, a link to Gutmann’s paper:
http://www.usenix.org/publications/library/proceedings/sec96/full_papers/gutmann/

If anybody has better pointers related to combating (or exploiting) "undesired" volatile memory retention, I’d like to hear.

TMD

P.S. Sorry about the late post on this subject, my first one got bounced when Hotmail decided to use RTF (Rude Text Format). D.S.

----- Original Message -----
From: "Eric Boltz" <Eric_Boltzat_private>
Sent: Monday, September 10, 2001 3:02 PM
Subject: Solid State HDD Data Recovery?

>Hello All!
>I am interested in finding out if there is a way to scavenge data from a
>Solid State HDD, as you would from a standard mechanical drive? From what I
>understand, as soon as power is removed from the SSD (and the built-in
>battery is drained), all data is irretrievably lost... is this true or is
>there a way of examining SDRAM-based drives to retrieve the data?

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

This archive was generated by hypermail 2b30 : Fri Sep 14 2001 - 12:07:05 PDT