Data Lifetime

I was quite surprised to actually see parts of the main memory survive a reboot for the first time. Well, Farmer and Venema were not the first to describe this. Here are two more interesting papers on that topic.

Peter Gutmann's paper Secure Deletion of Data from Magnetic and Solid-State Memory dates back to 1996. Have a look at chapters 7 and 8:

Contrary to conventional wisdom, "volatile" semiconductor memory does not entirely lose its contents when power is removed.

What are those special "built-in self test capabilities" Gutmann writes about? Are they still there in today's DRAM technology? Are there any devices available (for a reasonable price) to read out dynamic memory that way?

The second paper I came upon is Shredding Your Garbage: Reducing Data Lifetime Through Secure Deallocation by Jim Chow, Ben Pfaff, Tal Garfinkel and Mendel Rosenblum. They examine the lifetime of data in memory. Their paper contains some interesting observations in regard to memory forensics.

They took a workstation with 1 GB RAM running Microsoft Windows and sent 4 MB of data via TCP through the loopback device. This data ended up in kernel memory. After 14 days of "normal" operation they still found 3 MB of data left in memory.

Particularly interesting is what the authors write in a paragraph entitled "Effect of Rebooting". They found that a soft reboot would not clear the memory on some systems. OK, after all, that was to be expected. But then:

On some machines, hard reboots cleared all stamps; on others, such as IBM ThinkPad T30 laptops, many were retained even after 30 seconds without power.
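A measurement of this kind can be reproduced on a lab machine by sending recognizable stamps through the system and later counting how many are still intact in a raw memory image. The following is an added example, not code from the paper or from this blog; the stamp layout (marker, sequence number, truncated SHA-256) and all function names are assumptions made for illustration.

```python
import hashlib
import struct

MAGIC = b"STAMPv1:"                 # constructed marker, an assumption of this example
STAMP_LEN = len(MAGIC) + 4 + 4      # marker + sequence number + checksum


def make_stamp(seq: int) -> bytes:
    """One 16-byte stamp: marker, big-endian sequence number, truncated SHA-256."""
    body = MAGIC + struct.pack(">I", seq)
    return body + hashlib.sha256(body).digest()[:4]


def make_payload(count: int) -> bytes:
    """Stamped data to push through the system under test."""
    return b"".join(make_stamp(seq) for seq in range(count))


def scan_image(image, sent: int) -> dict:
    """Count stamps that survive intact at any byte offset of a raw memory image."""
    offsets = {}                    # sequence number -> offsets of intact copies
    pos = image.find(MAGIC)
    while pos != -1:
        cand = bytes(image[pos:pos + STAMP_LEN])
        if len(cand) == STAMP_LEN:
            seq = struct.unpack(">I", cand[8:12])[0]
            # The checksum rejects stamps that were partly overwritten.
            if seq < sent and cand == make_stamp(seq):
                offsets.setdefault(seq, []).append(pos)
        pos = image.find(MAGIC, pos + 1)
    unique = len(offsets)
    return {"unique_stamps": unique,
            "copies": sum(len(v) for v in offsets.values()),
            "surviving_bytes": unique * STAMP_LEN,
            "surviving_fraction": unique / sent if sent else 0.0}


def demo() -> dict:
    """Constructed 'memory image': filler, intact stamps, a duplicate, damaged ones."""
    damaged = bytearray(make_stamp(3))
    damaged[-1] ^= 0xFF                            # corrupt the checksum of stamp 3
    image = (b"\x00" * 100 + make_payload(8)[:32]  # stamps 0 and 1 intact
             + b"\xff" * 37 + make_stamp(1)        # second copy of stamp 1, unaligned
             + b"\x00" * 5 + bytes(damaged)
             + make_stamp(7)[:10])                 # stamp 7 cut off at end of image
    return scan_image(image, sent=8)


if __name__ == "__main__":
    print(demo())
```

For a real dump, `scan_image` also accepts an `mmap` of the image file, so the whole image does not have to be read into memory.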

I see a bright future for memory forensics.

Imprint

This blog is a project of:
Andreas Schuster

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.