Memory analysis

Acquisition (6): The Guillotine

Cutting the power or forcing a reset may not look like proper procedures for preserving a computer's main memory. However, current research tells a different and fascinating story.

Richard McQuown describes such a "procedure of last resort", called The Guillotine. Basically, the hard drive's power is cut while Microsoft Windows keeps running. Next, the reset button is pressed, the computer is power-cycled, or Windows blue-screens on its own because the system drive has become inaccessible. Either way, as the system comes back up it is booted from a USB drive, CD or DVD holding a small, trusted operating system, and the memory is then copied with dd or a similar tool.

One might find it hard to believe that this procedure works at all. The main memory of personal computers consists of dynamic RAM (DRAM). In contrast to static RAM (SRAM), it needs to be refreshed at regular intervals or it starts to lose its information. The information is represented by charges that are kept in field effect transistors. As soon as power and clock signals are cut, they begin to discharge. However, this takes some time.

In their live forensics tutorial held at USENIX Security 2007 Frank Adelstein (ATC-NY) and Golden G. Richard III (University of New Orleans) report that "timestamped" data could successfully be retrieved from an IBM T30 after it was powered down for 30 seconds.

Now the Center for Information Security Policy of Princeton University has extended this time-window into the range of minutes and hours.

We also confirmed that decay rates vary dramatically with temperature. We obtained surface temperatures of approximately -50 °C with a simple cooling technique: discharging inverted cans of "canned air" duster spray directly onto the chips. At these temperatures, we typically found that fewer than 1% of bits decayed even after 10 minutes without power. To test the limits of this effect, we submerged DRAM modules in liquid nitrogen (ca. -196 °C) and saw decay of only 0.17% after 60 minutes out of the computer.

The following sequence shows the slowed-down degradation of memory contents over time. According to the authors, the "stripes" result from the memory chip's internal logic: in some regions a logical one is represented by a charged capacitor, in others by a discharged one, so neighbouring regions decay toward different ground states.
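As an added illustration that is not part of this post or of the Princeton paper, the following Python models the drift toward per-region ground states described above and shows how an examiner can quantify decay by writing a known pattern before the procedure and comparing it with the image read back afterwards. The stripe layout, region size and decay probability are constructed assumptions, not measured values.

```python
import random


def simulate_cold_boot(reference, region_size, decay_prob, seed=0):
    """Constructed model of DRAM decay after power is cut (not measured data).

    Regions alternate between a ground state of 0 and of 1 (the "stripes");
    each bit not already at ground flips with probability decay_prob, which
    stands in for elapsed time and temperature.
    """
    rng = random.Random(seed)
    out = bytearray(reference)
    for i in range(len(out)):
        ground = (i // region_size) % 2  # assumed stripe layout: 0, 1, 0, 1, ...
        for bit in range(8):
            mask = 1 << bit
            current = 1 if out[i] & mask else 0
            if current != ground and rng.random() < decay_prob:
                out[i] ^= mask
    return bytes(out)


def analyze_decay(reference, acquired, region_size):
    """Quantify decay by comparing a known pattern with what was read back.

    Returns the fraction of changed bits, the inferred ground state of each
    region (the value its changed bits drifted to) and the number of flips
    decay cannot explain: within one region decay moves bits in a single
    direction, so flips in the minority direction are counted as anomalous.
    """
    if len(reference) != len(acquired):
        raise ValueError("reference and acquired image must be the same length")
    total_bits = len(reference) * 8
    changed = anomalous = 0
    region_ground = []
    for start in range(0, len(reference), region_size):
        to_zero = to_one = 0
        for r, a in zip(reference[start:start + region_size],
                        acquired[start:start + region_size]):
            diff = r ^ a
            to_one += bin(diff & a).count("1")           # was 0, read back as 1
            to_zero += bin(diff & ~a & 0xFF).count("1")  # was 1, read back as 0
        changed += to_zero + to_one
        anomalous += min(to_zero, to_one)
        region_ground.append(1 if to_one > to_zero else 0)
    return {"decayed_fraction": changed / total_bits,
            "region_ground": region_ground, "anomalous_flips": anomalous}
```

A non-zero anomalous count means the differences are not pure decay, for instance because the region was overwritten by the boot loader or the acquisition tool itself.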

Don't miss their paper and the full movie, both of which are available on their web site.


This blog is a project of
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
Germany
impressum@forensikblog.de

Copyright © 2005-2010 by
Andreas Schuster
All rights reserved.