Question: Can the contents of the RAM be reconstructed even though we have performed a cold restart and wiped the whole RAM?

Status
Not open for further replies.
Aug 21, 2022
To keep sensitive data safe, people on the internet recommend overwriting the RAM with other data.

Popular methods include, for example, running bios post memory test at startup, or running any other memory test utility from bios or CD.
I read somewhere on the forum that if you disconnect the power supply, the last thing the RAM does is rewrite all the bits to 0 or 1 (I'm not sure now), and I'm also not sure if it's Windows or the BIOS that does it, if at all. Can anyone explain it to me?
In other words, I'm not so sure about this, because I don't know if it really works on every PC, or if only some operating systems do it, or if it only works if you have the features set correctly in the BIOS. I mean specifically disabled quick boot, enabled memory clean, and automatic start in case of power loss.
According to one post I read, in theory it should be enough to have the "turn on when AC power loss" function turned on and pull out the cable, and the RAM will supposedly be overwritten, but I can't say if it really works that way. I would appreciate it if someone could confirm or refute this information.
Regarding the memory clean function, I read that it is a security feature that came with the arrival of DDR3, where the BIOS POST is not seen so often due to the large RAM capacity. Allegedly, this feature should zero out the contents of the entire RAM upon restart. The question remains whether it also works in combination with features that speed up booting, and whether it is enough. Could someone explain here how to set this feature to work correctly?
In Linux systems, a script is used during shutdown. And I wonder if there would be, for example, the possibility to overwrite the RAM several times with 0, 1 and random characters or a pseudo pattern, just as it is with the sdelete program. Can it be done in practice, and would it improve protection?


However, I came across this paper (Secure Deletion of Data from Magnetic and Solid-State Memory by Peter Gutmann) from 1996, which also mentions SRAM and DRAM a little, which are the predecessors of SDRAM and DDR RAM, so the concept of the memory cells will probably be similar to DDR2, DDR3, and maybe DDR4 and DDR5, but I can't confirm that.
Dr. Gutmann claims that the value of the previous bit can be guessed based, for example, on voltage and current threshold shifts of the memory cell.
According to Peter Gutmann, it is possible to recover overwritten RAM data too if the recovery attempt is carried out fairly soon after the new data was written. (Does this also apply in the case of a cold restart?)
In chapter 8, Erasure of Data stored in Random-Access Memory, Dr. Gutmann states that the greater the amount of time that new data has existed in the cell, the more the old stress is "diluted", and the less reliable the information extraction will be. The oxide will immediately begin to take a "set" which will either reinforce the previous "set" or will weaken it.

He returns to this afterwards in his next study, Data Remanence in Semiconductor Devices, where he analyzes the issues in more depth. Among other things, the study mentions various factors affecting RAM cells and the general operation of the equipment (like electromigration, hot carriers, ionic contamination, radiation, scaling...).
In chapter 5.1, Avoiding Short-term Retention Effects, he explains further that, if nothing is done, the device will eventually recover by itself, although this can take quite some time at normal room temperatures. One way to accelerate the recovery process is to expose the device to elevated temperatures; the read access times for the SRAM devices mentioned previously were found to recover after around 1 ½ hours at 75°C, 3 days at 50°C, nearly two months at 20°C, and approximately 3 years at 0°C.



Finally, in short, according to Dr. Gutmann's study, by measuring various values and examining the cells, it is possible to restore the contents of the RAM.
If it is possible to reconstruct the data from the RAM after some time even though it has been overwritten, I would see it as a security issue.
Is this really doable, or is it just a myth, or an obsolete technique that could be done before DDR memories came?
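The four recovery times quoted from chapter 5.1 can be turned into a rough temperature model. The following is an added example, not part of the original post or of Gutmann's paper: it assumes the recovery time follows an Arrhenius law, t = A * exp(Ea / (k*T)), and converts "nearly two months" and "approximately 3 years" to 60 days and 3 * 365 days.

```python
import math

K_B_EV = 8.617333e-5  # Boltzmann constant in eV/K

# (temperature in deg C, recovery time in hours) as quoted in the post.
# Assumed conversions: "nearly two months" = 60 days, "3 years" = 3 * 365 days.
QUOTED_POINTS = [(75, 1.5), (50, 3 * 24), (20, 60 * 24), (0, 3 * 365 * 24)]


def fit_arrhenius(points):
    """Least-squares fit of ln(t) = ln(A) + Ea / (k * T).

    Returns (Ea in eV, ln(A)). The Arrhenius form is an assumption of this
    example, not something the quoted figures are stated to follow.
    """
    xs = [1.0 / (c + 273.15) for c, _ in points]   # 1/T in 1/K
    ys = [math.log(h) for _, h in points]          # ln(hours)
    n = len(points)
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    slope = sxy / sxx                              # equals Ea / k, in kelvin
    return slope * K_B_EV, mean_y - slope * mean_x


def predicted_hours(celsius, ea_ev, ln_a):
    """Recovery time in hours predicted by the fitted model."""
    return math.exp(ln_a + ea_ev / (K_B_EV * (celsius + 273.15)))


if __name__ == "__main__":
    ea, ln_a = fit_arrhenius(QUOTED_POINTS)
    print(f"fitted activation energy: {ea:.2f} eV")
    for celsius, quoted in QUOTED_POINTS:
        model = predicted_hours(celsius, ea, ln_a)
        print(f"{celsius:>3} C  quoted {quoted:>8.1f} h  model {model:>8.1f} h")
    # Interpolated value for a temperature the post does not list.
    print(f" 35 C  model {predicted_hours(35, ea, ln_a):.0f} h")
```

The fit reproduces each quoted figure only to within a small factor, so it is useful for the trend (colder devices take far longer for the retention effect to fade), not for exact durations.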
 
To keep sensitive data safe, people on the internet recommend overwriting the RAM with other data.

[...]

Finally in short, according to Dr. Gutmann's study, by measuring various values and examining the cells, it is possible to restore the contents of the ram.
If it is possible to reconstruct the data from the RAM after some time even though it has been overwritten, I would see it as a security issue.
Is this really doable, or is it just a myth, or an obsolete technique that could be done before DDR memories came?

Theoretically, yes. But practical, as in something that anyone should be bothered to be worrying about? No. If "people on the internet" are telling you to worry about overwriting your RAM because of data remanence reasons, you're most likely asking some of the black helicopter crowd.
 
Recover the data, or recover usable data.
2 different things.

If I put an entire dictionary through a shredder, and on one of those tiny pieces of confetti you can read an "a"...is that anything usable?
Should I be worried?

Rather, I imagined that it could work by cooling the ram module, putting it in a special board, measuring the voltage divergencies of individual cells in a special mode at the same time and determining 0 or 1 according to them. I would expect a success rate above 50%, but for assuming that any significant divergencies are actually found. The question is whether the data output would make any sense 😀

Production techniques could play a significant role in this.
 
Which would require immediate physical access, and the resources of the NSA/CIA/GCHQ/FSB.

For instance, if this system were known to contain the only viable plans for a working cold fusion reactor, then...maybe (but probably not).

But given their resources, they have other ways to extract "information".
 
Is there a reason why you are asking these questions?

As a practical matter, I would not worry much about residual data in ram.

But, if the pc ever used hibernate, the then contents of ram would be stored on the hiberfile.
If your system runs from ram, then literally everything is in Ram. So if someone wants, for example, a specific password, they have to get it from the ram.
 
Finally in short, according to Dr. Gutmann's study, by measuring various values and examining the cells, it is possible to restore the contents of the ram.
If it is possible to reconstruct the data from the RAM after some time even though it has been overwritten, I would see it as a security issue.
Is this really doable, or is it just a myth, or an obsolete technique that could be done before DDR memories came?
Unless you're working for the CIA or the KGB the answer is NO.
 
If your system runs from ram, then literally everything is in Ram. So if someone wants, for example, a specific password, they have to get it from the ram.

No, literally everything is not in RAM, only data that you are currently (meaning since last cold start) working with.

But this whole line of questioning is IMO silly. If I wanted your data, there's lots of simpler and easier methods of obtaining it.
 
Since you won't give a straight, specific answer, this paranoid line of questioning is suitable for your personal blog, not this forum. This thread is closed. Do not open another on these lines.

I will also remind you at this time that you may not use multiple accounts here.
 