On Wed, 9 Jul 2003, Eric Murray wrote:
> I doubt it as well.  DRAM also has power-off memory persistence
> and nearly everyone in security ignores that as well.
>
> But not the spooks :
>
> "The FEI-374i-DRS is a data recovery system that captures and preserved
> digital data, in its original format, directly from the Dynamic Random
> Access Memory (DRAM) of Digital Telephone Answering Machines (DTAMs)
> ..
> The FEI-374i-DRS is an indispensable tool for forensic investigators
> required to evaluate residual audio and tag information retained in
> today's DRAM-based DTAMs."
>
> http://www.nomadics.com/374idrs.htm

The system doesn't seem to be able to recover data from powered-off DRAM.
The specs say it can recover files that were erased. The DRAM-based DTAMs
use the DRAM as a RAM disk. For some reason unknown to us (may be
conspiracy with TLA, but Occam's razor says it's mere negligence/laziness)
the designers don't overwrite the memory region that pertains to an erased
file, only deallocate it, leaving the data there. I suppose the DRAM
refresh circuits are backed up with a small battery to cover brief
blackouts.

It is impossible to get access to the voltage on the DRAM cell capacitors
(at least if the chip is in its case and we can access only its pins). We
can only see if it is in the range for H or L. And after a power-down (or
even a sufficiently long period without a refresh of the given cell) the
cell capacitor loses voltage steadily, reaching the level of L (or maybe
H?) within at most couple seconds.

Seems the device is nothing more than a logic analyzer connected to the
DRAM pins.

This is a nice illustration of the problem with comercial vendors and
closed-architecture devices they peddle. If we'd have access to the
firmware of the DTAMs, writing extensions for storing data in (at least
somehow) encrypted format and their overwriting after deletion won't be a
big problem. Hope the price of embeddable computer "cores" will continue
to fall. (Apropos, whats the current cost of the cheapest cores able to
run stripped-down Linux? Maybe something based on ARM or MIPS
architecture?)

Reply via email to