Hello security gurus, this one's for you:

After shutdown, is it possible to recover the data stored on the
Random Access Memory? Be it an ancient mounted ramdisk, a tmpfs mount
point or normal data kept in memory by programs.

In many resources on the net (the Gentoo Wiki and Forums, other
security-related HOWTOs), people suggest the use of tmpfs for the /tmp
mount point. They say that since the temporary files are completely
stored in RAM and on the eventually encrypted swap partition, it is
secure. However, I have doubts as to the veracity of this fact.

For one part, one week ago my Computer Science professor said that
"deleting the files in the evening doesn't help you at all, since the
data is stored on your RAM and the police know about it". He was
talking about Windows, but - if true - this should also hold true for
Linux. This got me curious.

Then, on the Gentoo Wiki
(http://gentoo-wiki.com/SECURITY_Anonymizing_Unix_Systems), Van
Hauser, the author of THC's secure-delete package, says "It [the RAM]
can hold very sensitive information like the email you wrote before
pgp'ing it, passwords, anything. To ensure that the memory is
cleaned, use the smem utility." And later on: "Now one problem is
left. Even with normal RAM a well funded organisation can get the
contents after the system is powered off. With the modern SDRAM it's
even worse, where the data stays on the RAM permanently until new data
is written. For this, I introduced a small tool for the secure_delete
package 2.1, called "smem" which tries to clean the memory. This one
should be called on shutdown." These comments triggered off this
thread.

Consider that someone uses an encrypted swap and an encrypted root,
with non-default cryptographic options. Also, in this discussion,
please consider the case of a well-funded organization, say the
police or a three-lettered organization.

Now, here's the worst case scenario. In the evening, you want to
create a poster "NO Putins for Prime-Minister". You have everything
encrypted on your system, so you feel OK. You fire up OpenOffice (just
to complicate things) and write the text, then GIMP and open the image
you want to use. Then you copy the text (say using Clipman, on Xfce)
to GIMP. You do modify the beautiful image to make it beautifuler. And
save your gorgeous poster on the encrypted hard disk.

Using such programs will most surely leave you with the following:
somewhere somehow temporary files of your .odt document, deleted
temporary files of the .odt document, the hard disk copy of your
poster, and more or less the same information in your RAM. On the
former ones you feel OK: you've got an encrypted root and an encrypted
swap. There's no breach (_is there?_).

So, to continue the worst case scenario, in the morning you find
yourself confiscated together with your laptop by a three-lettered
organization. For a moment, disregard the human rights problem.

First question: What about the RAM? After system shutdown, does the
RAM still store your recent data and can it be recovered?

A second, more science fiction one (although I did stumble on the
following link:
http://hardware.slashdot.org/article.pl?sid=06/04/10/1451200): Can
someone encrypt at a software level the data stored on RAM?

Third: Is smem -ll efficient? The man page (Gentoo edited, I imagine)
states "Beware: BETA!  smem is still beta."

Fourth: How can one deal with the data stored on RAM, and that before shutdown?

Thanks in advance if you can answer at least some of these questions.

Regards,
Liviu
-- 
[EMAIL PROTECTED] mailing list
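As an added illustration for the fourth question (this is not code from the thread or from the secure-delete package), here is what a single program can do about its own secrets before shutdown: keep the pages holding a secret out of swap with mlock(), and scrub them with a wipe the compiler cannot optimise away before the memory is handed back to the allocator. The struct and function names are mine, and the passphrase is a constructed sample.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* A secret held in page-aligned memory so mlock() covers exactly its pages. */
struct secret_buf {
    unsigned char *data;
    size_t len;     /* allocation size, rounded up to whole pages */
    int locked;     /* 1 if mlock() succeeded, i.e. pages cannot be swapped out */
};

/* A plain memset() before free() is dead code to the optimiser and may be
 * dropped; writing through a volatile pointer forces every store to happen. */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Allocate whole pages and try to pin them in RAM. mlock() can fail under
 * RLIMIT_MEMLOCK; we record that instead of failing, since we still wipe. */
int secret_alloc(struct secret_buf *sb, size_t len)
{
    long page = sysconf(_SC_PAGESIZE);
    size_t rounded = ((len + (size_t)page - 1) / (size_t)page) * (size_t)page;
    void *p = NULL;
    if (posix_memalign(&p, (size_t)page, rounded) != 0)
        return -1;
    sb->data = p;
    sb->len = rounded;
    sb->locked = (mlock(p, rounded) == 0);
    return 0;
}

/* Wipe, verify every byte reads back as zero, then unlock and release.
 * Returns 1 when the buffer was verified clean before reuse by anyone else. */
int secret_free(struct secret_buf *sb)
{
    size_t i;
    int clean = 1;
    secure_wipe(sb->data, sb->len);
    for (i = 0; i < sb->len; i++)
        if (sb->data[i] != 0)
            clean = 0;
    if (sb->locked)
        munlock(sb->data, sb->len);
    free(sb->data);
    sb->data = NULL;
    sb->len = 0;
    sb->locked = 0;
    return clean;
}

/* Demo: hold a constructed passphrase (not a real one), then scrub it. */
int demo(void)
{
    struct secret_buf sb;
    const char *sample = "constructed-sample-passphrase";
    if (secret_alloc(&sb, 64) != 0)
        return -1;
    memcpy(sb.data, sample, strlen(sample) + 1);
    return secret_free(&sb);
}

int main(void)
{
    printf("secret scrubbed and verified: %d\n", demo());
    return 0;
}
```

This only covers a program's own heap; copies made by other processes (clipboard managers, office suites' autosave files, the kernel page cache) are outside its reach, which is the gap the thread is asking about.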