Re: MRAM, persistance of memory
On Thursday, July 10, 2003, at 08:27 AM, Eric Murray wrote: On Thu, Jul 10, 2003 at 04:45:58PM +0200, Thomas Shaddack wrote: It is impossible to get access to the voltage on the DRAM cell capacitors (at least if the chip is in its case and we can access only its pins). We can only see if it is in the range for H or L. And after a power-down (or even a sufficiently long period without a refresh of the given cell) the cell capacitor loses voltage steadily, reaching the level of L (or maybe H?) within at most couple seconds. I would not bet on that for sensitive data. See Peter Gutmans and Ross Anderson's papers on RAM memory remanance. We were reading remnant state information in DRAMs back in the mid-70s. When a DRAM is powered back up after some period without power there are remnants which are not really electrons (which thermalize into the substrate in a matter of microseconds) but which cause preferential turn-on or turn-off in the cells, due to shifts in threshold voltage. (This is why irradiation of the DRAMs with gammas can sometimes freeze the stored data pattern.) Intel was the inventor of DRAM and we led the market (along with Mostek) for most of the 1970s. We had some really cool tools for seeing the internal states of DRAMs, before, during, and after things we did to the devices. Powering them off and watching the states they came back up in was child's play. This effect, of seeing DRAMs wake up in preferred states, is a very subtle effect. And no doubt it varies amongst vendors and even between design and process steppings of the same vendor's part. I would not want to be the forensic data analyst trying to do this, but I expect sometimes they do. The recover data from voice answering machines gadget is no doubt much lower tech. Most answering machines are battery-backed (duh), so a forensics expert can keep power maintained and even use the battery-backed store to keep the DRAMs nominally refreshed. But I thought most modern answering machines which don't use tapes are in fact using flash, not DRAMs. Am I wrong on this? Flash is of course an entirely different story. --Tim May
Re: MRAM, persistance of memory
On Wed, 9 Jul 2003, Eric Murray wrote: I doubt it as well. DRAM also has power-off memory persistence and nearly everyone in security ignores that as well. But not the spooks : The FEI-374i-DRS is a data recovery system that captures and preserved digital data, in its original format, directly from the Dynamic Random Access Memory (DRAM) of Digital Telephone Answering Machines (DTAMs) .. The FEI-374i-DRS is an indispensable tool for forensic investigators required to evaluate residual audio and tag information retained in today's DRAM-based DTAMs. http://www.nomadics.com/374idrs.htm The system doesn't seem to be able to recover data from powered-off DRAM. The specs say it can recover files that were erased. The DRAM-based DTAMs use the DRAM as a RAM disk. For some reason unknown to us (may be conspiracy with TLA, but Occam's razor says it's mere negligence/laziness) the designers don't overwrite the memory region that pertains to an erased file, only deallocate it, leaving the data there. I suppose the DRAM refresh circuits are backed up with a small battery to cover brief blackouts. It is impossible to get access to the voltage on the DRAM cell capacitors (at least if the chip is in its case and we can access only its pins). We can only see if it is in the range for H or L. And after a power-down (or even a sufficiently long period without a refresh of the given cell) the cell capacitor loses voltage steadily, reaching the level of L (or maybe H?) within at most couple seconds. Seems the device is nothing more than a logic analyzer connected to the DRAM pins. This is a nice illustration of the problem with comercial vendors and closed-architecture devices they peddle. If we'd have access to the firmware of the DTAMs, writing extensions for storing data in (at least somehow) encrypted format and their overwriting after deletion won't be a big problem. Hope the price of embeddable computer cores will continue to fall. (Apropos, whats the current cost of the cheapest cores able to run stripped-down Linux? Maybe something based on ARM or MIPS architecture?)
Re: MRAM, persistance of memory
On Thu, Jul 10, 2003 at 04:45:58PM +0200, Thomas Shaddack wrote: On Wed, 9 Jul 2003, Eric Murray wrote: I doubt it as well. DRAM also has power-off memory persistence and nearly everyone in security ignores that as well. But not the spooks : The FEI-374i-DRS is a data recovery system that captures and preserved digital data, in its original format, directly from the Dynamic Random Access Memory (DRAM) of Digital Telephone Answering Machines (DTAMs) .. The FEI-374i-DRS is an indispensable tool for forensic investigators required to evaluate residual audio and tag information retained in today's DRAM-based DTAMs. http://www.nomadics.com/374idrs.htm The system doesn't seem to be able to recover data from powered-off DRAM. [..] It's still interesting. It is impossible to get access to the voltage on the DRAM cell capacitors (at least if the chip is in its case and we can access only its pins). We can only see if it is in the range for H or L. And after a power-down (or even a sufficiently long period without a refresh of the given cell) the cell capacitor loses voltage steadily, reaching the level of L (or maybe H?) within at most couple seconds. I would not bet on that for sensitive data. See Peter Gutmans and Ross Anderson's papers on RAM memory remanance. Eric
