Recovering data stored in memory (RAM) after PC shutdown - Hacking computers

Some time ago I came across a few method by which the data held within RAM could be recovered thus giving full access to the computer as it stores the passwords to unlock the machine, encryption keys for hard drives and everything else of interest that has been used on the machine.

RAM is a volatile memory, unlike a hard drive which is non-volatile and permenant. I had read about some techniques to increase the time the data stays in RAM after losing power and found that with a few simple techniques this can be extended to 30-60 minutes with very little effort and even without, data can remain for up to 5 mins after powering down. These are some unsettling numbers and I didn't know that data could be retained for so long after powering off the system.

Most desktops have a "open case" switch which can lock the BIOS (or at least notify the user) if the case opened at any point. It is a simple 2 wire switch. I'm thinking of re-wiring this case switch to work with the "power on" wire from the ATX connector, so that if the panel is removed, the switch is tripped powering down the PSU, giving less time for the RAM to be recovered.

I'm not sure if there is any way to do a "RAM flood" of either repeating data or usless data if the switch is tripped. IDK how this couid be integrated into the MOBO the way they are currently made.

I just found out that USB-C and Thunderbolt are both vulnerable to DMA attacks! This is seriously disheartening as this is a major security risk. I found this out after writing about Firewire below.

en.wikipedia.org...

Another method of accessing RAM data is via Firewire as it has DMA. This seems like a major security issue which is why I would never buy a computer with firewire in it as it leaves the entire system open to hacking to anyone with a Firewire cable. I've had a couiple system with firewire for almost a decade and never once needed to use it and all the devices that have firewire also have USB, so unless you REALLY need to daisy chain, then disable firewire, destroy the port or don't get a system with it.

Has anyone ever recovered data in RAM by any of these methods?

The only way I have ever recovered the machine state is by looking at a detailed core dump after a blue screen.

If you can convince a computer to dump Stova Core, and you are able to get access to the file, you've got plenty of time to look around to recover any data you want.

Right off I don't know of any other techniques to snoop around in memory to recover data. But, I'm sure they exist.

-dex

I'm going to try the RAM transfer to a new machine and see how much data I can pull off with standard conditions and those with "modified" (I'm being vague on the method b/c it's not something that people really need to know unless they work in the IT industry and could lead to more problems than it could help).

There is software that allows a motherboard to do a full RAM scan to see if it is fully functional or not. It will also allow to do a full dump of the data if there is any present. I'm wondering if there is a way to transfer the RAM sticks to a board that only has power running to them, so the data isn't lost. IDK how many pins out of the 204 or 248 pins are data pins or power pins. I think this could be an interesting way to maintain data integrity if pulling sticks from a system for later recovery.

a reply to: DigginFoTroof

BBQ Time. Dont roast marshmallows over them , though. Too many chemicals in the smoke.

a reply to: DigginFoTroof

The only way that anything is stored in memory is if there is a constant flow of electricity . That is the way the Windows 10 quick boot works on a restart and why it doesn't if you shut down via power off
Although , there was some experimental memory designed by IBM - MRAM - Magnetic Ram. That went on to morph into the new NVMe drives.

Where are you getting your information ?

Ram recovery is generally achieved via super cooling the ram with the likes of Liquid Nitrogen. The case intrusion switch has more or less gone the way of the dodo. But you could make/find an old case panel switch and if you’re really paranoid you would want the switches on all removable panels I.e. the two side panels and top panel if your case has a removable top cover. The easiest thing is getting some micro switches that are closed circuit when pressed in and open the circuit in its unpressed stated then just wiring them to your 20 or 24 pin motherboard supply connection running the switches inline with the green power on lead so if any switch gets opened you get a instant shut down. I personally wouldn’t go through the trouble but if you’d like any help implementing a system like that I’d be willing to help.

a reply to: DigginFoTroof

A $10-15 SATA patch cord.

Remove the hard drive.
Unplug
Plug SATA ribbon into it
Plug other USB end into a 2nd computer
View files on 2nd comptr
Copy all possible

Your original files are being viewed by a 2nd, clean hard-drive.

I've done this 3 times in 20 yrs... Recovered everything.. because viewing 2nd comptr o.s. instead of affected/infected one.

Buy the cord

a reply to: Gothmog

Yeah, SOMEONE here does not understand that RAM is a series of electronic switches that go back to their original state after losing power.