Researchers from Greece have demonstrated the unreliability of ‘switching off’ computers and other electronic devices in terms of protecting sensitive data. Random access memory (RAM) is used to temporarily hold data while your computer is in use, and so it is often assumed that when the computer is turned off any volatile data held in the RAM is lost.
However, a study carried out by Dr Vasilis Katos and Stavroula Karayianni at Democritus University of Thrace in Xanthi, along with Dr Christos Georgiadis of the University of Macedonia in Thessaloniki, illustrates the fact that this only takes effect completely when the power supply is removed altogether.
Due to appear in the International Journal of Electronic Security and Digital Forensics, the paper details how the authors retrieved data from Facebook, Gmail, Skype and Microsoft Network (MSN) from a computer that had been turned off. They were able to reconstruct login details from data segments for Gmail, Facebook, Hotmail and WinRAR after these applications were used in the Firefox browser.
Criminals as well as forensic experts might be able to mine valuable information from the user's most recently opened applications hours and even days afterwards if the power supply to a device is not removed. Dr Katos took the time to further explain the findings he and his colleagues have made to ScienceOmega.com.
Why has it taken so long to realise that this loophole exists and what triggered your research?
It was first observed that data can be retrieved from a RAM module back in 2008 by a group of researchers from Princeton University, who developed a proof of concept for extracting data from RAM hardware. However, I think we should still address the question to the original 2008 observation; RAM modules have a history of over forty years, so why did it take so much time for someone to discover this loophole? I think the answer here is twofold.
First, it is a matter of stereotypes, as we have been captured by the tyranny of common logic. Every computer science student in their first year of undergraduate study is taught that RAM is volatile, and is not a reliable storage device once the power is switched off. Indeed, one cannot guarantee that RAM will hold all contents when the computer is switched off. But under certain conditions the RAM chips may maintain some of their memory states even when the power is removed. Yes, RAM loses its contents, but not necessarily all of its contents. This distinction is of paramount importance.
Second, there was simply no need to try and discover this loophole say, 20 years back. The rise of computer crime on the one hand and the need for the discipline of digital forensics to be a decent match on the other led first responders and forensics experts to explore all possible routes and alternatives to securing digital evidence. Forensic science is the science of taking what seems to be a trivial thread or a circumstantial piece of evidence and using it to build a complete picture of events in order to confirm or refute an accusation. As such, segments of data even in the volatile RAM that may be keys to encrypted partitions, passwords or even data revealing the user's activities (such as visiting a certain site) are certainly important to the investigation. Ignoring data segments found in RAM is like discarding a piece of hair found in a conventional crime scene because you did not manage to find the whole wig!
Our research is about developing processes for acquiring and exploring volatile storage media in a systematic way so that the digital evidence discovered can be admissible in a court of law. The observations and research thus far suggest that the RAM of a suspect's computer needs to be acquired and the contents analysed even if the computer is found to be switched off. This results in the need to revisit the widely adopted first response processes and operating procedures.
How exactly is the volatility of RAM affected by removing (or not removing) the power supply?
If power is removed then eventually RAM will lose all of its data – not immediately, but after a few seconds to minutes. The distinction we need to make is whether a device has power even when it is switched off.
Most devices may appear to be switched off, but if they are connected to mains electricity or have a battery, they can be in a stand-by state.
We discovered that many desktop computers have a small amount of current flowing in their circuits even when switched off. This is because desktop motherboards offer functionalities such as power-on with a mouse click, through the keyboard or even through the network card. As far as the electronics of the device are concerned, the device is not completely switched off. So it is really a matter of semantics; we need to differentiate between a completely powered off device and an Operating System shutdown. In the former case it is very unlikely that the RAM will hold any valuable data, but in the latter the current is enough to maintain the state of volatile memory.
How extensive are the effects – are all programmes and applications affected?
All applications and programmes run as processes and enjoy more or less the same treatment from the supervisor process – the operating system.
The applications need to be transferred from the long term storage device to RAM in order to be executed. User supplied data are stored in RAM in designated areas. Sensitive data such as encryption keys and passwords need to be in an unencrypted (plaintext) form in order to be used. We found that most applications do not sanitize the sensitive data in RAM.
Web browsers, for example, have the functionality to encrypt passwords when sent over the network (through SSL), but these passwords are stored unencrypted in RAM. Obviously the passwords will be unencrypted in such a location, but it is the application developer's responsibility to zero out the location of the sensitive data once they are no longer needed. Most applications do not comply with this and sensitive data remain in RAM for a long period of time. Proactive destruction of sensitive data in RAM will significantly reduce the risk of unauthorised disclosure.
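One way an application can honour the "zero out once no longer needed" advice above, as an added C example that is not code from the paper or the interview: a plain memset() after the last use of a buffer is a dead store the compiler may remove, so the wipe here writes through a volatile pointer and the caller can verify the result. The password value and the byte-sum "use" of it are constructed stand-ins for a real login step.

```c
#include <string.h>

/* Wipe that the compiler cannot drop as a dead store: every byte is written
 * through a volatile pointer, so the stores are kept even after last use. */
static void secure_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Returns 1 if every byte of buf is zero, 0 otherwise (checks the wipe). */
int buffer_is_zeroed(const unsigned char *buf, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

/* Stand-in for the step that really needs the plaintext (e.g. building the
 * login request before SSL encrypts it for the wire): here just a byte sum. */
static unsigned int use_password(const char *pw, size_t len)
{
    unsigned int sum = 0;
    for (size_t i = 0; i < len; i++) {
        sum += (unsigned char)pw[i];
    }
    return sum;
}

/* Copies a password into a working buffer, uses it, then wipes the buffer
 * before returning. Returns the byte sum and reports via *wiped whether the
 * buffer is all zeros afterwards (1) or still holds the secret (0). */
unsigned int login_then_wipe(const char *password, int *wiped)
{
    char buf[64];
    size_t len = strlen(password);
    if (len >= sizeof buf) {
        len = sizeof buf - 1;
    }
    memcpy(buf, password, len);
    buf[len] = '\0';
    unsigned int result = use_password(buf, len);
    secure_wipe(buf, sizeof buf);   /* not memset(): that store may be elided */
    *wiped = buffer_is_zeroed((const unsigned char *)buf, sizeof buf);
    return result;
}
```

The same pattern applies to encryption keys and session tokens; the wipe must cover every copy, including temporaries the application made while using the secret.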
Can we have any idea to what extent the security loophole may have been exploited up to now?
One of the first examples that springs to mind is the exploitation of this security loophole by malicious botnets. Bots already have functionality to eavesdrop on user input (passwords, credit cards, etc.). At present, the bot needs to wait for the user to type the sensitive information – if this was done before the installation or activation of the bot, then the information would not be available. However, in the case of the bot performing a memory dump, it can effectively go back in time, before the infection of the computer, and discover user provided data. Perhaps this functionality is already offered by the latest generation malware, but I am not aware of any.
It is interesting though to note that we had a desktop computer switched off over a whole weekend (but connected to mains) and we performed a memory dump on Monday. We were astonished to find URL sites (a particular YouTube video) that we had visited on the previous Friday. Going back to the discussion on forensic investigations, you can imagine that depending on the case, data found on RAM can be potentially significant digital evidence.
Obviously switching off mains power is the easiest solution, but are there other ways that the problem could be tackled?
As mentioned earlier, the application developers need to push the security threshold further; they need to proactively sanitise the sensitive data in RAM. Of course this adds to the computational costs and will impact the performance of the system, but today we all use computers and store invaluable personal and other data on our devices. We need to start considering yet another security trade-off. Removing the power is almost guaranteed to work, but this may not always be possible, especially with mobile devices nowadays, many of which do not offer easy access to the battery. If all else failed, in case of emergency you would need to burn the device!
Are there potential forensic applications that might discourage closing this security loophole?
Wide adoption technologies like desktops, laptops and smartphones are not forensically friendly (or forensically ready) by default. There are many reasons for this which are well beyond the scope of this discussion, but forensic analysts always seem to be at the bottom of the functionality requirements ladder. Unless legislation is made which formally requires the vendors to comply with forensic needs and incorporate the appropriate capabilities into devices, the security loopholes must be closed and the community needs to encourage such initiatives. Forensic applications will always try to find and exploit security loopholes but should not discourage the development of secure systems. History has shown that backdoors are not a welcoming solution or good practice, no matter who endorses them.