Field of the Invention
The present invention relates to computer memory devices and, more specifically, to systems and methods for preserving, protecting and interrogating short term memory devices.
Description of Related Art
In the field of computer forensics, there is a need to examine the contents of a long-term memory storage device without any possibility of making changes to the device. U.S. Pat. No. 6,813,682 discloses a method for protecting the contents of long-term memory devices, such as hard drives. Hard drives and similar devices are non-volatile, meaning that when power is removed the data remains intact. The present invention describes systems and methods that allow for the preservation, protection and interrogation of data on short-term volatile memory devices, such as dynamic and static RAM. In addition, the present invention may provide write protection for the volatile RAM.
In the field of computer forensics, it is desirable to be able to get a snapshot of the state of a computer system at a given point in time. In the case of a hard drive, all that is required is that the system be shut off and the drive removed and connected to a forensics system through a device such as that described in U.S. Pat. No. 6,813,682, incorporated herein by reference. The hard drive contains a snapshot of the long-term storage component of the system, but tells nothing about the state of the short-term storage, from which the operating system and applications are run. This information only exists in the system RAM, which is typically made up of DIMMs (Dual Inline Memory Modules) on the motherboard. A DIMM is a small assembly made up of one or more memory chips, typically dynamic RAM, in a standardized form factor. Additional supporting circuitry may also be present on a DIMM.
The information in RAM is critical for a number of forensics functions, such as determining the nature of any malware that may be running. It also provides a unique snapshot of the state of the system. The RAM may also contain evidence that would not otherwise be found on a hard drive. Attempting to use a program on a running computer to read the short-term memory changes the data in the short-term memory, as the program itself is run from this memory. For computer forensics work, that is not an optimal solution.
It is common knowledge that when power is removed from a memory device, such as Dynamic RAM, the contents of the RAM will be lost. What is not as well known is that the contents of the RAM do not instantly change. There is a very short period of time after power is removed during which all of the contents of the RAM are intact. This period of time can be as short as a couple of hundred milliseconds. In some cases, it can be longer. The actual amount of time that the data remains valid is variable, but may be adjusted by a number of factors.
The primary variable that is common to most typical Dynamic RAM designs is that of temperature. If the RAM module is cooled far enough, which can be accomplished using commercial, off-the-shelf cooling spray, the amount of time before the data begins to change may be measured in seconds. With proper cooling, the data can remain valid for 10-20 seconds, and if cooling is maintained, sometimes much longer.
There are numerous methods with which to chill the memories. In order to preserve their contents, their temperature typically needs to be dropped well below the freezing point of water. As mentioned before, commercial, off-the-shelf “freeze” sprays can accomplish this, as can other methods including Freon and even liquid nitrogen. This is not meant to be an exhaustive list. Refrigeration and chilling techniques are well known in the art. Up to a point, cooler is better, especially considering that until the memories are chilled enough to have power removed, they are actively generating heat. Also, the body heat of the operator moving the memories can quickly remove the chill from the memories.
While 10-20 seconds might not seem like a very long time, it is enough for a skilled operator to chill the memories in a system, power off the machine, and transfer the memories to another device to be safely powered up and read. One of the problems that an operator would encounter when trying to move the memories is that most PCs have two or more DIMMs. The data is often interleaved between the modules, so all of the modules need to be moved successfully in order to read valid data. There are devices designed to test RAM, but the tests are destructive, meaning that they alter the contents of the RAM under test. One familiar with the field of computer forensics would recognize that any change to an item under investigation or in custody is to be avoided. There are devices on the market, such as memory testing devices and EPROM programmers, that are capable of performing tests on short-term memory devices. Since the assumption behind existing devices is that short-term memory devices hold no important data, their tests are destructive to any data that might be contained in the memories.
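The interleaving problem described above, illustrated with an added example that is not part of the patent text: a memory controller is modelled as writing consecutive fixed-size chunks of the physical address space to successive modules in round-robin order, so that a forensic image is only valid when every module is captured and the chunks are reassembled in controller order. The 64-byte interleave granularity, the equal module sizes, the 0xFF fill for a missing module and the sample memory contents are all constructed assumptions; real chipsets use their own interleave schemes. A bit-error measure is included so that two captures of the same module can be compared, which is how one would quantify the "data does not instantly change" behaviour or verify that a reader did not alter the module under test.

```python
"""Model of DIMM interleaving for forensic memory reassembly (illustrative)."""
from typing import Optional, Sequence

INTERLEAVE = 64  # bytes per chunk: an assumption, not a value from the patent

# Constructed marker placed so that it straddles a chunk boundary.
MARKER = b"FORENSIC-MARKER-CROSSING-CHUNK-BOUNDARY"
MARKER_OFFSET = 50


def sample_physical(size: int = 512) -> bytes:
    """Constructed physical-memory contents: a byte ramp with a marker in it."""
    image = bytearray(i % 251 for i in range(size))
    image[MARKER_OFFSET:MARKER_OFFSET + len(MARKER)] = MARKER
    return bytes(image)


def split_across_modules(physical: bytes, n_modules: int,
                         chunk: int = INTERLEAVE) -> list:
    """Write chunk 0 to module 0, chunk 1 to module 1, ..., wrapping around.

    This is the round-robin interleave assumed by the example; it requires the
    image to be a whole number of chunks per module so every module is equal.
    """
    if len(physical) % (chunk * n_modules) != 0:
        raise ValueError("image must be a multiple of chunk * n_modules bytes")
    modules = [bytearray() for _ in range(n_modules)]
    for i in range(0, len(physical), chunk):
        modules[(i // chunk) % n_modules] += physical[i:i + chunk]
    return [bytes(m) for m in modules]


def reassemble(modules: Sequence[Optional[bytes]],
               chunk: int = INTERLEAVE) -> bytes:
    """Rebuild the physical address space from per-module captures.

    A module that was not captured is passed as None; its chunks are filled
    with 0xFF (an assumed fill value) so the holes are visible in the result.
    """
    present = [m for m in modules if m is not None]
    if not present:
        raise ValueError("at least one module capture is required")
    chunks_per_module = len(present[0]) // chunk
    out = bytearray()
    for j in range(chunks_per_module):
        for m in modules:
            if m is None:
                out += b"\xff" * chunk
            else:
                out += m[j * chunk:(j + 1) * chunk]
    return bytes(out)


def contains_marker(image: bytes, marker: bytes = MARKER) -> bool:
    """True if the marker is intact and contiguous in the given image."""
    return marker in image


def bit_error_fraction(reference: bytes, captured: bytes) -> float:
    """Fraction of bits that differ between two equal-length captures."""
    if len(reference) != len(captured):
        raise ValueError("captures must be the same length")
    diff = int.from_bytes(reference, "big") ^ int.from_bytes(captured, "big")
    return bin(diff).count("1") / (8 * len(reference))


if __name__ == "__main__":
    physical = sample_physical()
    dimm0, dimm1 = split_across_modules(physical, 2)
    print("both modules captured, marker found:",
          contains_marker(reassemble([dimm0, dimm1])))
    print("second module missing, marker found:",
          contains_marker(reassemble([dimm0, None])))
    print("single module read alone, marker found:", contains_marker(dimm0))
    print("identical captures, bit error fraction:",
          bit_error_fraction(dimm0, dimm0))
```

Running the block shows the marker is only recoverable when both modules are captured and reassembled in controller order; either module read on its own, or the image rebuilt with one module missing, does not contain it. The bit-error fraction between two captures of the same module is the check an examiner would apply before trusting a reader as non-destructive.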
Accordingly, there is a need for safely moving short-term memory devices while preserving and protecting their contents so that their digital data may be examined.