
Windows Realistically, can police retrieve data from RAM?

Discussion in 'Software' started by DragunovHUN, 28 Sep 2010.

  1. DragunovHUN

    DragunovHUN Modder

    So for the sake of this discussion, let's pretend that I might anticipate an investigation in the future and I want to get rid of all my data. Would it be enough to brutally annihilate my hard drives, or can there be crumbs of stuff I loaded still stuck in the RAM (see sig)? I'm using Windows 7 Pro 64 retail on the desktop and Windows 7 Home OEM 32 on the laptop.

    Thanks
     
  2. outlawaol

    outlawaol Geeked since 1982

    It would be very difficult to do that. In fact I don't think it can be done. RAM is cleared each time it powers up, but down I am not sure about (pretty sure it clears itself on power down too).
     
  3. capnPedro

    capnPedro Hacker. Maker. Engineer.

    It's possible. Source.
    I wouldn't worry too much about it. What you want to do is make sure everything's encrypted with TrueCrypt. Then don't give out the password.

    In the UK you are required by law to disclose your password if asked so I have a fairly clever setup. I have two TrueCrypt containers - my real one for everyday use, and a second one with just a clean copy of Windows - this one has a folder with some porn in it and a spreadsheet called finances.xls. (Plausible deniability ;))

    The key for my proper partition is split in two. I have one part in my head, which I type in when my PC boots, and then there's a 256 byte part which was generated randomly. This is stored on my hard drive. I have three passwords - one to decrypt my fake container, one to decrypt my real container, and one to erase the stored key from the HDD and decrypt the fake container.

    If my PC is confiscated I just tell them my duress password and there is no possible way to ever decrypt the real container again because most of the key required is now destroyed.

    It's a nice system, but total overkill. I have nothing to hide, but I just hate the fact that I have no right to privacy. So I do it to **** The Man.
     
    dark_avenger likes this.
  4. Burnout21

    Burnout21 Mmmm biscuits

    Screw the actual question, I want to know what the OP has gotten into!
     
  5. Xtrafresh

    Xtrafresh It never hurts to help

    +1 to that!

    Oh and capnPedro, if you are required by law to hand out that password, I'm quite sure that using your distress password would be an illegal act, as it is destroying evidence to whatever it is that you are obviously not guilty for.

    Also, if they really wanna get to the data, they just pull the plug, and let the hardware doctors have a look at it.
     
  6. mjb501

    mjb501 What's a Dremel?

    Everything in RAM starts to be lost the moment the power is cut off.

    I did think that it was totally wiped as soon as the power went off until I found this via Wiki:

    http://citp.princeton.edu/memory/

    So, theoretically they can as long as the machine is still powered or has just been powered down according to the research. Filling your RAM with random data would be a better way of ensuring that there is none of the "incriminating" data left in RAM, though you would have to write enough to overwrite the memory locations used to store it, which is all controlled by Windows. The best bet would be to run a program that would fill your entire available RAM rather than hoping the data would be deleted by powering it off.

    However, Windows may store some data that was in RAM to the hard disk for different purposes, for example the page file. I am not sure if the data in the page file gets deleted when you power off.

    As long as you erase the entire hard disk it shouldn't matter. However they could potentially still recover data from the wiped hard disk depending on how thoroughly it was wiped. Your best bet to make sure your data is gone for good is a very powerful magnet.

    One of these hard drives may help:
    http://www.bit-tech.net/news/hardware/2010/08/10/toshiba-announces-self-wipe-drives/1

    Again however the police can require you to give up your encryption key if they have reasonable cause under the Regulation of Investigatory Powers Bill 2000.

    The best advice is don't store anything dodgy on your PC!
     
  7. GoodBytes

    GoodBytes How many wifi's does it have?

    Normally.. in the sense that they unplug your computer to move it, RAM can't be recovered.
    At any point where the current is cut, the RAM data is lost.

    So, if you want to clear your RAM, restart or turn off your computer.

    Encrypting your data is ideal, as let's say the police knock on your door with a warrant, by surprise (which they usually do, so that you don't have time to destroy any evidence), they won't be able to decrypt it, especially with a strong password, to access it.
    And if you do have time to destroy your data, then deleting the files quickly will make them impossible to recover as they would be encrypted. (They'll recover encrypted files.. which is useless as they need to decrypt it).
     
  8. Zoon

    Zoon Hunting Wabbits since the 80s

    You're quite right, in the case of a court order requiring release of the password, giving the distress password and by automation, destroying your original data would be a bad idea.

    If they find it and can prove when the data was wiped.

    Except if it's encrypted with modern commercially available encryption ciphers, it'd take years on a supercomputer to break it, if it's even possible at all, so they won't bother :thumb:
     
  9. capnPedro

    capnPedro Hacker. Maker. Engineer.

    One of TrueCrypt's features is plausible deniability. The difference between encrypted data which doesn't get decrypted and random garbage present on the drive cannot be proven.

    Besides, they ask for a password and they get given one. It decrypts some documents which would have reason to be hidden, so why assume there would be anything else?

    Oh, and police would always copy a drive, then mount it as read-only, so I only really have the key removed for fun. In case someone else (Mafia, Triads, the usual suspects) gets hold of my data, but doesn't follow such rigorous data gathering protocols. Besides, I can always restore a copy of my data from an offsite encrypted backup.
     
  10. Otis1337

    Otis1337 aka - Ripp3r

    Well for hard drives, you gotta grind the platter into dust..... or use Boot n Nuke.
     
  11. SuicideNeil

    SuicideNeil What's a Dremel?

    Nay, thermite that sucker - have a large 'charge' in a sealed compartment above all the vital bits (HDD & RAM), and wire that up to a big panic button / fighter jet style toggle switch with cover. If you hear the rozzers bangin' in your front door at 2am, just leap out of bed and hit the magic button (that's wired up to a suitable ignition source / coil etc). Bye bye PC & evidence.... :D
     
  12. xXSebaSXx

    xXSebaSXx Minimodder

    Thermite + butane torch = No more HDD... And possibly no more house too.
     
  13. The_Beast

    The_Beast I like wood ಠ_ಠ

    Why not just destroy the RAM sticks too since you're already destroying the HDDs?
     
  14. GoodBytes

    GoodBytes How many wifi's does it have?

    Because, you'll pass from:
    Police: "He is clever, he destroyed his HDD, we have no evidence."
    to
    Police: "HAHA! He destroyed his RAM! LOL! Hey Jim! You want to hear something funny...."
     
    Jimbob94 likes this.
  15. Guest-16

    Guest-16 Guest

    EMP from orbit, it's the only way to be sure.

    /Obligatory Alien reference.
     
  16. Jedra

    Jedra Supermodel

    It probably might just be best not to do anything to warrant a visit from the rozzers!
     
  17. thelaw

    thelaw What's a Dremel?

    Police officers dont examine drives for peoples info, i know how to play games, go onto the internet but have never examined a hard drive in my life, closest i came too was looking at cd's that were seized for naughty pictures.

    Every force has a bunch of IT gurus with computer forensic style degrees who examine hard-drives and send a report to the officers with samples of what is found, we dont need to ask for passwords for ecyrpted software/files and if they cant get in or view a file there is a lab in london that can, i have never had collagues who are more involved in those sort of investigations and in terrorist/financial fraud/organised crime investigations mention to me the hi tech crime unit come back to them saying "sorry, we cant access this file because its ecyrpted"....

    Plently of people out there that have had things to hide in the past and people will be naive to think some of those did not use ecyrpted software to hide those naughtly files to little effect in the end it seems. I guess with the right software/equipment/time which the police have infiniate of they can be broken.
     
    Last edited: 29 Sep 2010
  18. Burnout21

    Burnout21 Mmmm biscuits

    Sorry but that makes no sense at all, we all know DragunovHUN is gun running.
     
  19. capnPedro

    capnPedro Hacker. Maker. Engineer.

    ********. You're not going to just brute force SHA-512/AES-Serpent-Twofish with a 256-bit key. Not even with 20TB of rainbow tables would you break that in this century.

    I wouldn't be surprised if you're right about the police never being presented with data they can't recover though - the technical aptitude of the terrorists I hear about on the news appears to be much lower than the average on these forums. They have a hard time even just making an explosive that actually works.
     
  20. Zoon

    Zoon Hunting Wabbits since the 80s

    I love the following line
    ... and yet your spelling is atrocious. I'm sorry but I wouldn't put up with that in a report for a private business - it makes you look like a 14 or 15 year old trying to impress a bunch of random forum people - and you're insinuating that you do this for the police and have a degree? If you're on the up and up, and you're dyslexic or something, then I apologise, however you are still misinformed:

    Two convicted for refusing to give up keys
    38 demands for encryption keys yr 09/10

    People are required to give up their encryption keys, and people who haven't have been convicted.

    More results
     
