Windows Realistically, can police retrieve data from RAM?

Discussion in 'Software' started by DragunovHUN, 28 Sep 2010.

  1. Fractal

    Fractal I Think Therefore I Mod

    Joined:
    9 Apr 2010
    Location:
    New Zealand
    Posts:
    117
    Likes Received:
    3
    Hahaha. You do realise that not even the CIA can crack something as thorough as 256-bit AES-Twofish-Serpent encryption?

    Besides, why would they bother? They can't even manage the data they've got without worrying about yours. Of course if they really want what you have on your HDDs they could resort to the one semi-reliable method:
    From xkcd (for those of you unfortunate enough not to be familiar with this webcomic)
     
    Last edited: 2 Oct 2010
    dark_avenger likes this.
  2. Boogle

    Boogle What's a Dremel?

    Joined:
    8 Mar 2002
    Location:
    UK
    Posts:
    282
    Likes Received:
    6
    Depends on whether they secretly have working quantum computers. There's no way that would be leaked out since they could brute-force encryption foreign governments use.

    Of course if they used it to decrypt a criminal's personal files then maybe the secret's out. So yeah, I guess you are still safe!
     
  3. TheStockBroker

    TheStockBroker Modder

    Joined:
    19 Nov 2009
    Location:
    London, Bro
    Posts:
    1,533
    Likes Received:
    110
    Couple things.

    First

    Well, even as Brits, we're aware of the NSA's ability to simultaneously monitor any and all forms of electronic communication within the United States at least.
    That must require some considerable computing power, so I wouldn't be overly sceptical with regard to the safety of only a 256-bit encryption.

    Quantum, I doubt. The resale/licensing of that technology would generate far more revenue than the $1 trillion annual defence budget, only a tiny fraction of which actually goes to agencies such as the NSA & FBI. Also, correct me if I'm wrong, but doesn't the CIA lack operational jurisdiction for domestic affairs?

    Second

    Couple questions/points.

    Someone mentioned later on that the police (as opposed to the Mafia, was it? :eyebrow:) would be likely to first make a copy of the drive as is.

    So. Where is the key for your real container stored on your HDD?

    Either 1. On the Disk outside of any encryption? (Would they not be able to directly compare between the copy made and the original after the duress password had erased the stored key on one disk, thus being able to identify the stored key on the copy?)

    or 2. Inside the fake container? (What if the volume was mounted by the police as read only? Would they not get an indication of an attempted write at the location of the stored key the duress password tried to delete? (again revealing the key?))

    or 3. Something I've not thought of, or don't quite understand?

    Eagerly,

    TSB
     
  4. TheStockBroker

    TheStockBroker Modder

    Joined:
    19 Nov 2009
    Location:
    London, Bro
    Posts:
    1,533
    Likes Received:
    110
    Ooops!

    Also, I read somewhere that having access to the machine(s) that performed the encryption in the first place greatly increases the speed/chance of successful decryption?

    As well as this, after poking about on the TrueCrypt site and having seen what they were saying about new optimisations allowing us to use the AES-NI instruction set embedded in new Intel Core i5/i7 for improved speed, it gave the option to opt out of this 'feature' to avoid leaving an open-source solution. Does this mean using the built-in Intel acceleration would lead to some form of security vulnerability?

    Regards again,

    TSB
     
  5. capnPedro

    capnPedro Hacker. Maker. Engineer.

    Joined:
    11 Apr 2007
    Location:
    North-East England
    Posts:
    4,381
    Likes Received:
    241
    Yeah, it was me who mentioned it. I know this. :)

    The key is stored as a hash which gets XORed/ANDed with the part you type in. Both parts are worthless without the other. The stored part is unencrypted (because it doesn't need to be encrypted) and is stored with the other details TrueCrypt needs, like the details of which cyphers are used and in which order.

    Yes, you can diff a copy of the drive before and after entering a key to see what changes, but it doesn't matter. Sure, you could restore the original version (so erasing part of the key for the real container is useless in this situation), but:
    1. Not everyone who wants your data will make a copy of the original drive image
    2. Not everyone will mount it as read-only
    3. Not everyone will diff the drive and realise anything has changed
    4. There is no way to be sure the fake container isn't the only one on the drive - for all intents and purposes it looks like you have successfully decrypted the drive

    No security method is foolproof, so it's worth implementing a few different systems. Any time somebody tells me I'm paranoid and my extra levels of security are ridiculous, I just think it's like saying to somebody that their car's alarm and immobiliser are over the top when they have perfectly good central locking.
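The "diff a copy of the drive before and after entering a key" step that capnPedro and TheStockBroker discuss is the examiner's side of this: image the disk, let the password be entered, image again, and report exactly which sectors changed. The following is an added example (not code from the thread or from TrueCrypt) with a small constructed pair of images; the sector size and the sample changes are assumptions for the demo.

```python
"""Sector-level diff of two disk images (added example, not from the thread).

An examiner who imaged a drive before a password was entered, and again
afterwards, wants the exact sectors that changed. Sample images are
constructed inline; 512-byte sectors are an assumption for the demo.
"""
import hashlib
from typing import List, Tuple

SECTOR = 512


def sector_hashes(image: bytes, sector: int = SECTOR) -> List[bytes]:
    """Hash each sector so large images compare without a byte-for-byte copy in RAM."""
    return [hashlib.sha256(image[i:i + sector]).digest()
            for i in range(0, len(image), sector)]


def changed_ranges(before: bytes, after: bytes,
                   sector: int = SECTOR) -> List[Tuple[int, int]]:
    """Return inclusive (first_sector, last_sector) ranges that differ."""
    if len(before) != len(after):
        # A size change is itself a finding, not something to silently skip.
        raise ValueError("images differ in size")
    a, b = sector_hashes(before, sector), sector_hashes(after, sector)
    ranges, start = [], None
    for idx, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = idx                      # a run of changed sectors begins
        elif x == y and start is not None:
            ranges.append((start, idx - 1))  # run ends on the previous sector
            start = None
    if start is not None:
        ranges.append((start, len(a) - 1))
    return ranges


def describe(ranges: List[Tuple[int, int]], sector: int = SECTOR) -> List[str]:
    """Human-readable report lines with byte offsets for each changed run."""
    return [f"sectors {s}-{e} (bytes {s * sector}-{(e + 1) * sector - 1})"
            for s, e in ranges]


# Constructed demo: 64-sector image; the "after" copy has sectors 3-4 wiped
# (as a duress password erasing a stored key fragment would) and one byte
# flipped in sector 40 (a routine metadata write).
before_img = bytes(range(256)) * (64 * SECTOR // 256)
_after = bytearray(before_img)
_after[3 * SECTOR:5 * SECTOR] = b"\x00" * (2 * SECTOR)
_after[40 * SECTOR + 7] ^= 0xFF
after_img = bytes(_after)

if __name__ == "__main__":
    for line in describe(changed_ranges(before_img, after_img)):
        print(line)
```

Run against real images the same report tells the examiner which sectors to restore from the first copy and which to look at more closely.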
     
  6. Tulatin

    Tulatin The Froggy Poster

    Joined:
    16 Oct 2003
    Location:
    Canada
    Posts:
    3,161
    Likes Received:
    7
    Not to be insulting, but not a damn one of you people is important enough for a government agency to monitor, ever. Similarly speaking, were you to use an encrypted pipe out for everything and keep your drives well encrypted, there would be no method to ever actually recover any information about your usage.
     
  7. tristanperry

    tristanperry Minimodder

    Joined:
    22 May 2010
    Location:
    Cardiff, UK
    Posts:
    922
    Likes Received:
    41
    :waah:

    Fair point though :D
     
  8. Teelzebub

    Teelzebub Up yours GOD,Whats best served cold

    Joined:
    27 Nov 2009
    Location:
    Culloden / Hell
    Posts:
    15,796
    Likes Received:
    4,484
    You don't know who I am :worried: :lol:
     
  9. DragunovHUN

    DragunovHUN Modder

    Joined:
    30 Oct 2008
    Location:
    Hungary
    Posts:
    5,149
    Likes Received:
    181
    If you say so.
     
  10. Fishlock

    Fishlock .o0o.

    Joined:
    22 Nov 2004
    Location:
    England
    Posts:
    1,081
    Likes Received:
    36
    Being a 'Fed' (or whatever you want to call me) I just have one thing to say.

    Most of you live in a bubble.

    Stop watching all that CIA/NCIS/CSI rubbish, it's bad for you.

    Yes, if you use good enough encryption, then we won't get past it, unless it's serious enough to justify being sent off to a specialist unit. Even then I'm sure they can't get past a lot of encryption. As Tulatin said, no one on here warrants being monitored by any kind of Government unit, that's just ridiculous.

    If you blow up or destroy the evidence then you can be charged with obstructing Police or perverting the course of justice, depending on how far into an investigation it is. This can result in a more serious conviction, depending on what you have to hide...
     
  11. snakerine

    snakerine holy immortal gingers

    Joined:
    8 Jul 2009
    Location:
    Where the road is.
    Posts:
    120
    Likes Received:
    15
    There is a case where the Spanish government sent some ETA HDDs to the NSA, and after a year they sent the HDDs back because they couldn't decrypt them. :lol:
     
  12. AstralWanderer

    AstralWanderer What's a Dremel?

    Joined:
    17 Apr 2009
    Location:
    United Kingdom
    Posts:
    749
    Likes Received:
    34
    Because Windows creates and modifies files on startup and at regular intervals during normal usage, that's why. If you try to show any investigator a partition with no recent modifications and they have any knowledge of TrueCrypt, then they will know it to be a fake and will likely obtain a conviction against you for not revealing keys on demand/concealing evidence or whatever, depending on what laws apply in your jurisdiction.
    Making a copy would be standard procedure - so if capnPedro or anyone else with a similar setup tried supplying a duress password, it would only affect a copy resulting in another being taken and (very likely) extra charges being brought.
     
  13. DragunovHUN

    DragunovHUN Modder

    Joined:
    30 Oct 2008
    Location:
    Hungary
    Posts:
    5,149
    Likes Received:
    181
    And how do they know there was evidence to begin with? Who says I have to have a hard drive in my self-built computer?

    Also, this is all going way off topic. You guys should know better. My question was about the possibility of RAM retaining bits of data, not porn or whether Big Brother is watching us.
     
  14. xXSebaSXx

    xXSebaSXx Minimodder

    Joined:
    21 Aug 2010
    Location:
    Sunshine State
    Posts:
    496
    Likes Received:
    45
    Oh but this conversation has long mutated into something way more interesting than just "How long does data live in RAM?"...

    Now we have a discussion on how to give it to the man and not get caught... or at least prevent the man from figuring out we like tranny pr0n...

    :D

    Everyone!!! Quickly re-format your HDDs now... and remember the Termite trick too!!! We've been infiltrated by the Feds!!!
    :worried:
     
  15. Fishlock

    Fishlock .o0o.

    Joined:
    22 Nov 2004
    Location:
    England
    Posts:
    1,081
    Likes Received:
    36
    The evidence is that at [time, day, date] a [person] willfully obstructed a Police Officer in the execution of his duty. Whether there was evidence of another offence is irrelevant. The evidence is that you obstructed them from properly investigating another offence.

    If, say, you didn't properly destroy said evidence, but made obvious attempts to (or were witnessed making attempts to), then you would be committing the offence of attempting to pervert the course of justice.


    Back on topic: What kind of data would RAM retain that could get you into trouble? I genuinely have no idea what data RAM retains for periods of time.
     
  16. RichCreedy

    RichCreedy Hey What Who

    Joined:
    24 Apr 2009
    Location:
    lost in the middle of lincolnshire
    Posts:
    4,698
    Likes Received:
    172
    As has already been mentioned, RAM cannot hold the information long enough for it to be used in evidence. The information, if they could freeze it, would be whatever your OS has loaded into memory, i.e. the how-to-make-a-bomb webpage you found on your generic browser's search engine could be stored in memory, or the email you're writing to all your generic terrorist friends.
     
  17. DragunovHUN

    DragunovHUN Modder

    Joined:
    30 Oct 2008
    Location:
    Hungary
    Posts:
    5,149
    Likes Received:
    181
    As much as I respect the authorities, that's just dodgy. So they can lock me up for destroying my hard drive, for the reason that they *might* have wanted to take a look at it later to look for evidence that *might* or might not have been there to begin with?
    The RAM holds whatever you happen to be running at the time, be it text files, websites like Rich mentioned above or anything really, but evidently this data is discharged as soon as you turn off the computer.
     
  18. wst

    wst Minimodder

    Joined:
    30 Aug 2009
    Posts:
    822
    Likes Received:
    89
    Just FYI, slightly old now... a butane torch isn't hot enough. Magnesium is though, so it's more like butane torch -> magnesium -> thermite. But a butane torch will do sweet FA.

    *hides*
     
  19. Fishlock

    Fishlock .o0o.

    Joined:
    22 Nov 2004
    Location:
    England
    Posts:
    1,081
    Likes Received:
    36
    In Hungary it might be different. In the UK the Police act on reasonable suspicion. To put it simply:

    Fact = 100%
    Belief = 75%
    Suspicion = 25%

    If the Police had suspicion that you were committing offences, of which evidence was held on your computer, and you obstructed an Officer trying to obtain and secure that evidence, then you can be arrested and charged with the offence.

    If you had nothing to hide then why would you obstruct an Officer trying to investigate it? And why the hell would you destroy your own equipment in such a reckless way?
     
  20. xXSebaSXx

    xXSebaSXx Minimodder

    Joined:
    21 Aug 2010
    Location:
    Sunshine State
    Posts:
    496
    Likes Received:
    45
    @wst...

    You're right.. I should have written:

    Thermite + Propane torch = No more HDD.

    But magnesium strips are the way to go... I've seen it lit up with sparklers (yes the fireworks), but this is unreliable.

    @DragunovHUN
    Just the fact that you went to any length to prevent authorities from finding the information is a crime in itself. You may not be charged with whatever they were originally investigating you for (provided you were able to get rid of all the evidence), but they'll nail you to the wall for obstruction of justice and whatever other charges they can come up with just out of spite.
     