Windows Realistically, can police retrieve data from RAM?

Discussion in 'Software' started by DragunovHUN, 28 Sep 2010.

  1. dark_avenger

    dark_avenger Minimodder

    Joined:
    9 Jul 2008
    Posts:
    1,118
    Likes Received:
    48
    @OP, as said before, unless the RAM is quickly cooled to -50 or below, the data will be lost within seconds.

    I like the idea of the two TrueCrypt containers and I doubt you could be charged with obstruction on that, as they would not be able to show that you have destroyed anything, since the rest of the drive would be encrypted garbage.

    And as for the CIA/NSA/secret government people: if you actually had something they wanted, short of the thermite, I'm sure they can decrypt it. They have the most advanced computing equipment in the world and billions of dollars to throw at problems.

    TL;DR: Don't go around doing things to get the attention of the authorities.
     
  2. Tentacled

    Tentacled What's a Dremel?

    Joined:
    25 Aug 2010
    Posts:
    28
    Likes Received:
    0
    RE: TrueCrypt and duress passwords.
    Surely an IT forensic specialist will be able to tell that there has been no significant activity in the container you've opened for them? Things like pagefiles/swapfiles/*.tmp and all the other gumpf Windows likes to write and delete on a regular basis?

    Having your duress container actually be your normal working PC mode and having another hidden container that you only ever access when you need to update "Obama Death Plans v3.87a-2p3" might work better.

    As for the "How paranoid is paranoid enough" question, it depends whether the authorities already have an eye on you and whether you are trying to hide some dodgy pr0n or trying to hide detailed plots and schedules for the detonation of a biological weapon at the NSAs headquarters. Are you trying to avoid a night in the cells or life in an orange jump-suit getting a waterboarding for breakfast?

    I've read studies on attack vectors that are simply astonishing Doctor Who type WOAH affairs, but the possibility that they would "realistically" be used by the police against you is zero; but there are agencies out there that might, depending on who you are and the nature of what you want to hide.

    If The Man already knows or suspects you are involved in gummibear smuggling, and then they find that your encrypted drive doesn't have any tmp files or any gummibear related material (because you're a TrueCrypt genius), then they will either whip out the thumb screws or jail you for 2 years, depending on the regime.

    "We suspect this man is guilty of international terrorism but can't find proof"

    Anyone keeping up with the news should know what the US, UK and other parts of "Civilised Society" do to people who meet that criteria.

    "We suspect this man of having dodgy pr0n but can't find proof"

    ^ a whole lot different.

    As for those people claiming that no-one here is important enough to be of interest to the authorities: they are forgetting about those authorities out there which are a lot more totalitarian than the US.

    There are almost certainly people on this forum who would be put to death based solely on their beliefs in certain parts of the world.
     
  3. Bakes

    Bakes What's a Dremel?

    Joined:
    4 Jun 2010
    Posts:
    886
    Likes Received:
    17
    No - it's an encrypted container, of course you can't see what's inside it. You're confusing a file and a partition there as well - these are actual partitions (like your C:\ drive) the difference being that they're encrypted.

    So why is there a much smaller encrypted partition on the disk? hm.... I wonder...

    If The Man already knows or suspects you are involved in gummibear smuggling, and then they find that your encrypted drive doesn't have any tmp files or any gummibear related material (because you're a TrueCrypt genius), then they will either whip out the thumb screws or jail you for 2 years, depending on the regime.

    Well, in America you get put away for as long as they want, but in the UK I think you get held for up to 28 days depending on how much evidence they can/can't find and then released. If they get you for not giving them your password (such as http://www.bbc.co.uk/news/uk-england-11479831) then you go to prison for a short amount of time.

    Well, I think that if there are jihadis or others who could be put to death for their techniques, they probably wouldn't be looking for security advice on bit-tech - there are far more secure and anonymous ways such as freenet to get security information.
     
  4. hyperion

    hyperion Minimodder

    Joined:
    30 Jun 2007
    Posts:
    754
    Likes Received:
    30
    I think one of those blenders from "Will It Blend" would be more appropriate for a hard drive. It's reusable and non-hazardous, unless you put your hand inside. There's no preparation needed; unlike thermite, where you need to find the right spot that won't cause any environmental/property damage, just put the drive in the blender and by the time they break your door down it will be dust.
     
  5. storm_technology

    storm_technology What's a Dremel?

    Joined:
    18 Oct 2010
    Posts:
    14
    Likes Received:
    1
    RAM is volatile memory; it is wiped when the machine is turned off. So in summary, no, it can't.
     
  6. ulfar

    ulfar holy s**t, i can change this?

    Joined:
    5 Oct 2010
    Posts:
    450
    Likes Received:
    30
    The memory is wiped a couple of seconds after powering off; perhaps you could speed this up by:
    making sure the temperature is rather high (I know, it hurts your eyes when you read that the computer should be running hot), inverting the whole "cooling down RAM to retrieve information".
    Maybe one could connect the RAM to ground at specific points on the stick (check the schematic first), thus draining it way faster and reducing the time from a couple of seconds to around 1-2 seconds or less.

    As for the paranoia issue, I'd probably construct a deadlock mechanism using encryptors (as mentioned in other posts), where the key unlocking a drive is being held by another drive which has its key held by the first. The only thing preventing a lock is a mechanical function, be it a switch, electric pulse or a fat lady singing (could be a small ultrasonic circuit which is constantly plugged in, emitting specifically modified pulses (8 bits worth, so that it can't be confused with "naturally occurring ultrasonic sounds"); ultrasonic so that it can't be heard by humans).
    Now, this mechanical function could be held in place/operating while the case is in its original location/position. When the mains cord is disconnected/the case moved, the function is reset, key lost, thus performing the deadlock.

    Don't think the police can say anything, as you blame it on your paranoia and say that you've created this construction to prevent robbers from accessing the data which is stored should they break in and take the computer. And I doubt that the police upon confiscating the computer would ask "btw, is there anything we need to know before removing the mains cord/moving the computer?"

    That's how I'd "solve" it. Probably there are ways to decrypt the information; however, I really doubt that the police would use these resources and funding on drives which they suspect contain man-on-mule pr0n, or small time filesharers.

    shut up! i'm not paramoid!:worried:

    edit:
    If you want a more elaborate explanation of the deadlock, just google "deadly diamond of death". Not kidding, one of the most awesome names out there! (Actually it's a common problem occurring when one is playing with multiple inheritance, etc.)

    edit 2: lol @ "paramoid".
     
    Last edited: 19 Oct 2010
  7. shanky887614

    shanky887614 What's a Dremel?

    Joined:
    13 May 2009
    Posts:
    203
    Likes Received:
    0
    If you want to securely wipe your computer, use Darik's Boot and Nuke

    and use the Gutmann option; this overwrites everything on your computer 32 times.

    If you use 256-bit AES, Twofish, Serpent encryption on your computer it would be impossible for the police to break through.

    There was a story a while ago in the paper where someone was jailed for 7 months and the police have had to send his HDDs off to America to see if they can be broken; this is after 1 or 2 years if I remember right.
     
  8. xp-T

    xp-T What's a Dremel?

    Joined:
    22 Oct 2010
    Posts:
    201
    Likes Received:
    2
    Always thought hard drives were hard to destroy... better to have defences set up and be ready to kill them lol... by the way, worrying thread and the advice is even more worrying lol :nono: be good
     
  9. xp-T

    xp-T What's a Dremel?

    Joined:
    22 Oct 2010
    Posts:
    201
    Likes Received:
    2
    where do i sign up?
     
  10. Snaver

    Snaver What is a dremel..

    Joined:
    30 Sep 2009
    Posts:
    14
    Likes Received:
    0
    Mega overkill! But i love it.
     
  11. krystake

    krystake What's a Dremel?

    Joined:
    13 Nov 2011
    Posts:
    1
    Likes Received:
    0
    re

    1. When you turn off the computer the data is not instantly deleted from RAM; it takes about 1 minute depending on the temperature of the RAM ... the police actually leave your PC turned on and wait for the IT forensics team to come; the IT team will first make a backup image of your data in RAM ... if your PC is turned off just before the police come in they will freeze the RAM at -50 degrees Celsius to ensure that the data stays; by the time the IT squad comes the data will be lost, but if they are coming for your computer they will come with the IT squad directly; they will freeze the RAM, get the HDDs, all USB sticks or external HDDs and CDs, floppies, MP3s, smartphones etc....

    TrueCrypt is very good software if you know how to use it ..... for good protection with TrueCrypt you must set a 50 character password, make 1 bogus OS and 1 real one; even if you give them the password for the bogus one they can still see that there is also another TrueCrypt container on your HDD, but there is a chance that they won't look for it ..... some people use 4 partitions: 1 is a fake OS, the other is the real OS, the third is the personal data; all of them are encrypted, but the fourth contains the encryption key of the personal data container, so what they do with this: they put a command in the startup of the fake OS to securely wipe the encryption key of the personal data container ..... but this happens when you log in to the OS; the police will never log in to your OS, they will connect your HDD to their PCs and examine them with their own OS (Linux), so this method serves for nothing.

    RAM has a very important role in this because it stores the TrueCrypt encryption password when you store it...

    The most secure way is to use TrueCrypt with a STRONG (lowercase, uppercase, numbers, special characters, spaces, vowels, consonants) 50 character password or longer
    erase your files with the Gutmann method; even if it's encrypted, wipe it for good
    defragment your HDD (Defraggler is good software)
    disable hibernation and restore points
    find a way to fill your RAM before shutting down the system
    don't directly shut down your PC; restart it and do a memory test from BIOS or live CDs and then turn off the PC, but don't touch the TrueCrypt

    and seriously, if the police come just burn your RAM; breaking it won't solve anything

    I'm using:
    UltraDefrag (it defrags my HDD before logging into Windows)
    Defraggler (when I want to defragment one folder or file)
    TuneUp Utilities (it defrags and erases all temp and internet history when the PC is idle)
    Secure Disk utility (can securely delete files and free space using the methods: DoD, NIS, Gutmann)
    Windows BitLocker
    TrueCrypt
    Click and Clean (Chrome extension that erases my cookies and internet history)

    I log into Windows using a USB stick (winkey)

    When I'm doing something dangerous on the internet I'm using a virtual machine whose virtual HDD is stored in a TrueCrypt container .... in the virtual machine I installed portable Firefox, Clean Disk Security, Sandboxie, TrueCrypt and Deep Freeze; for example, if I want to do something illegal with Firefox I start Firefox private mode in the sandbox; the sandbox container is in a TrueCrypt encrypted container; when I finish the job I turn off Firefox, clean the Sandboxie container with Clean Disk Security, I dismount the TrueCrypt container that has the Sandboxie in it, I do another erase of temp files and Windows files with Clean Disk Security; Deep Freeze will ensure that the next time I turn on the virtual machine it will be as new; I turn off the virtual machine and I dismount the TrueCrypt container that contains the virtual HDD of the virtual machine.

    BTW, how to fill your RAM: it's a soft called AR RAM Disk, link: http://www.softpedia.com/get/System/System-Miscellaneous/AR-Soft-RAM-Disk.shtml

    What does it do???
    It enables you to create a virtual disk using your RAM .... you could actually create a virtual disk with the size of all your available RAM and fill it till it's full, but make sure you disable Windows virtual dedicated memory or something like that (the option that enables Windows to use your HDD to store data when you don't have enough RAM?)

    SORRY FOR MY ENGLISH, I'M NOT ENGLISH NOR AMERICAN. HOPE THAT I WAS USEFUL TO YOU
     
  12. AstralWanderer

    AstralWanderer What's a Dremel?

    Joined:
    17 Apr 2009
    Posts:
    749
    Likes Received:
    34
    It's most unlikely that a PC forensics team will participate in a raid without very good reason - they are a scarce (and overworked) resource in most forces. Even if they do, it would be rather easy to "accidentally" switch the PC off (or switch the circuit off at the mains - if you have an RCD then just tripping it accidentally would do wonders as well).
    As alluded to above, how likely is it for the police to come equipped with frozen carbon dioxide (or nitrogen) and the appropriate equipment to allow them to thermally isolate and cool your RAM within a minute? Try reviewing some extreme overclocking guides or the entry on liquid RAM coolers here.
    You shouldn't need a passphrase that long and it needs to be something you can remember (and type!) regularly.
    If you have multiple OS partitions in a TrueCrypt container it will be blindingly obvious simply due to the presence of a boot menu. Using a hidden partition with a virtual OS inside (to avoid having any references to its files in the "visible" OS) would seem the safest option.
    Perfectly true - any attempt at data destruction will be futile and at worst could lead to a charge of attempting to destroy evidence.
    As Peter Gutmann himself has noted (in the Epilogue to his Secure Deletion of Data paper) this is completely unnecessary:

    "In the time since this paper was published, some people have treated the 35-pass overwrite technique described in it more as a kind of voodoo incantation to banish evil spirits than the result of a technical analysis of drive encoding techniques. As a result, they advocate applying the voodoo to PRML and EPRML drives even though it will have no more effect than a simple scrubbing with random data. In fact performing the full 35-pass overwrite is pointless for any drive..."
    If you're going to go that far, then don't forget the pagefile also - either disable it (which may cause problems) or have a small pagefile held on ramdisk (several ramdisk options are mentioned in my post here).

    PS: Welcome to the forums...
     
    Last edited: 14 Nov 2011
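    The Gutmann epilogue quoted above makes the practical point: on modern drives a single overwrite with random data does as much as the 35-pass ritual. As an added illustration (not code from the thread or from any tool named in it), here is a small Python utility that does exactly that one random pass, forces the write to disk, and then truncates, renames and unlinks the file. The file names and the `selftest` helper are constructed for the demonstration. The comments carry the caveats a practitioner needs: overwriting in place only helps on a plain magnetic disk with a non-journaling, non-copy-on-write filesystem; on SSDs, snapshotting filesystems and files small enough to live inside filesystem metadata, whole-disk encryption with key destruction (or the drive's own secure-erase command) is the real answer.

```python
"""Single-pass secure overwrite of a file, following Gutmann's own advice
that one pass of random data is all a modern drive needs.

Caveats (assumptions about the environment, not guarantees):
  * SSDs remap blocks for wear levelling, so an overwrite may land on a
    fresh block and leave the old data intact; use ATA/NVMe secure erase
    or full-disk encryption with key destruction instead.
  * Journaling and copy-on-write filesystems (btrfs, ZFS, APFS, snapshots,
    NTFS with shadow copies) may keep the old extents anyway.
  * Tiny files may be stored inside filesystem metadata (e.g. the NTFS MFT)
    and are never touched by rewriting the file's data blocks.
"""
import os
import tempfile


def overwrite_file(path: str, passes: int = 1, chunk_size: int = 1 << 20) -> int:
    """Overwrite every byte of `path` in place with random data, `passes` times.

    Returns the file size in bytes. The file is not deleted here so a caller
    can verify the overwrite before unlinking.
    """
    size = os.path.getsize(path)
    fd = os.open(path, os.O_WRONLY)
    try:
        for _ in range(passes):
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining > 0:
                # os.write may write fewer bytes than asked; loop until done
                written = os.write(fd, os.urandom(min(chunk_size, remaining)))
                remaining -= written
            os.fsync(fd)  # push the pass out of the page cache to the device
    finally:
        os.close(fd)
    return size


def shred(path: str, passes: int = 1) -> int:
    """Overwrite, then hide the original length and name, then unlink."""
    size = overwrite_file(path, passes)
    with open(path, "r+b") as f:
        f.truncate(0)  # directory entry no longer reveals the old size
        f.flush()
        os.fsync(f.fileno())
    anon = os.path.join(os.path.dirname(path) or ".", "." + os.urandom(8).hex())
    os.replace(path, anon)  # directory entry no longer reveals the old name
    os.unlink(anon)
    return size


def selftest() -> dict:
    """Round trip on a constructed temp file; returns what a test can assert on."""
    secret = b"constructed secret content\n" * 200  # 5400 bytes, constructed
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "secret.txt")
    with open(path, "wb") as f:
        f.write(secret)
    size_after_overwrite = overwrite_file(path)
    with open(path, "rb") as f:
        rewritten = f.read()
    size_after_shred = shred(path)
    os.rmdir(workdir)
    return {
        "size_after_overwrite": size_after_overwrite,
        "length_preserved_by_overwrite": len(rewritten) == len(secret),
        "content_changed": rewritten != secret,
        "size_after_shred": size_after_shred,
        "file_gone": not os.path.exists(path),
    }


if __name__ == "__main__":
    for key, value in selftest().items():
        print(f"{key}: {value}")
```

    `selftest` demonstrates the sequence on a throwaway file; for a real file call `shred(path)` directly. The `passes` argument exists only so the caller can see that extra passes add nothing but time.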
  13. Guinevere

    Guinevere Mega Mom

    Joined:
    8 May 2010
    Posts:
    2,484
    Likes Received:
    176
    It depends on whether power is cut to the chips instantly and whether the RAM is zeroed on the next boot (if a reboot is quick)...

    Back in the 8bit days we used to see how long we could switch a computer off and switch it back on without losing all the data in RAM.

    Our test was to load an image into RAM and then examine the memory after start up to extract the original image.

    The hard limit was about thirty seconds for a Commodore 64, but by then the image was pretty broken up. At half that you could hardly tell the computer had been switched off.
     
  14. Oggyb

    Oggyb Mutant

    Joined:
    15 Jun 2010
    Posts:
    347
    Likes Received:
    4
    Just read the linked article on the BBC. Page two http://www.theregister.co.uk/2009/11/24/ripa_jfl/page2.html says:

    "In his final police interview, CTC officers suggested JFL's refusal to decrypt the files or give them his keys would lead to suspicion he was a terrorist or paedophile."

    Just nitpicking here, but they must mean "sexual predator", surely, if the two options are supposed to be of anywhere near equal srs?

    Anyway, this is a really interesting thread, I've enjoyed reading all the knowledge and different opinions. I'd considered Bitlocker plus TrueCrypt in the past for sensitive data but would probably only use it on a laptop in case of loss or theft.

    From my reading, I remember mention of RAM being considered unreadable and for normal operations going uninvestigated.

    Anyone here actually been in a raid situation?
     
  15. Stormwolf

    Stormwolf What's a Dremel?

    Joined:
    11 Nov 2011
    Posts:
    28
    Likes Received:
    1
    Wow this is awesome stuff, I had no idea you could get a self-wiping drive! But the question is, how does that affect performance, is this going to be dead slow?
     
  16. Votick

    Votick My CPU's hot but my core runs cold.

    Joined:
    21 May 2009
    Posts:
    2,321
    Likes Received:
    109
    Yeah man, Last year Icecrown Citadel, Lich King 25Man Heroic, was good times :)


    ... I'll stop trolling xD
     
  17. short1uk

    short1uk Minimodder

    Joined:
    20 Sep 2011
    Posts:
    140
    Likes Received:
    9
    This thread just scares me...... WTF would you have on your computer that you didn't want anyone, let alone the police, to see.... That's WORRYING
     
  18. towelie

    towelie How do I Internet!!

    Joined:
    1 Sep 2011
    Posts:
    399
    Likes Received:
    10
    :jawdrop: I think he's running a pirated OS.

    Enjoyed reading this thread though interesting stuff.
     
    Last edited: 16 Nov 2011
  19. AstralWanderer

    AstralWanderer What's a Dremel?

    Joined:
    17 Apr 2009
    Posts:
    749
    Likes Received:
    34
    Well there's:
    • website login details;
    • bank/financial login details (no, you cannot assume a police officer to be trustworthy, particularly when hundreds/thousands of pounds may be at stake);
    • private correspondence with family and friends (even if you're the type who doesn't give a damn about your own privacy, you should care about theirs);
    • "legal threshold" material like Tigger the Tiger videos.
     
    Last edited: 27 Nov 2011
  20. xxxsonic1971

    xxxsonic1971 W.O.T xxxsonic1971

    Joined:
    5 Dec 2010
    Posts:
    999
    Likes Received:
    77
    You folk are so funny!!...... Don't you know that the government sends little robots through your air vents at night to read your mind???
     