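After a computer is shut down, does temporary data held in memory, such as login passwords and bank account details, disappear immediately? Researchers in Greece have found that key information can still be extracted from memory after shutdown. Memory is mainly used to store temporary data, and all of it is lost once the power is cut. But the researchers found that if the computer is merely shut down while the mains supply remains connected, the data in memory does not disappear immediately.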

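They logged in to Facebook, Gmail, MSN and Skype accounts on a computer and then shut it down. After 5, 15 and 60 minutes they collected the data fragments in memory, then used repair tools to piece the fragments together and extract information. They successfully recovered login information for GMail, Facebook and Hotmail.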

Original English text:

Computer memory leaks a turn off, Aug 11, 2012

When you switch off your computer any passwords you used to login to web pages, your bank or other financial account evaporate into the digital ether, right? Not so fast! Researchers in Greece have discovered a security loophole that exploits the way computer memory works and could be used to harvest passwords and other sensitive data from a PC even if it is in standby mode.

Writing in a forthcoming issue of the International Journal of Electronic Security and Digital Forensics, Christos Georgiadis of the University of Macedonia in Thessaloniki and colleagues Stavroula Karayianni and Vasilios Katos at the Democritus University of Thrace in Xanthi explain how their discovery could be used by information specialists in forensic science for retrieving incriminating evidence from computers as well as exploited by criminals to obtain personal data and bank details.

The researchers point out that most computer users assume that switching off their machine removes any data held in random access memory (RAM); this type of fast memory is used by the computer to temporarily hold data currently used by a given application. RAM is often referred to as volatile memory, because anything contained in RAM is considered lost when a computer is switched off. Indeed, all data is lost from RAM when the power supply is disconnected; so it is volatile in this context.

However, Georgiadis and colleagues have now shown that data held in RAM is not lost if the computer is switched off but the mains electricity supply not interrupted. They suggest that forensics experts and criminals might thus be able to access data from the most recently used applications. They point out that starting a new memory-intensive application will overwrite data in RAM while a computer is being used, but simply powering off the machine leaves users vulnerable in terms of security and privacy.

"The need to capture and analyse the RAM contents of a suspect PC grows constantly as remote and distributed applications have become popular, and RAM is an important source of evidence," the team explains, as it can contain telltale traces of networks accessed and the unencrypted forms of passwords sent to login boxes and online forms.

The team tested their approach to retrieving data from RAM after a computer had been switched off following a general and common usage scenario involving accessing Facebook, Gmail, Microsoft Network (MSN) and Skype. They carried out RAM dumps immediately after switch off at 5, 15 and 60 minutes. They then used well-known forensic repair tools to piece together the various fragments of data retrieved from the memory dumps.

The team was able to reconstruct login details from the memory dumps for several popular services being used in the Firefox web browser including Google Mail (GMail), Facebook, Hotmail, and the WinRar file compression application. "We can conclude that volatile memory loses data under certain conditions and in a forensic investigation such memory can be a valuable source of evidence," the team says.


More information: "A framework for password harvesting from volatile memory" in Int. J. Electronic Security and Digital Forensics, 2012, 4, 154-163.

Journal reference: International Journal of Electronic Security and Digital Forensics

Provided by Inderscience

Chinese translation:


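When you shut down your computer, does the temporary data held in memory, such as the login passwords you used on web pages and your bank or other financial accounts, disappear immediately? No, not so fast! Researchers in Greece have discovered a security loophole that can be used to extract passwords and other sensitive data from a computer's memory, even in standby mode.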


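In a forthcoming issue of the International Journal of Electronic Security and Digital Forensics, Christos Georgiadis of the University of Macedonia in Thessaloniki and his colleagues Stavroula Karayianni and Vasilios Katos of the Democritus University of Thrace in Xanthi show how forensic specialists can use their discovery to collect evidence, and how criminals can use it to gather personal data and bank details.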


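The researchers point out that most computer users assume that all data in random access memory (RAM) is automatically erased once they shut down; RAM is mainly used to hold the temporary data of running processes. RAM is often called volatile memory, because all data in RAM is considered lost at shutdown. In fact, the data in RAM disappears only after the power supply is disconnected, so it is volatile only in the sense of losing power.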


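Meanwhile, Georgiadis and his colleagues hold that when a computer is shut down without the power being cut, the data in memory does not disappear immediately. Forensic specialists and criminals can use this to access data from the most recently used programs. Only starting a new memory-intensive task on the computer fully overwrites the data in memory; simply powering off gives users no security or privacy.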


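The team says: "As remote and distributed systems become popular, the amount of memory data from suspects' computers that needs to be captured and analysed keeps growing, and memory data is becoming an important source of evidence." This is because it can contain the history of networks accessed and the unencrypted passwords entered in login boxes and online forms.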


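The team ran tests under common scenarios, such as logging in to Facebook, Gmail, MSN and Skype, analysing the memory data after the computer had been shut down. After 5, 15 and 60 minutes they collected the data fragments in memory, then used data repair tools to piece the fragments together and extract information. They successfully recovered the login information for GMail, Facebook and Hotmail previously entered in the Firefox browser, as well as file compression data from WinRAR. The research team says: "We can conclude that memory removes data completely only under certain conditions, so memory data can provide a valuable source for forensic investigation."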