
Locating Your Sensitive Data in Your Computer

2.2.9 Nonvolatile memory

When a computer is first turned on, it has no idea what to do with itself; it does not know if it has any magnetic media or anything about them, it does not know the date/time, it does not know how much memory (RAM) it has, it does not know whether to try to go to a hard disk first or to a floppy or to other media (such as CD-ROMs), and so forth.

All this information has to be stored somewhere other than a disk (which the computer initially does not even know whether it has or where it is), or the user would have to enter it manually every time. Nonvolatile memory almost always uses Complementary Metal Oxide Semiconductor (CMOS) technology; the name is a reference to the technology being used, which is an electronic memory that consumes very little power so that it can survive for many years with just a small external battery even if the computer is unplugged.

That same nonvolatile memory also stores any bootup passwords that some users enable. In theory, unless an aspiring user knows the magic password selected by the authorized user, he or she will not be able to get past this step. In practice, one can remove the battery keeping the information in the CMOS chip alive, whereupon, when the computer is turned on, the unauthorized user will be asked to enter his or her own choice of a new password (in addition to manually having to enter the system-related data, which can be done within a few minutes).

Additionally, many computer manufacturers who have tired of users’ forgetting their CMOS passwords and asking for technical support have provided for backdoor-entry passwords that users can use to gain access to the respective manufacturers’ computers. Needless to say, these backdoor keys have been posted on the Internet for anyone who wants them (see Section 4.11.1).

2.3 The swap file as a source of forensic data

2.3.1 General

The swap file (a.k.a. “paging file” or “virtual memory”) is a major source of forensic information for a computer investigator. To an individual interested in maintaining the privacy of his or her computer files (e.g., an attorney with clients’ privileged files, a physician with patients’ confidential medical data, a businessman on a trip with a laptop containing his company’s proprietary designs), this is a relatively easy threat to remove, although most normal users are only vaguely aware of it.

Basically, the swap file is a large space on one’s hard disk. It typically takes up a few hundred megabytes’, that is, a few hundred million alphabetical letters’, worth of space. Windows places here any data that currently resides in RAM memory (the electronic memory that “evaporates” when the power is turned off, as opposed to disk memory, which stays) that Windows does not need at a particular instant, to make room in memory for other data that is needed at that instant. An instant later, different data may be needed in memory, and Windows will juggle what is in RAM and in the swap disk file so that it has in RAM memory what it needs at any one instant in time. This way, a user with limited RAM can run more programs than the physical memory alone would allow.

From the perspective of the security-conscious reader, this file is an unmitigated disaster because it can end up including just about anything, such as passwords typed on a keyboard and never intended to be stored on disk, copies of sensitive files, and so forth. Even if a user securely deletes all evidence of a sensitive file (see Section 2.3.2), the swap file, if not specifically wiped, may well contain a copy of that same file or portions of it.

The amount of space allocated to the swap file on a disk is determined by Windows itself (in the default situation), but can be altered by the individual user. One would reasonably think that the more physical RAM memory one has, the less swap file size is needed; amusingly, Windows feels otherwise and assigns more swap file space when one has more RAM.

One can specify exactly how large a swap file one wishes to have (if any). Go to Start/Settings/Control Panel/System/Performance/Virtual Memory and specify what amount you desire (if any). One can ignore admonitions by Windows about not allowing Windows to decide this. In general, one would be well advised to have as much RAM memory as possible (at least 256 MB for Win95/98/NT/2000), and to disable any virtual memory completely. Doing so still leaves the hard disk with the last version of the swap file (called win386.swp in Windows 95/98/Me or pagefile.sys in Windows NT/2000/XP). This must be securely removed. If one has elected to allow numerous programs to run in the background (e.g., virus checkers, software firewalls), then one’s RAM requirements can exceed the minimums suggested above. A good way to find just how much RAM one is actually using under normal circumstances is to run a small utility called SWAPMON by Gary Calpo of Flip Tech International, which is widely available at http://www.pinoyware.com/swapmon/index.shtml.

Even if one elects to have some disk space allocated to the swap file (not a good idea from a security perspective, as per above), it is strongly recommended that this amount be fixed by the user and not by Windows (which is the default setting), despite admonitions to the contrary by Windows. It is far easier for security utilities that wipe clean the swap file to do this on a fixed-size swap file than on one whose size changes all the time. The reason for this is obvious: If the size of the swap file is fixed, then wiping it (i.e., overwriting it) is straightforward. If its size changes all the time, then it is quite possible that its last size is smaller than the size of the previous time that the computer was used; wiping the smaller swap file will leave the evidence contained in the disk space that accommodates the difference between the smaller last swap file and the bigger previous one untouched and available to any forensic investigator.
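The residue argument above, and the earlier point that a swap file can hold data that was only ever typed into RAM, as an added example that is not the book's own code: it models a disk as a byte array, writes a large swap file holding a constructed secret, lets the next session shrink the file, wipes only the current extent, and then scans the whole disk the way an investigator would. All sizes, offsets and the secret string are constructed for the illustration.

```python
# Added example, not the book's code: a tiny in-memory "disk" that models the
# argument above. Session 1 writes a large swap file holding a secret that was
# only ever in RAM; session 2 gets a smaller swap file; a wiper overwrites only
# the current (smaller) extent; a forensic scan of the whole disk still finds
# the secret in the gap. With a fixed size there is no gap and nothing survives.

DISK_SIZE = 8192      # constructed sizes, in bytes
SWAP_START = 1024     # constructed offset where the swap file lives on the disk


def write_swap(disk: bytearray, size: int, payload: bytes = b"") -> None:
    """Write a swap file of `size` bytes at SWAP_START; the payload stands in for
    paged-out RAM (e.g. a typed password) and is placed near the end of the file."""
    region = bytearray(size)  # zero filler stands in for other paged-out data
    if payload:
        pos = size - len(payload) - 16
        region[pos:pos + len(payload)] = payload
    disk[SWAP_START:SWAP_START + size] = region


def wipe_swap(disk: bytearray, size: int) -> None:
    """What a swap-file wiper does: overwrite the swap file's *current* extent only."""
    disk[SWAP_START:SWAP_START + size] = b"\x00" * size


def find_residue(disk: bytearray, needle: bytes) -> list[int]:
    """Forensic-style scan: offsets of every surviving copy of `needle` on the whole disk."""
    hits, start = [], 0
    while (i := disk.find(needle, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def simulate(first_size: int, second_size: int, secret: bytes = b"Passw0rd-only-in-RAM") -> list[int]:
    """Run two sessions with the given swap sizes, wipe after the second, and scan."""
    disk = bytearray(DISK_SIZE)
    write_swap(disk, first_size, secret)   # session 1: large swap file, secret paged out
    write_swap(disk, second_size)          # session 2: Windows picks a (possibly smaller) size
    wipe_swap(disk, second_size)           # user wipes the swap file as it now exists
    return find_residue(disk, secret)


if __name__ == "__main__":
    print("variable size, residue at:", simulate(4096, 2048))   # -> [5084]
    print("fixed size, residue at:", simulate(4096, 4096))      # -> []
```

The surviving offset lies between the end of the shrunk file and the end of the earlier one, exactly the gap the text describes; wiping a fixed-size file covers that whole extent.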

The procedure for setting a fixed swap file is similar to that shown below for setting no swap file: The user simply selects the same value for minimum and maximum size of the swap file.