School of Information Systems

Acquiring Non-volatile Memory

The basic rule in data acquisition is to start with volatile data (data that can easily be lost) and then move on to non-volatile data. A common mistake during an incident is to turn off the computer first, which causes the volatile data stored in RAM to be lost and makes analysis impossible. Instead, when an incident occurs, the affected computer or server should be isolated first and the volatile data should be extracted.

Non-volatile memory is a type of memory where data can be written and erased, but the data is retained even when the power is off, because keeping it does not require power. Non-volatile memory is also known as temporary memory. Non-volatile RAM (NVRAM) is a type of random-access computer memory that is generally used to store configurations made by firmware, such as BIOS, EFI, or other firmware on embedded devices, such as routers. Generally, NVRAM is manufactured using CMOS (Complementary Metal-Oxide Semiconductor) technology, which requires low power consumption.

Non-volatile memory refers to any storage media that can retain data for a long time even when power is turned off. Hard drives and flash memory (thumb drives) are the two most common types. Capturing a hard disk image is considered the most important aspect of any computer forensics investigation because the disk contains most of the data that may support the allegations or provide exculpatory evidence.

Non-volatile data acquisition is divided into two types: physical acquisition, which involves imaging the entire hard disk with a 1:1 ratio, and logical acquisition, which involves imaging only the active data. When acquiring a computer, it is advisable to use physical acquisition because it clones the entire hard disk, including deleted data that can be restored. However, there are some cases where logical acquisition can be done, such as when the data is too large (e.g. 80 TB) or when a certain server RAID cannot be physically imaged.
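The difference between the two acquisition types can be shown on a small constructed disk. The following is an added example, not code from the original article: the disk layout, the file table, and all function names are hypothetical, and the SHA-256 check on the image is an addition that the article itself does not describe.

```python
import hashlib
import io

SECTOR = 512  # bytes per sector on the constructed disk

def build_disk():
    """Constructed 4-sector disk plus its table of active (allocated) files."""
    disk = bytearray(SECTOR * 4)
    disk[SECTOR:SECTOR + 11] = b"active file"
    # A deleted file: its table entry is gone, but the bytes remain on disk.
    disk[3 * SECTOR:3 * SECTOR + 15] = b"DELETED-INVOICE"
    table = {"notes.txt": (SECTOR, 11)}  # name -> (offset, length)
    return bytes(disk), table

def physical_acquire(src, dst, chunk=SECTOR):
    """Copy every byte from src to dst (1:1); return SHA-256 of the data read."""
    digest = hashlib.sha256()
    while True:
        block = src.read(chunk)
        if not block:
            break
        dst.write(block)
        digest.update(block)
    return digest.hexdigest()

def logical_acquire(disk, table):
    """Copy only the active files listed in the file table."""
    return {name: disk[off:off + length] for name, (off, length) in table.items()}

def compare():
    """Run both acquisitions on the constructed disk and summarise the results."""
    disk, table = build_disk()
    image = io.BytesIO()
    acquired_hash = physical_acquire(io.BytesIO(disk), image)
    logical = logical_acquire(disk, table)
    marker = b"DELETED-INVOICE"
    image_bytes = image.getvalue()
    return {
        "image_matches_source": image_bytes == disk
        and hashlib.sha256(image_bytes).hexdigest() == acquired_hash,
        "image_size": len(image_bytes),
        "deleted_in_physical": marker in image_bytes,
        "deleted_in_logical": any(marker in data for data in logical.values()),
        "logical_files": sorted(logical),
    }

if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The physical image keeps the residue of the deleted file because every sector is copied, while the logical acquisition returns only `notes.txt`.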

There are several examples of Dynamic RAM (DRAM), such as:

  • Fast Page Mode DRAM (FPM DRAM)
  • Extended Data Output DRAM (EDO DRAM)
  • Synchronous DRAM (SDRAM)
  • Rambus DRAM (RDRAM)
  • Double Data Rate SDRAM (DDR SDRAM)
  • Video RAM (VRAM)
  • Windows RAM (WRAM)
  • Synchronous Graphic RAM (SGRAM)

SRAM (Static Random Access Memory) is a type of RAM (a type of semiconductor memory) that does not use capacitors. Based on its function, it is divided into Asynchronous and Synchronous:

  • EDORAM (Extended Data Out Random Access Memory)
  • SDRAM (Synchronous Dynamic Random Access Memory)
  • RDRAM (Rambus Dynamic Random Access Memory)
  • NV-RAM (Non-Volatile Random Access Memory)
  • VGRAM (Video Graphic Random Access Memory)

Source:

https://idcloudhost.com/kamus-hosting/non-volatile/#:~:text=Non%2Dvolatile%20memory%20merupakan%20memory,ini%20dikenal%20dengan%20temporary%20memory.

https://medium.com/mii-cybersec/computer-forensic-collection-1701aa43d6c9

Joni Suhartono