The authors point out that the data recovery from RAM is often used in modern forensic science, because fragments of registry, encryption keys and other valuable information can be found in RAM, but experts are working only with the turned on computer. However, it is necessary to copy RAM when sealing up both switched on and off computers, the researchers believe. Sealing up RAM for further data recovery can be done by freeze.
The reason is that, due to design constraints of modern RAM memory modules, the data bits can be recovered within a few minutes after switching off the computer.
It is interesting that RAM data is harder to recover if the computer is left on and keeps working. In this case the critical RAM areas can be overwritten with new data, and then the required information will more likely be lost. Therefore forfeit computer must not be load until memory is copied. You have to use a specially prepared liveCD for that.
Using this method, the researchers tested whether it is possible to recovery passwords for Facebook, Skype, Gmail and MSN from the memory of a switched off computer, provided that the computer is switched off immediately after the close of the program, in 5 minutes, 15 minutes and 60 minutes. The results are shown in the diagram.
Click here to learn more abolut our Texas State data recovery centers