Ever wondered what the legal definition of "RAM" is? I was perusing the Computer Forensics and Incident Response blog this morning and found an interesting post regarding RAM and the US Courts. In short, a court document (the judge's decision) from the case of Columbia Pictures Industries, et al., vs. Justin Bunnell, et al., was posted on the web, and it contains some interesting discussion regarding RAM.
The document illustrates a discussion in which RAM constitutes "electronically stored information", and can therefore be included in discovery. It contains statements such as "...Server Log Data is temporarily stored in RAM and constitutes a document...".
Interestingly enough, there is also discussion of "spoliation of evidence" due to the defendants' failure to preserve/retain RAM.
The defendants claimed, in part, that they could not produce the server log data from RAM due to the burden of cost...which the judge's decision states they failed to demonstrate. There are some interesting notes that address issues of RAM as "electronically stored information" from which key data would otherwise not be available (i.e., the document states that the server's logging function was not enabled, but the requests themselves were stored in RAM).
Ultimately, the judge denied the plaintiffs' request for evidentiary sanctions due to the defendants' failure to preserve the contents of RAM, partly due to a lack of prior precedent and the absence of a specific request to preserve RAM (the request was for documents).
The PDF document is 36 pages long, and well worth a read. I will not attempt to interpret a legal document here...I simply find the judge's decision that yes, RAM constitutes electronically stored information, however temporary, to be very interesting.
What are your thoughts? How do you think this kind of issue will fare given that there are no longer any freely available tools for dumping the contents of Physical Memory from Windows systems?
Addendum: An appeal brief has been posted by the defendant's lawyers.
Hi Harlan
I saw reference to this article elsewhere and there was the suggestion that the Judge may have misunderstood the technology, believing that RAM = HDD = permanent. Having said that, I guess that this is a legally binding decision, unless an appellate court decides otherwise. I'm not from the US so don't know the details of the US legal process or if/how such a decision can be overturned.
Harlan,
I'm going to stop posting in my blog so you don't steal my ideas ;-) - but seriously, good post.
I think in reading the opinion that the judge was referring to volatile data (netstat(s), arp cache etc.) and the issue was confused by people who didn't really know what they were talking about; just guessing at that though.
For collection, I'm still using the last version of Forensic DD, and PMdump for 2003.
Bill
Dave,
...believing that RAM = HDD = permanent...
I'm not sure I completely follow...the second item in the Summary states, "...the data in issue which was formerly temporarily stored in...RAM..."
Further, reference 3 from the top of page 4 of the opinion includes "As the Server Log Data is temporarily stored in RAM..."
I tend to believe that the number of times that the term "temporary" is used throughout the opinion would make it difficult for anyone to sign it, and then later claim that they thought storage in RAM was permanent. Just my opinion, though...
Bill...I thought the issue was interesting enough to mention, as well as link back to your blog.
I think in reading the opinion that the judge was referring to volatile data...
As with what Dave said, I'm not sure that I can agree...the term "Server Log Data" was used often enough that I would sincerely hope that there would not be such confusion. Further, the brief specifically stated that the server logging had not been enabled, so that the data contained in RAM was not actually written to logs on the server.
I still think that this is a very interesting court opinion...
RAM is literally a storage device and courts routinely require preservation of active logs stored on disks that continually update. So it is not such a great leap to require the preservation of RAM contents. I'm just wondering what software they are going to use to implement the court's order (assuming they are using W2k3 SP1 or later) and how often. It sounds to me like they have to save RAM to a file every 6 hours. Ouch!
-Rossetoecioccolato.
Bill...I thought the issue was interesting enough to mention, as well as link back to your blog.
Thanks - I hope the first comment was taken as it was intended (in jest). I appreciate you linking to it - I've gotten a lot of hits as a result.