When working with evidence drives, data integrity is critical. Using ECC RAM, which identifies and corrects common single-bit errors, would help dramatically improve data transfer reliability in digital forensic tools.
Why use ECC memory
Electrical, magnetic or even radioactive interference inside a system, may cause a single bit of DRAM (Dynamic Random-Access Memory) to flip to the opposite state, resulting in an error. While the single-bit error in an ordinary situation could be harmless or have a comparatively mild effect (like a wrongly colored pixel in a .jpeg file), in forensic imaging, it means that the whole image you get is compromised. Because the hash of the image won’t be identical to that of the source.
ECC (Error Checking Code) memory provides extra reliability by adding a parity bit to each byte. This parity bit checks the remaining bits in the byte for integrity. In case one of the bits flips, ECC detects the error and corrects it on the fly.
That’s why most servers and computers where data corruption is not acceptable (e.g. at financial, scientific, medical), use ECC RAM. And the same should be true for digital forensics.
The research to back it
ECC RAM does have a much lower failure rate than standard non-ECC memory. The results of Kingston-held research (see graph above) remain valid. As well as this brilliant in-depth study named DRAM Errors in the Wild: A Large-Scale Field Study.
We find that in many aspects DRAM errors in the field behave very differently than commonly assumed. For example, we observe DRAM error rates that are orders of magnitude higher than previously reported, with FIT rates (failures in time per billion device hours) of 25,000 to 70,000 per Mbit and more than 8% of DIMMs affected per year. We provide strong evidence that memory errors are dominated by hard errors, rather than soft errors, which most previous work focuses on. We find that, out of all the factors that impact a DIMM’s error behavior in the field, temperature has a surprisingly small effect. Finally, unlike commonly feared, we don’t observe any indication that per-DIMM error rates increase with newer generations of DIMMs.(C) DRAM Errors in the Wild: A Large-Scale Field Study
Bianca Schroeder Dept. of Computer Science University of Toronto Toronto, Canada
Eduardo Pinheiro Google Inc.
Wolf-Dietrich Weber Google Inc.
Atola TaskForce and ECC RAM
Because TaskForce is able to sustain 12+ imaging sessions with the cumulative throughput of 15 TB/hour and the system handles enormous amounts of data, we made sure to back its smooth and accurate operation with the best hardware. That’s why our engineers enhanced the reliability of TaskForce with ECC memory. It helps avoid even the tiniest chance of data corruption during imaging, hashing, wiping, etc.
Here is what the ECC RAM module we install in Atola TaskForce looks like:
To ensure that your image is acquired and hashed correctly, TaskForce’s ECC RAM does the following:
- Automatically corrects 1-bit errors and saves you from data corruption
- Logs 2-bit errors in BIOS. A 2-bit error is an extremely rare case when two 1-bit errors happen in the same byte at the same time. While ECC RAM cannot correct a 2-bit error, you can find the event in the BIOS log with a timestamp
This way ECC memory provides an unprecedented level of reliability in a digital forensic imager.
- RAID imaging made easy with TaskForce - May 3, 2022
- Image. Anything. Fast.What makes TaskForce the ultimate forensic imager - February 9, 2022
- RAID configuration detection in Atola TaskForce - April 7, 2021