Open Poremba-Dissertation.Pdf

Total Page:16

File Type:pdf, Size:1020Kb

Open Poremba-Dissertation.Pdf The Pennsylvania State University The Graduate School ARCHITECTING BYTE-ADDRESSABLE NON-VOLATILE MEMORIES FOR MAIN MEMORY A Dissertation in Computer Science and Engineering by Matthew Poremba c 2015 Matthew Poremba Submitted in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy May 2015 The dissertation of Matthew Poremba was reviewed and approved∗ by the following: Yuan Xie Professor of Computer Science and Engineering Dissertation Co-Advisor, Co-Chair of Committee John Sampson Assistant Professor of Computer Science and Engineering Dissertation Co-Advisor, Co-Chair of Committee Mary Jane Irwin Professor of Computer Science and Engineering Robert E. Noll Professor Evan Pugh Professor Vijaykrishnan Narayanan Professor of Computer Science and Engineering Kennith Jenkins Professor of Electrical Engineering Lee Coraor Associate Professor of Computer Science and Engineering Director of Academic Affairs ∗Signatures are on file in the Graduate School. Abstract New breakthroughs in memory technology in recent years has lead to increased research efforts in so-called byte-addressable non-volatile memories (NVM). As a result, questions of how and where these types of NVMs can be used have been raised. Simultaneously, semiconductor scaling has lead to an increased number of CPU cores on a processor die as a way to utilize the area. This has increased the pressure on the memory system and causing growth in the amount of main memory that is available in a computer system. This growth has escalated the amount of power consumed by the system by the de facto DRAM type memory. Moreover, DRAM memories have run into physical limitations on scalability due to the nature of their operation. NVMs, on the other hand, provide high scalability well into the future and have decreased static power, one of the major sources of power consumption in contemporary systems. For all of these reasons, NVMs have the potential to be an attractive alternative or even complete replacement for DRAM as main memory. For these types of devices to be feasible, there are some obstacles that must be overcome in order for there to be a compelling reason for NVMs to augment or replace DRAM. Although the static power and scalability are better, NVMs suffers from lower performance, higher dynamic power, and lower endurance than DRAM. Furthermore, the availability of architectural and comprehensive circuit models to explore how these issues can be resolved at a high level are lacking. This dissertation addresses these issues by proposing several models for NVMs at both the architectural and circuit level. The architectural model, NVMain, is built around the assumptions that NVMs may not be complete replacements and thus provides flexibility to model complex memory systems including hybrid and distributed levels of memory. The circuit-level model, DESTINY, combines NVMs with more recent three-dimensional circuit design proposals to obtain performance and energy balanced memory designs. These two models are leveraged to explore several NVM memory designs. The first design employs a hybrid DRAM and NVM and addresses an issue of caching large amounts of NVM data in the DRAM portion. The second design considers reworking memory bank design to provide an extremely high-density NVM bank with the capability to access individual sub-units of the memory bank. The final design leverages the high parallelism from access to individual sub-units to schedule memory requests in a more efficient manner. iii Table of Contents List of Figures vii List of Tables x Acknowledgments xi Chapter 1 Introduction 1 1.1 Background . 5 1.2 Related Work . 7 Chapter 2 Simulation Framework for Non-volatile Memories 10 2.1 Introduction . 10 2.2 Motivation . 11 2.3 Implementation . 12 2.3.1 Energy Modeling . 12 2.3.2 Non-volatile Memory Support . 12 2.3.3 Fine-grained Memory Architecture . 13 2.3.4 Memory System Flexibility . 13 2.3.5 Verification . 14 2.3.6 Timing Verification . 14 2.3.7 Energy Verification . 15 2.3.8 Data Verification . 15 2.3.9 Simulation Speed . 15 2.4 Case Studies . 16 2.4.1 MLC Simulation Accuracy . 16 2.4.2 Hybrid Memory System . 17 2.4.3 DRAM Cache . 19 2.5 Conclusions . 20 iv Chapter 3 Bank-level Modeling of 3D-stacked NVM and Embedded DRAM 21 3.1 Introduction . 21 3.2 Motivation . 22 3.2.1 Emerging Memory Technologies . 22 3.2.2 Modeling Tools . 23 3.3 Model Implementation . 24 3.3.1 eDRAM Model . 24 3.3.2 3D Model . 25 3.4 Validation Results . 26 3.4.1 3D SRAM Validation . 27 3.4.2 2D and 3D eDRAM Validation . 28 3.4.3 3D RRAM Validation . 29 3.5 Case Studies using DESTINY . 30 3.5.1 Finding the optimal memory technology . 30 3.5.2 Finding the optimal layer count in 3D stacking . 31 3.6 Conclusion . 31 Chapter 4 Improving Effectiveness of Hybrid-Memory Systems with High-Latency Caches 33 4.1 Motivation . 35 4.2 Implementation . 38 4.2.1 Managing the Fill Cache . 40 4.2.2 Re-routing Requests . 41 4.2.3 DRAM Cache Load . 42 4.2.4 Coalescing Fills . 42 4.2.5 Modifications to DRAM Cache . 43 4.3 Published Results . 44 4.3.1 Experimental Setup . 44 4.3.2 DRAM Cache Architectures . 45 4.3.3 Hardware Prefetcher . 46 4.3.4 Benchmark Selection . 47 4.3.5 Baseline Results . 48 4.3.6 Average Request Latency . 48 4.3.7 Prefetcher Effectiveness . 50 4.3.8 Set Indexing Effectiveness . 50 4.3.9 Coalesced Requests . 51 4.3.10 Sensitivity of Fill Cache Size . 51 4.3.11 Application Classification . 52 4.4 Conclusion . 53 Chapter 5 Leveraging Non-volatility Properties for High Performance, Low Power Main Memory 54 5.1 Introduction . 55 5.2 Motivation . 56 5.2.1 Non-Volatile Memory Design . 56 5.2.2 The Non-Volatility Property . 57 v 5.3 Implementation . 59 5.3.1 Partial-Activation . 59 5.3.2 Multi-Activation . 60 5.3.3 Backgrounded Writes . 60 5.3.4 Ganged Subarray Groups . 61 5.4 Published Results . 62 5.4.1 Memory Controller and Scheduling . 64 5.4.2 Multi-Issue Memory Controller . 64 5.4.3 Address Interleaving . 65 5.4.4 Number of Column Divisions and Subarray Groups . 65 5.4.5 Impact of Backgrounded Writes . 67 5.4.6 Energy Comparison . 68 5.4.7 Design Optimization . 68 5.4.8 Sensitivity Study . 69 5.4.9 Future Devices . 70 5.4.10 Application to STT-RAM and RRAM . 71 5.4.11 Comparison with Contemporary DRAM . 71 5.5 Design Implementation . 72 5.5.1 Overhead Costs . 73 5.5.2 Area Overhead . 73 5.5.3 Yield and NVM Lifetime . 74 5.6 Conclusion . 75 Chapter 6 Early Activation Scheduling for Main Memories 76 6.1 Motivation . 77 6.1.1 Baseline System Design . 78 6.1.2 Oracle Analysis . 80 6.2 Results and Analysis . 80 6.2.1 Missed Prediction Implications . 80 6.2.2 Limiting Amounts of Early-ACTs.
Recommended publications
  • Class Notes Class: IX Topic: INPUT, OUTPUT, MEMORY and STORAGE DEVICES of a COMPUTER SYSTEM Subject: INFORMATION TECHNOLOGY
    Class Notes Class: IX Topic: INPUT, OUTPUT, MEMORY AND STORAGE DEVICES OF A COMPUTER SYSTEM Subject: INFORMATION TECHNOLOGY Q1. A collection of eight bits is called BYTE Q2. Which of the following is an example of non-volatile memory? a) ROM b)RAM c) LSI d) VLSI Q3. Which of the following is unit of measurement used with computer system? a) Byte b) Megabyte c) Gigabyte d) All of the above Q4. Which of the following statement is false? a) Secondary storage in non-volatile. b) Primary storage is volatile. c) When the computer is turned off, data and instructions stored in primary storage are erased. d) None of the above. Q5. The secondary storage devices can only store data but they cannot perform a) Arithmetic operation b) Logic operation c) Fetch operation d) Either of above Q6. Which of the following does not represent an I/O device a) Speaker which beep b) Plotter C) Joystick d) ALU Q7. Which of the following is a correct definition of volatile memory? a) It loses its content at high temperatures. b) It is to be kept in airtight boxes. c) It loses its contents on failure of power supply d) It does not lose its contents on failure of power supply Q8. One thousand byte represent a a) Megabyte b) Gigabyte c) Kilobyte d) None of these Q9.What does a storage unit provide? a) A place to show data b) A place to store currently worked on information b) A place to store information Q10. What are four basic components of a computer? a) Input devices, Output devices, printing and typing b) Input devices, processing unit, storage and Output devices c) Input devices, CPU, Output devices and RAM Q11.
    [Show full text]
  • The Era of Expeditious Nanoram-Based Computers Enhancement of Operating System Performance in Nanotechnology Environment
    International Journal of Applied Engineering Research ISSN 0973-4562 Volume 13, Number 1 (2018) pp. 375-384 © Research India Publications. http://www.ripublication.com The Era of Expeditious NanoRAM-Based Computers Enhancement of Operating System Performance in Nanotechnology Environment Mona Nabil ElGohary PH.D Student, Computer Science Department Faculty of Computers and Information, Helwan University, Cairo, Egypt. 1ORCID: 0000-0002-1996-4673 Dr. Wessam ElBehaidy Assistant Professor, Computer Science Department, Faculty of Computers and Information, Helwan University, Cairo, Egypt. Ass. Prof. Hala Abdel-Galil Associative Professor, Computer Science Department Faculty of Computers and Information, Helwan University, Cairo, Egypt. Prof. Dr. Mostafa-Sami M. Mostafa Professor of Computer Science Faculty of Computers and Information, Helwan University, Cairo, Egypt. Abstract They announced that by 2018 will produce the first NanoRAM. The availability of a new generation of memory that is 1000 times faster than traditional DDRAM which can deliver This new NanoRam has many excellent properties that would terabytes of storage capacity, and consumes very little power, make an excellent replacement for the current DDRAM: being has the potential to change the future of the computer’s non-volatile, its large capacity, high speed read / write cycles. operating system. This paper studies the different changes that All the properties are introduced in the next section. will arise on the operating system functions; memory By replacing this NanoRAM instead of DDRAM in the CPU, management and job scheduling (especially context switch) this will affect the functionality of the operating system; such when integrating NanoRAM into the computer system. It is as main memory management, virtual memory, job scheduling, also looking forward to evaluating the possible enhancements secondary storage management; and thus the efficiency of the of computer’s performance with NanoRAM.
    [Show full text]
  • Let's Talk About Storage & Recovery Methods for Non-Volatile Memory
    Let’s Talk About Storage & Recovery Methods for Non-Volatile Memory Database Systems Joy Arulraj Andrew Pavlo Subramanya R. Dulloor [email protected] [email protected] [email protected] Carnegie Mellon University Carnegie Mellon University Intel Labs ABSTRACT of power, the DBMS must write that data to a non-volatile device, The advent of non-volatile memory (NVM) will fundamentally such as a SSD or HDD. Such devices only support slow, bulk data change the dichotomy between memory and durable storage in transfers as blocks. Contrast this with volatile DRAM, where a database management systems (DBMSs). These new NVM devices DBMS can quickly read and write a single byte from these devices, are almost as fast as DRAM, but all writes to it are potentially but all data is lost once power is lost. persistent even after power loss. Existing DBMSs are unable to take In addition, there are inherent physical limitations that prevent full advantage of this technology because their internal architectures DRAM from scaling to capacities beyond today’s levels [46]. Using are predicated on the assumption that memory is volatile. With a large amount of DRAM also consumes a lot of energy since it NVM, many of the components of legacy DBMSs are unnecessary requires periodic refreshing to preserve data even if it is not actively and will degrade the performance of data intensive applications. used. Studies have shown that DRAM consumes about 40% of the To better understand these issues, we implemented three engines overall power consumed by a server [42]. in a modular DBMS testbed that are based on different storage Although flash-based SSDs have better storage capacities and use management architectures: (1) in-place updates, (2) copy-on-write less energy than DRAM, they have other issues that make them less updates, and (3) log-structured updates.
    [Show full text]
  • Nanotechnology ? Nram (Nano Random Access
    International Journal Of Engineering Research and Technology (IJERT) IFET-2014 Conference Proceedings INTERFACE ECE T14 INTRACT – INNOVATE - INSPIRE NANOTECHNOLOGY – NRAM (NANO RANDOM ACCESS MEMORY) RANJITHA. T, SANDHYA. R GOVERNMENT COLLEGE OF TECHNOLOGY, COIMBATORE 13. containing elements, nanotubes, are so small, NRAM technology will Abstract— NRAM (Nano Random Access Memory), is one of achieve very high memory densities: at least 10-100 times our current the important applications of nanotechnology. This paper has best. NRAM will operate electromechanically rather than just been prepared to cull out answers for the following crucial electrically, setting it apart from other memory technologies as a questions: nonvolatile form of memory, meaning data will be retained even What is NRAM? when the power is turned off. The creators of the technology claim it What is the need of it? has the advantages of all the best memory technologies with none of How can it be made possible? the disadvantages, setting it up to be the universal medium for What is the principle and technology involved in NRAM? memory in the future. What are the advantages and features of NRAM? The world is longing for all the things it can use within its TECHNOLOGY palm. As a result nanotechnology is taking its head in the world. Nantero's technology is based on a well-known effect in carbon Much of the electronic gadgets are reduced in size and increased nanotubes where crossed nanotubes on a flat surface can either be in efficiency by the nanotechnology. The memory storage devices touching or slightly separated in the vertical direction (normal to the are somewhat large in size due to the materials used for their substrate) due to Van der Waal's interactions.
    [Show full text]
  • AXP Internal 2-Apr-20 1
    2-Apr-20 AXP Internal 1 2-Apr-20 AXP Internal 2 2-Apr-20 AXP Internal 3 2-Apr-20 AXP Internal 4 2-Apr-20 AXP Internal 5 2-Apr-20 AXP Internal 6 Class 6 Subject: Computer Science Title of the Book: IT Planet Petabyte Chapter 2: Computer Memory GENERAL INSTRUCTIONS: • Exercises to be written in the book. • Assignment questions to be done in ruled sheets. • You Tube link is for the explanation of Primary and Secondary Memory. YouTube Link: ➢ https://youtu.be/aOgvgHiazQA INTRODUCTION: ➢ Computer can store a large amount of data safely in their memory for future use. ➢ A computer’s memory is measured either in Bits or Bytes. ➢ The memory of a computer is divided into two categories: Primary Memory, Secondary Memory. ➢ There are two types of Primary Memory: ROM and RAM. ➢ Cache Memory is used to store program and instructions that are frequently used. EXPLANATION: Computer Memory: Memory plays a very important role in a computer. It is the basic unit where data and instructions are stored temporarily. Memory usually consists of one or more chips on the mother board, or you can say it consists of electronic components that store instructions waiting to be executed by the processor, data needed by those instructions, and the results of processing the data. Memory Units: Computer memory is measured in bits and bytes. A bit is the smallest unit of information that a computer can process and store. A group of 4 bits is known as nibble, and a group of 8 bits is called byte.
    [Show full text]
  • Computer Conservation Society
    Issue Number 88 Winter 2019/20 Computer Conservation Society Aims and Objectives The Computer Conservation Society (CCS) is a co-operative venture between BCS, The Chartered Institute for IT; the Science Museum of London; and the Science and Industry Museum (SIM) in Manchester. The CCS was constituted in September 1989 as a Specialist Group of the British Computer Society. It is thus covered by the Royal Charter and charitable status of BCS. The objects of the Computer Conservation Society (“Society”) are: To promote the conservation, restoration and reconstruction of historic computing systems and to identify existing computing systems which may need to be archived in the future; To develop awareness of the importance of historic computing systems; To develop expertise in the conservation, restoration and reconstruction of historic computing systems; To represent the interests of the Society with other bodies; To promote the study of historic computing systems, their use and the history of the computer industry; To publish information of relevance to these objectives for the information of Society members and the wider public. Membership is open to anyone interested in computer conservation and the history of computing. The CCS is funded and supported by a grant from BCS and from donations. There are a number of active projects on specific computer restorations and early computer technologies and software. Younger people are especially encouraged to take part in order to achieve skills transfer. The CCS also enjoys a close relationship with the National Museum of Computing. Resurrection The Journal of the Computer Conservation Society ISSN 0958-7403 Number 88 Winter 2019/20 Contents Society Activity 2 News Round-Up 9 The Data Curator 10 Paul Cockshott From Tea Shops to Computer Company: The Improbable 15 Story of LEO John Aeberhard Book Review: Early Computing in Britain Ferranti Ltd.
    [Show full text]
  • Parallel Computer Architecture and Programming CMU / 清华 大学
    Lecture 20: Addressing the Memory Wall Parallel Computer Architecture and Programming CMU / 清华⼤学, Summer 2017 CMU / 清华⼤学, Summer 2017 Today’s topic: moving data is costly! Data movement limits performance Data movement has high energy cost Many processors in a parallel computer means… ~ 0.9 pJ for a 32-bit foating-point math op * - higher overall rate of memory requests ~ 5 pJ for a local SRAM (on chip) data access - need for more memory bandwidth to avoid ~ 640 pJ to load 32 bits from LPDDR memory being bandwidth bound Core Core Memory bus Memory Core Core CPU * Source: [Han, ICLR 2016], 45 nm CMOS assumption CMU / 清华⼤学, Summer 2017 Well written programs exploit locality to avoid redundant data transfers between CPU and memory (Key idea: place frequently accessed data in caches/buffers near processor) Core L1 Core L1 L2 Memory Core L1 Core L1 ▪ Modern processors have high-bandwidth (and low latency) access to on-chip local storage - Computations featuring data access locality can reuse data in this storage ▪ Common software optimization technique: reorder computation so that cached data is accessed many times before it is evicted (“blocking”, “loop fusion”, etc.) ▪ Performance-aware programmers go to great effort to improve the cache locality of programs - What are good examples from this class? CMU / 清华⼤学, Summer 2017 Example 1: restructuring loops for locality Program 1 void add(int n, float* A, float* B, float* C) { for (int i=0; i<n; i++) Two loads, one store per math op C[i] = A[i] + B[i]; } (arithmetic intensity = 1/3) void mul(int
    [Show full text]
  • Unit 5: Memory Organizations
    Memory Organizations Unit 5: Memory Organizations Introduction This unit considers the organization of a computer's memory system. The characteristics of the most important storage technologies are described in detail. Basically memories are classified as main memory and secondary memory. Main memory with many different categories are described in Lesson 1. Lesson 2 focuses the secondary memory including the details of floppy disks and hard disks. Lesson 1: Main Memory 1.1 Learning Objectives On completion of this lesson you will be able to : • describe the memory organization • distinguish between ROM, RAM, PROM, EEPROM and • other primary memory elements. 1.2 Organization Computer systems combine binary digits to form groups called words. The size of the word varies from system to system. Table 5.1 illustrates the current word sizes most commonly used with the various computer systems. Two decades ago, IBM introduced their 8-bit PC. This was Memory Organization followed a few years later by the 16-bit PC AT microcomputer, and already it has been replaced with 32- and 64-bit systems. The machine with increased word size is generally faster because it can process more bits of information in the same time span. The current trend is in the direction of the larger word size. Microcomputer main memories are generally made up of many individual chips and perform different functions. The ROM, RAM, Several types of semi- PROM, and EEPROM memories are used in connection with the conductor memories. primary memory of a microcomputers. The main memory generally store computer words as multiple of bytes; each byte consisting of eight bits.
    [Show full text]
  • Hard Disk Drive Specifications Models: 2R015H1 & 2R010H1
    Hard Disk Drive Specifications Models: 2R015H1 & 2R010H1 P/N:1525/rev. A This publication could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein – which will be incorporated in revised editions of the publication. Maxtor may make changes or improvements in the product(s) described in this publication at any time and without notice. Copyright © 2001 Maxtor Corporation. All rights reserved. Maxtor®, MaxFax® and No Quibble Service® are registered trademarks of Maxtor Corporation. Other brands or products are trademarks or registered trademarks of their respective holders. Corporate Headquarters 510 Cottonwood Drive Milpitas, California 95035 Tel: 408-432-1700 Fax: 408-432-4510 Research and Development Center 2190 Miller Drive Longmont, Colorado 80501 Tel: 303-651-6000 Fax: 303-678-2165 Before You Begin Thank you for your interest in Maxtor hard drives. This manual provides technical information for OEM engineers and systems integrators regarding the installation and use of Maxtor hard drives. Drive repair should be performed only at an authorized repair center. For repair information, contact the Maxtor Customer Service Center at 800- 2MAXTOR or 408-922-2085. Before unpacking the hard drive, please review Sections 1 through 4. CAUTION Maxtor hard drives are precision products. Failure to follow these precautions and guidelines outlined here may lead to product failure, damage and invalidation of all warranties. 1 BEFORE unpacking or handling a drive, take all proper electro-static discharge (ESD) precautions, including personnel and equipment grounding. Stand-alone drives are sensitive to ESD damage. 2 BEFORE removing drives from their packing material, allow them to reach room temperature.
    [Show full text]
  • Protecting Non-Volatile Memory Against Both Hard and Soft Errors
    FREE-p: Protecting Non-Volatile Memory against both Hard and Soft Errors Doe Hyun Yoon† Naveen Muralimanohar‡ Jichuan Chang‡ [email protected] [email protected] [email protected] Parthasarathy Ranganathan‡ Norman P. Jouppi‡ Mattan Erez† [email protected] [email protected] [email protected] †The University of Texas at Austin ‡Hewlett-Packard Labs Electrical and Computer Engineering Dept. Intelligent Infrastructure Lab. Abstract relies on integrating custom error-tolerance functionality within memory devices – an idea that the Emerging non-volatile memories such as phase- memory industry is historically loath to accept because change RAM (PCRAM) offer significant advantages but of strong demand to optimize cost per bit; (2) it ignores suffer from write endurance problems. However, prior soft errors (in both peripheral circuits and cells), which solutions are oblivious to soft errors (recently raised as can cause errors in NVRAM as shown in recent studies; a potential issue even for PCRAM) and are and (3) it requires extra storage to support chipkill that incompatible with high-level fault tolerance techniques enables a memory DIMM to function even when a such as chipkill. To additionally address such failures device fails. We propose Fine-grained Remapping with requires unnecessarily high costs for techniques that ECC and Embedded-Pointers (FREE-p) to address all focus singularly on wear-out tolerance. three problems. Fine-grained remapping nearly eliminates storage overhead for avoiding wear-out In this paper, we propose fine-grained remapping errors. Our unique error checking and correcting (ECC) with ECC and embedded pointers (FREE-p). FREE-p component can tolerate wear-out errors, soft errors, and remaps fine-grained worn-out NVRAM blocks without device failures.
    [Show full text]
  • Flash Memory and Micro SD Card
    Flash Memory and Micro SD Card Presented by: Krishna Goyal (200601195) Anirudh Tripathi (200601141) OUTLINE • Memory • Volatile and Nonvolatile memory • EPROM and EEPROM memory • Flash memory • NAND and NOR Flash memory • Flash Memory operations • Advantage and Disadvantage of Embedded Over Stand Alone Flash Memory • Micro SD card • Summary • References Memory • The terms “storage” or “memory” refer to the parts of a digital computer that retain physical state (data) for some interval of time, possibly even after electrical power to the computer is turned off. • A computer system's memory is crucial to its operation; without memory, a computer could not read programs or retain data. Memory stores data electronically in memory cells contained in chips. It is usually measured in kilobytes, megabytes, or gigabytes. • Memory is classified into volatile and non-volatile memory. Memory Classification VOLATILE NON-VOLATILE SRAM ROM PROM DRAM EPROM EEPROM NVRAM Flash Memory Floppy Disk MRAM Hard Disk Magnetic Devices Volatile Memory • The most widely used form of primary storage today is a volatile form of random access memory, meaning that when the computer is shut down, anything contained in random access memory (RAM) is lost. • DRAM used for main memory • SRAM used for cache Non-Volatile memory • EEPROM, EPROM, FeRAM, FLASH, NVSRAM and ROM are different types of non-volatile memory. • The main differences are in the memories relative cost per bit and the flexibility to accommodate code changes. • nonvolatile memory, NVM or non-volatile storage, is computer memory that can retain the stored information even when not powered. EPROM • Erasable Programmable Read Only Memory also known as UV-EPROM is a form of non-volatile memory.
    [Show full text]
  • The Acquisition and Analysis of Random Access Memory
    Currently “In Submission” to JDFP (some content may change before publication) THE ACQUISITION AND ANALYSIS OF RANDOM ACCESS MEMORY Timothy Vidas Naval Postgraduate School Monterey, CA ABSTRACT Mainstream operating systems (and the hardware they run on) fail to purge the contents of portions of volatile memory when that portion is no longer required for operation. Similar to how many file systems simply mark a file as deleted instead of actually purging the space that the file occupies on disk, Random Access Memory (RAM) is commonly littered with old information in unallocated space waiting to be reused. Additionally, RAM contains constructs and caching regions that include a wealth of state related information. The availability of this information along with techniques to recover it, provide new methods for investigation. This article discusses the benefits and drawbacks of traditional incident response methods compared to an augmented model that includes the capture and subsequent analysis of a suspect system’s memory, provides a foundation for analyzing captured memory, and provides suggestions for related work in an effort to encourage forward progress in this relatively new area of digital forensics. KEYWORDS: memory, random access memory, memory analysis, digital forensics, Windows forensics, incident response, best practices Tim Vidas is a Research Associate at the Naval Postgraduate School. He has been focusing research in the field of digital forensics for a few years and is now primarily working on in the area of trusted operating systems and kernels. In addition to research, he likes to teach and has a wide set of IT related interests. He maintains several affiliations like ACM, CERT, and Infragard and holds several certifications such as CISSP, Sec+ and EnCE.
    [Show full text]