While using a computer, all the data manipulated is written temporarily in RAM: texts, saved files, but also passwords and encryption keys. The more recent the activity, the more likely it is for the data to still be in RAM.

After a computer is powered off, the data in RAM disappears rapidly, but it can remain in RAM up to several minutes after shutdown. An attacker having access to a computer before it disappears completely could recover important data from your session.

This can be achieved using a technique called cold boot attack . To prevent this attack, the data in RAM is overwritten by random data when shutting down Tails. This erases all traces from your session on that computer.

Moreover, an attacker having physical access to the computer while Tails is running can recover data from RAM as well. To avoid that, learn the different methods to shutdown Tails rapidly.

As far as we know, cold boot attacks are not a common procedure for data recovery, but it might still be good to be prepared. If no cold boot attack happens directly after shutdown, the RAM empties itself in minutes, and all data disappears.