Solid State Drive adoption in computers, tablets and devices, is presenting new challenges to the CF community. Good article by Mike Sheward explaining to some depth some of the current Forensic concerns and issues with SSD. Interesting testing and hash results with FTK imager and a write blocker.
“Rock Solid: Will Digital Forensics Crack SSD’s?”
Mike Sheward, 5 January 2012
http://resources.infosecinstitute.com/ssd-forensics/ – last access 23 January 2012 – ( Full Article )
“.. SSDs are different. Writing a virgin cell merely requires a write cycle. Rewriting a cell requires two cycles: an erase cycle and a write cycle. The erase cycle is governed by the physics, and takes time. Performance is improved by “pre-clearing” no longer needed cells (e.g., free space on the disk) during otherwise unused device cycles.
– snip –
A recent paper from Graeme Bell and Richard Boddington of Murdoch University in Perth, Solid State Drives: The Beginning of the End for Current Practices of Digital Forensic Recovery, documented several consequences of this implementation approach with respect to standard best practices for digital forensic acquisitions. In short, the autonomous pre-clearing function rendered free space unrecoverable on short order from the time that the drive was powered-on.
– snip –
As noted by Bell and Boddington, the automatic nature of the resetting function on space determined by the controller to be unallocated has several implications for standard forensics procedures:
data in unallocated space will quickly disappear on such a device (Quick format will actually cause the drive contents to be erased on short order)
the data recorded by a forensic acquisition with a write-blocker will be inconsistent with a subsequent acquisition until the reset process has completed. The cryptographic checksums (e.g., MD-5, SHA-1) generated on successive acquisitions will thus be inconsistent ..”
“Solid-State Disk Behavior Underlying Digital Forensics”
Robert Gezelter, InfoSecIsland.com , 7 March 2011
https://www.infosecisland.com/blogview/12375-Solid-State-Disk-Behavior-Underlying-Digital-Forensics.html – last access 1 April 2011 – ( Full Article )
“Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery?”
Graeme B. Bell and Richard Boddington, 2010
Journal of Digital Forensics, Security and Law, Vol. 5(3)
Interesting paper by Wei at all.
“.. Sanitizing storage media to reliably destroy data is an essential aspect of overall data security. We have empirically measured the effectiveness of hard drive-centric sanitization techniques on flash-based SSDs. For sanitizing entire disks, built-in sanitize commands are effective when implemented correctly, and software techniques work most, but not all, of the time. We found that none of the available software techniques for sanitizing individual files were effective. To remedy this problem, we described and evaluated three simple extensions to an existing FTL that make file sanitization fast and effective. Overall, we conclude that the increased complexity of SSDs relative to hard drives requires that SSDs provide verifiable sanitization operations ..”
“Reliably Erasing Data From Flash-Based Solid State Drives”
Michael Wei, Laura M. Grupp, Frederick E. Spada, and Steven Swanson
http://www.usenix.org/events/fast11/tech/full_papers/Wei.pdf – last access 16 March 2011 – ( The Paper )
“.. In research that has important findings for banks, businesses and security buffs everywhere, scientists have found that computer files stored on solid state drives are sometimes impossible to delete using traditional disk-erasure techniques.
Even when the next-generation storage devices show that files have been deleted, as much as 75 percent of the data contained in them may still reside on the flash-based drives, according to the research, presented at the Usenix FAST 11 conference in California. In some cases, the SSDs, or sold-state drives, incorrectly indicate the files have been “securely erased” even though duplicate files remain in secondary locations.
The difficulty of reliably wiping SSDs stems from their radically different internal design. Traditional ATA and SCSI hard drives employ magnetizing materials to write contents to a physical location that’s known as the LBA, or logical block address. SSDs, by contrast, use computer chips to store data digitally and employ an FTL, or flash translation layer, to manage the contents. When data is modified, the FTL frequently writes new files to a different location and updates its map to reflect the change ..”
“Flash drives dangerously hard to purge of sensitive data”
Dan Goodin, The Register UK, 21 February 2011
http://www.theregister.co.uk/2011/02/21/flash_drive_erasing_peril/ – last access 16 March 2011 – ( News Article )