±Forensic Focus Partners

±Your Account


Nickname
Password


Forgotten password/username?


Membership:
New Today: 0
New Yesterday: 0
Overall: 27500
Visitors: 95

±Follow Forensic Focus

Join our LinkedIn group

Subscribe to news

Subscribe to forums

Subscribe to blog

Subscribe to tweets

SSD Forensics

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Go to page Previous  1, 2, 3, 4, 5, 6, 7  Next 
  

Re: SSD Forensics

Post Posted: Mon Oct 29, 2012 7:57 am

- Adam10541
Is there some governing body that says all SSD drives must behave the same?

Yes and no, they should conform to standards (like ATA) but that doesn't mean that additional features cannot be added by single manufacturers.
- Adam10541

I would think that there would be varying operations from manufacturer to manufacturer and even between different models from the same manufacturer.

Exactly Smile

The TRIM command is an ATA standard AND such command is intended to be issued by the OS (to remain in the MS/Windows world no OS before 7/Server 2008 R2 does implement it) BUT it can be initiated allright by the SSD firmware, as well as idle time Garbage Collection see (example):
www.oczenterprise.com/...and-gc.pdf
and I presume that most drive manufacturers have different algorithms to reduce write amplification while keeping wear leveling effective:
en.wikipedia.org/wiki/...tion_(SSD)
(just for the record at least some Samsung SSD's can/could "understand" autonomously a NTFS filesystem and decide - without any "intervention" by the OS - what to do with sectors an initiate/operate TRIM like commands automtically)

Right now it seems like everything (and the contrary of everything) is possible. Shocked


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 


Last edited by jaclaz on Tue Oct 30, 2012 10:25 am; edited 1 time in total

jaclaz
Senior Member
 
 
  

Re: SSD Forensics

Post Posted: Mon Oct 29, 2012 10:07 am

I've found that when the SSD is in a raid configuration nothing gets overwritten on Windows 7 Professional and files can be carved / recovered. Having a RAID setup appears to disable the TRIM 'overwriting' functionality.

However a separate stand alone non RAID drive will lose all the information contained in a deleted file within seconds of it being deleted. 10-20 seconds in my tests.

Of course this outcome will most likely be completely different with different drives. My test drives were 'Corsair Force' drives. I used 2 x 120 GB SSD for the Software RAID 1 pair and a single 60GB SSD drive for the stand alone test.  

samson
Newbie
 
 
  

Re: SSD Forensics

Post Posted: Mon Oct 29, 2012 12:07 pm

[quote="jaclaz"
(just for the record at least some Samsung SSD's can/could "understand" autonomously a NTFS filesystem and decide - without any "intervention" by the OS - what to do with sectors an initiate/operate TRIM like commands automtically)


jaclaz[/quote]

I would be terrified to use such a drive. A drive should be dumb and do as told. Write a sector, read a sector, and told it can clear a sector down. How it handles these commands is entirely upto a drive, but if I write a sector xxx I want to beable to read that sector until I either overwrite it, or tell the drive to clear it down, with a TRIM like command.

A drive that thinks it knows the file system - including future releases is dangerous.

There must also be danger if an NTFS disk is (quick) reformatted with say Linux leaving many NTFS structures in place.
_________________
Michael Cotgrove
www.cnwrecovery.com
cnwrecovery.blogspot.com/ 

mscotgrove
Senior Member
 
 
  

Re: SSD Forensics

Post Posted: Mon Oct 29, 2012 2:35 pm

- mscotgrove

I would be terrified to use such a drive. A drive should be dumb and do as told. Write a sector, read a sector, and told it can clear a sector down. How it handles these commands is entirely upto a drive, but if I write a sector xxx I want to beable to read that sector until I either overwrite it, or tell the drive to clear it down, with a TRIM like command.

As a matter of fact I personally would like an even dumber kind of drive that doesn't have a (closed source/inaccessible) wear leveling algorithm or "transparent" (to the OS, thus completely "opaque") re-mapping of sectors.
Even on a "standard" modern hard disk the re-mapping of "bad" to "spare" or whatever, summed to on board large caches left "in the hands" of firmware of dubious validity/not tested properly is something I have difficulties in sleeping on with ease, and wait until you have a third stage, the so called hybrid drives, where you will have all mixed up cache (possibly on battery powered RAM), "real" sectors (on platter) and in the middle a SSD:
en.wikipedia.org/wiki/Hybrid_drive
or, possibly even more complex, adding in it an additional software layer Shocked :
www.ocztechnology.com/synapse-faq
(which BTW "locks" on the machine hardware)
See also the Apple thingy Neddy posted about:
www.forensicfocus.com/...ic/t=9852/
(cross linking)


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: SSD Forensics

Post Posted: Tue Oct 30, 2012 1:52 am

Just as a further link about SSD

en.wikipedia.org/wiki/...tate_drive
_________________
Institute for Digital Forensics (IDF) - LinkedIn
Mobile Telephone Examination Board (MTEB) - LinkedIn
Mobile Telephone Evidence & Forensics trewmte.blogspot.com
ForensicMobex now MTEB Linkedin Subgroup 

trewmte
Senior Member
 
 
  

Re: SSD Forensics

Post Posted: Tue Oct 30, 2012 10:30 am

..and an "in house" article Smile :
articles.forensicfocus...-about-it/

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: SSD Forensics

Post Posted: Tue Oct 30, 2012 1:24 pm

I haven't been following this forum for some time now, been too busy with other things. When I finally got back, I was surprised to see SSD and Trim are still being discussed here.

As a few people (good to see them hanging around) already correctly pointed out here, everything and anything is possible with SSD technology.

TRIM may or may not be supported by design. In some cases such support is enabled by a simple firmware upgrade. Some SSD chip manufacturers have been recommending users not to enable TRIM calling it 'a half-backed technology', offering instead their own 'garbage-collection' solution (SandForce comes to mind).

To add more, it is a well known fact that TRIM is not supported if SSD drives are used in RAID... unless you look at OCZ Revo drives sandwiched together in RAID 0 with TRIM fully supported.

So, generally speaking these exceptions prove the rule that everything is possible ,,, well, unless you had a chance to look at the particular technology before you power SSD ON ... or after, to learn how you could have saved some extra evidence Embarassed  

ecophobia
Senior Member
 
 
Reply to topicReply to topic

Share this forum topic to encourage more replies



Page 3 of 7
Go to page Previous  1, 2, 3, 4, 5, 6, 7  Next