SSD Forensics

Re: SSD Forensics

Posted: Mon Nov 12, 2012 6:03 am

- trewmte
Questions about reliability of SSDs have been discussed recently in two articles:
Why SSD Drives Destroy Court Evidence, and What Can Be Done About It: Part 1
By Yuri Gubanov, Oleg Afonin. Article posted: September 26, 2012
www.dfinews.com/articl...-it-part-1
www.dfinews.com/articl...-it-part-2

I happen to be one of the authors of the article referenced below. It's also available here on FF articles.forensicfocus...-about-it/

While not scientific research in the fully scientific sense, this is still a pretty good snapshot of the state of the art in SSD forensics as of Sept. 2012. As far as I know, little has changed since then. 500GB SSDs have been introduced, some Samsung drives broke previous price-per-gigabyte records, but that was about it.

SSD forensics remains hit-or-miss. With SSDs, we're well into probabilistic forensics territory. TRIM may or may not work depending on how the drive was connected, which operating system, what file system, and what exactly was done to the data being destroyed. Crypto containers stored on SSD volumes are yet another matter and are also hit-or-miss, as some manufacturers enable garbage collection within their containers (normally with an option that's disabled by default) and some don't.

In a word, if a fairly modern SSD was used in a Windows 7 PC, connected internally via ATA, formatted with NTFS, no crypto containers, and some data was deleted, then probably that data is now gone. If any one of these conditions is not satisfied (e.g. Vista, or USB connection, or formatted with FAT, or data was stored within a crypto container, or the disk was corrupted - in which case the TRIM command is not being issued), then there is a good chance that even deleted data can be restored with carving.

Otherwise, you'll only get whatever files are available (as in "not deleted").
_________________
Digital Evidence Extraction Software
belkasoft.com 

Belkasoft
Senior Member

Re: SSD Forensics

Posted: Mon Nov 12, 2012 1:23 pm

I have always thought that the TRIM command only runs when the drive is in a 'quiet' state; I would like to think that imaging a drive, with all the reads, would leave the controller very little time to perform such tasks.
Having said that, I would resist connecting a drive up, going to lunch and starting the acquisition on my return.

There may be a little bit of sky-falling syndrome on this; as pointed out above, there are lots of different setups and scenarios which would mean an SSD would perform the same as a normal mechanical drive, and once it is acquired the fact it is an SSD shouldn't really matter for examination.

Like Chris Ed, I have recovered plenty of deleted data from SSD drives, suspects' and my own (different reasons, of course), so I would like to suggest giving it a go and treating it as a normal HDD.

For future work, I think I will be looking a bit more into Mr Sanderson's comments; if I read it right and you can switch off the OS from issuing any housekeeping commands to the SSD, that has to be a good thing for any forensic acquisition workstation.

It would be nice if those lovely makers of hardware write blockers also blocked these types of commands as well; if it is a standard ATA command, would that be possible?


Mike  

mykulh
Member

Re: SSD Forensics

Posted: Tue Nov 13, 2012 12:37 pm

- mykulh
For future work, I think I will be looking a bit more into Mr Sanderson's comments; if I read it right and you can switch off the OS from issuing any housekeeping commands to the SSD, that has to be a good thing for any forensic acquisition workstation.

The problem is, while you can configure the OS to not issue new TRIM commands, any pending garbage collection work will be committed by the SSD controller regardless. In fact, garbage collection may begin the moment the SSD is powered on even if no operating system is loaded.

Another side of the same issue is the way the TRIM command and garbage collection are implemented in various SSD controllers. Some controllers will return all zeroes just a moment after a data block is declared as "available" by the TRIM command. Even if the block still contains data, there will be no easy way to read that data, as the SSD controller will substitute it with zeroes. Technically, one can read the data directly off a flash chip, but that requires custom hardware and a lot of extra effort.

That said, some SSD controllers will allow accessing the actual data from pending blocks until the moment they're actually erased by the garbage collection process.

The bottom line is: it's worth a try, but there's no guarantee.
_________________
Digital Evidence Extraction Software
belkasoft.com 

Belkasoft
Senior Member
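mykulh asked above about stopping the OS from issuing housekeeping commands, and the reply just above notes that some controllers return zeros for trimmed blocks while others still hand out the stale data until garbage collection erases it. The script below is an added example, not code from either poster or from Belkasoft. It parses the feature lines that `hdparm -I` reports ("Data Set Management TRIM supported", "Deterministic read ZEROs after TRIM", "Deterministic read data after TRIM") to classify what the drive will do with trimmed LBAs, and parses /proc/mounts to find file systems the acquisition host mounts with the `discard` option, where the kernel sends TRIM on every delete. The `hdparm` and `/proc/mounts` text embedded here is constructed so the script runs without a real drive; the command names are real, but whether a particular drive prints those exact feature strings is an assumption to be checked against its live output.

```shell
#!/bin/sh
# Added example for this thread (not code from any poster or from Belkasoft):
# classify what an SSD reports about TRIM and check whether the acquisition
# host itself is configured to issue TRIM. The parsers take text, so a
# constructed sample of `hdparm -I` and /proc/mounts output is embedded here
# and the script runs without touching a real drive.

# Constructed sample of the feature lines `hdparm -I /dev/sdX` prints for a
# drive that supports TRIM and returns zeros for trimmed LBAs (assumption:
# real drives print these exact strings).
SAMPLE_HDPARM='   *    Data Set Management TRIM supported (limit 8 blocks)
   *    Deterministic read ZEROs after TRIM'

# Constructed /proc/mounts lines: root mounted with `discard`, the evidence
# mount read-only without it.
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime,discard 0 0
/dev/sdb1 /mnt/evidence ntfs ro,noatime 0 0'

# classify_trim <text of hdparm -I>
# Prints one of:
#   no-trim                drive does not advertise TRIM
#   trim-dzat              trimmed LBAs read back as zeros (DZAT): carving the
#                          image cannot recover them through the ATA interface
#   trim-drat              trimmed LBAs read back deterministically (DRAT),
#                          not necessarily as zeros
#   trim-nondeterministic  stale data may still be returned until the
#                          controller's garbage collection erases the block
classify_trim() {
    text=$1
    if ! printf '%s\n' "$text" | grep -q 'Data Set Management TRIM supported'; then
        echo no-trim
    elif printf '%s\n' "$text" | grep -q 'Deterministic read ZEROs after TRIM'; then
        echo trim-dzat
    elif printf '%s\n' "$text" | grep -q 'Deterministic read data after TRIM'; then
        echo trim-drat
    else
        echo trim-nondeterministic
    fi
}

# discard_mounts <text of /proc/mounts>
# Prints each mount point whose option list (field 4) contains `discard`,
# i.e. where the kernel sends TRIM as files are deleted. Prints nothing
# when no mount has it.
discard_mounts() {
    printf '%s\n' "$1" | awk '{
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) if (opt[i] == "discard") print $2
    }'
}

# Live use on a Linux acquisition workstation (hdparm needs root):
#   classify_trim "$(hdparm -I /dev/sdX)"
#   discard_mounts "$(cat /proc/mounts)"
#   systemctl is-enabled fstrim.timer    # periodic TRIM on systemd hosts
# The Windows equivalent of the OS-side switch is
#   fsutil behavior query DisableDeleteNotify   (1 = OS does not send TRIM)

echo "drive:          $(classify_trim "$SAMPLE_HDPARM")"
echo "discard mounts: $(discard_mounts "$SAMPLE_MOUNTS")"
```

The drive classification only tells you what reads through the ATA interface will return; as the post above says, a drive reporting "Deterministic read ZEROs after TRIM" can still hold the data in flash, but recovering it means reading the chips directly. The mount check is about the workstation, not the evidence drive: a `discard` mount or an enabled fstrim timer on the host is the housekeeping behaviour mykulh wanted switched off before an evidence SSD is attached without a write blocker.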
 
 
  

Re: SSD Forensics

Posted: Tue Nov 13, 2012 2:32 pm

As I see it, the real issue is that since - as said - everything and the contrary of everything is possible, at least in theory, and since we are not talking of trifling matters, but of evidence that often needs to be sound enough to be the very foundation for the decision to either condemn or discharge/acquit someone in a civil case or criminal court, there are very few possibilities.

Unless (and *somehow*) a correct, exact, verified and re-verified database of all SSD devices is made available (possibly without the cooperation of manufacturers that AFAIK tend to hide - understandably - behind patents, reserved procedures, and what not the exact way their devices work), and such database info is used to adopt on a "case by case" basis the most suited approach, the only "greatest common divisor" could be a "chip-off" procedure, which carries with it quite a few caveats:
  1. the actual operators will need to gain new skills in hardware handling and "hacking"
  2. there seem to be not that many products on the market capable of reading chips
  3. in any case there is evidently a lack of specific, verified information on the chip mappings, so that there is no actual certainty about the results of a successful read directly from the chip
  4. due to the lack of info on the actual specifications/manufacturer wear leveling/remapping algorithms, re-converting the "objective" RAW-RAW data from the direct read to at least RAW filesystem data could be daunting (and not guaranteed to succeed)

The Ming the Merciless board depicted in one of the articles is nothing but a prototype built by the UCSD:
www.usenix.org/events/...rs/Wei.pdf

There are actual commercial devices capable of doing that; I know about:
flash-extractor.com/
(but there could be others)

But the point remains about their documentation and specifically about documentation on the single devices/controllers/chips.

If I am allowed a comparison with data recovery, the tool that is commonly used, the PC-3000, is in itself a "simple" piece of (specialized) hardware; its "added value" is given by the actual resources/research/data that the actual makers do and update constantly.

But the whole data recovery business has IMHO far less stringent requisites about "validation" than digital forensics. I mean, the worst that can happen if a firmware fix or module load fails is that you go to the customer and tell him/her (it depends on personal styles/policies) "The data was not recoverable" or "Unfortunately the failure was worse than we initially thought" or the like, but no one goes to prison (or is left free unjustly after having committed a crime); there is simply loss of data, costly as it might be, but people (and society) can normally overcome that.

I presume that it is way tougher to go to a judge and tell him (say) "No meaningful data was on the device" with a prosecution (or defense) attorney (and his/her "expert witness") ready to attack you on the procedure you used (that might be, BTW, in perfect good faith) as incorrect and actually the cause of the loss of evidence.


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member

Re: SSD Forensics

Posted: Fri Nov 16, 2012 6:10 am

Give [e-mail removed] a message; he did a dissertation on this as his final project. I'm sure he will send it to you :) If not, leave your e-mail with me and I'll ask him to send it :D

gmlw0908
Member

Re: SSD Forensics

Posted: Fri Nov 16, 2012 12:10 pm

- gmlw0908
Give [e-mail removed] a message; he did a dissertation on this as his final project. I'm sure he will send it to you :) If not, leave your e-mail with me and I'll ask him to send it :D


Are you really sure it is appropriate to publish a third-party personal e-mail on a public forum?

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member

Re: SSD Forensics

Posted: Sat Nov 17, 2012 6:29 am

He is my boyfriend; we both studied BSc (Hons) Forensic Computing, so yes, he does know.

Thank you for your concern...  

gmlw0908
Member

Page 5 of 7