SSD Usage for stori...
 
Notifications
Clear all

SSD Usage for storing Images - Legal/Functional Concerns

9 Posts
5 Users
0 Likes
525 Views
citizen
(@citizen)
Posts: 38
Eminent Member
Topic starter
 

Looking at using SSD over thunderbolt for Mac Acquisitions. We use SATA in practice today. The concern regarding the SSD is focused on not being able to properly prepare a disk to be used for acquisitions.

See http//cseweb.ucsd.edu/~m3wei/assets/pdf/FMS-2010-Secure-Erase.pdf

My questions for FF community is whether practically this has created any real world challenges from a preparation/acquisition perspective?

Thanks.

 
Posted : 03/06/2016 7:36 pm
(@dandaman_24)
Posts: 172
Estimable Member
 

1. Use a new SSD for each extraction / case

2. Store the EO1's on the SSD then on return to the office transfer to a new HDD to be given to client

 
Posted : 03/06/2016 7:48 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

1. Use a new SSD for each extraction / case

2. Store the EO1's on the SSD then on return to the office transfer to a new HDD to be given to client

And what would be following step?
3. throw away the used once SSD
OR
3. wipe it as much as you can and re-use it for next case.

?

jaclaz

 
Posted : 03/06/2016 8:53 pm
(@dandaman_24)
Posts: 172
Estimable Member
 

1. Use a new SSD for each extraction / case

2. Store the EO1's on the SSD then on return to the office transfer to a new HDD to be given to client

And what would be following step?
3. throw away the used once SSD
OR
3. wipe it as much as you can and re-use it for next case.

?

jaclaz

Not much thought gone into option 2 on my part.

 
Posted : 03/06/2016 9:24 pm
citizen
(@citizen)
Posts: 38
Eminent Member
Topic starter
 

Thanks guys.

 
Posted : 06/06/2016 6:03 pm
citizen
(@citizen)
Posts: 38
Eminent Member
Topic starter
 

https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEFCON-24-Tom-Kopchak-SSD-Forensics-Research-WP.pdf

For reference.

 
Posted : 08/08/2016 5:12 pm
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

Depends as to what you mean by problems.
There seems to be some in the profession that say by not wiping a drive prior to creating an image file in E01 or similar format that the earlier data may somehow corrupt the image file, which is basically b******ks.
The other problem could be that you have to provide the disk to a 3rd party (if your acting for a company) and don't want to leave any remnants of previous data that may belong to another 3rd party. If this is the problem, you could always image to an encrypted container on the disk (such as veracrypt) and then delete over the encrypted volume after. Any fragments of the encrypted volume would be useless anyway.
Lastly, if its only for your internal use in a secure lab, who cares just re-use the disk and make sure it doesn't go anywhere!

 
Posted : 09/08/2016 8:43 pm
tracedf
(@tracedf)
Posts: 169
Estimable Member
 

What is your concern?

If your concern is leaking customer data, you can encrypt your drives as minime2k9 mentioned. This would ensure that any data left behind is essentially garbage so you don't have to worry about leaking data from one customer to another. Otherwise, only ship new or wiped (non-SSD) drives to customers.

If you're worried about the integrity of the image, don't. Using a standard format such as E01 or Ex01 is all you need. Remnant data on the drive will have no effect on the contents of your image file(s). I believe the concern over preparing the evidence drive stems from a practice of doing drive-to-drive copies rather than creating forensic images.

 
Posted : 09/08/2016 9:08 pm
citizen
(@citizen)
Posts: 38
Eminent Member
Topic starter
 

What is your concern?

Really what my OP says. In practice it is prudent to keep on top of contemporary challenges might be occurring over time with respect to this newer technology.

Btw…thank you for the added insights.

 
Posted : 10/08/2016 4:32 pm
Share: