SSD Forensics

48 Posts
19 Users
0 Likes
6,225 Views
(@scottyxx)
Posts: 13
Active Member
Topic starter
 

Hi!

I haven't done any new forensics training in about two years.

Can anyone give me some training resources / tips on what to do with SSDs?

I am imaging one right now, and not sure what to expect. Can anyone shine some light on the matter?

Am I likely to recover any deleted files? Will the auto-wearleveling feature mess up my evidence?

 
Posted : 25/10/2012 10:18 pm
cgpa1
(@cgpa1)
Posts: 17
Active Member
 

A very good read - http://www.jdfsl.org/subscriptions/JDFSL-V5N3-Bell.pdf

 
Posted : 26/10/2012 2:09 am
Adam10541
(@adam10541)
Posts: 550
Honorable Member
 

A very good read - http://www.jdfsl.org/subscriptions/JDFSL-V5N3-Bell.pdf

I'm sorry but you are kidding aren't you?

Defamation laws prevent me from really saying anything here so I won't go into detail, but I will say I have numerous professional experiences of one of the co-authors' "forensic skills" so I have a special place where I might use that paper.

One of the sad things about society is that if you work at a university all of a sudden people believe everything you say 😉

My experience aside, that paper was mashed together nearly 3 years ago and the technology has changed significantly in that time period. So even if his research and testing were by some miracle actually sound, it's completely irrelevant today.

 
Posted : 26/10/2012 7:27 am
(@jonathan)
Posts: 878
Prominent Member
 

Hi!
Can anyone give me some training resources / tips on what to do with SSDs?

I am imaging one right now, and not sure what to expect. Can anyone shine some light on the matter?

It may have been best to ask this before you started imaging the drive as 'garbage collection', which runs independently of the operating system, will begin wiping unallocated clusters soon after powering on.

 
Posted : 26/10/2012 11:58 am
Chris_Ed
(@chris_ed)
Posts: 314
Reputable Member
 

Hi!

I haven't done any new forensics training in about two years.

Can anyone give me some training resources / tips on what to do with SSDs?

I am imaging one right now, and not sure what to expect. Can anyone shine some light on the matter?

Am I likely to recover any deleted files? Will the auto-wearleveling feature mess up my evidence?

It behaves exactly like any other HDD or USB storage device. You are very likely to recover deleted files :)

 
Posted : 26/10/2012 12:14 pm
mrpumba
(@mrpumba)
Posts: 116
Estimable Member
 

The nice thing about SSDs, Flash… etc., is that they will store more deleted content than a platter. UH???? What???? 😯 Due to the limited writes to these devices, manufacturers make it so the computer writes to the entire drive before reallocating the unallocated space to new data. As stated by "Chris_Ed", I second his statement.

 
Posted : 26/10/2012 3:16 pm
(@agolding)
Posts: 31
Eminent Member
 

The nice thing about SSDs, Flash… etc., is that they will store more deleted content than a platter. UH???? What???? 😯 Due to the limited writes to these devices, manufacturers make it so the computer writes to the entire drive before reallocating the unallocated space to new data. As stated by "Chris_Ed", I second his statement.

It depends totally on the drive's implementation. They use TRIM and garbage collection to speed up any future writing to the drives. If you write to the whole drive and then start overwriting it, it will be incredibly slow, as with solid state drives you effectively have two write cycles: each block needs to be zeroed before it can be written to, instead of simply overwriting blocks like on an HDD. Generally TRIM and garbage collection are enabled for the purpose of not slowing the drive down; after all, who wants a slow drive?

I found with my old drive the whole drive was zeroed in less than a minute. http://dig-forensics.blogspot.co.uk/#!/2011/03/solid-state-drives-and-trim.html

 
Posted : 26/10/2012 6:26 pm
(@ludlowboy)
Posts: 71
Trusted Member
 

I ran a test in which I copied 10,000 files onto an SSD.
I then deleted 2,000 files and imaged the drive. I could see all 2,000 deleted files.
I repeated this 4 times and ended up with an image that showed no live files but 10,000 deleted files.
I saw no evidence of TRIM or Garbage collection.

The SSD did not have an Operating System on it and it was suggested to me that this would alter the results.
I am afraid I have not had time to test this with an SSD containing an OS but I will update when I have time to perform this test.

 
Posted : 27/10/2012 12:18 am
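
An added example, not code from any poster in this thread: whether garbage collection has wiped deleted data on a particular drive, as debated in the posts above, can be checked by acquiring the drive twice and comparing the images. The sketch assumes a 4096-byte comparison granularity and uses constructed sample data; all function names are hypothetical.

```python
import io

BLOCK = 4096  # assumed comparison granularity, not a property of any specific SSD


def zero_block_map(stream, block=BLOCK):
    """Return one boolean per block: True where every byte read is 0x00."""
    flags = []
    while True:
        chunk = stream.read(block)
        if not chunk:
            return flags
        flags.append(chunk.count(0) == len(chunk))


def compare_acquisitions(first, second, block=BLOCK):
    """Compare two raw images of the same drive acquired at different times."""
    a, b = zero_block_map(first, block), zero_block_map(second, block)
    if len(a) != len(b):
        raise ValueError("image sizes differ: wrong device or short read")
    # Blocks that held data at the first acquisition but read as zeros later.
    wiped = [i for i, (za, zb) in enumerate(zip(a, b)) if zb and not za]
    return {"blocks": len(a), "zero_first": sum(a), "zero_second": sum(b),
            "wiped_between": wiped}


def demo():
    """Constructed 8-block sample: blocks 2-5 stand in for deleted file content."""
    def fill(byte):
        return bytes([byte]) * BLOCK
    img1 = b"".join([fill(0x41), fill(0x42), fill(0x64), fill(0x64),
                     fill(0x64), fill(0x64), fill(0x00), fill(0x00)])
    img2 = bytearray(img1)
    img2[3 * BLOCK:5 * BLOCK] = bytes(2 * BLOCK)  # blocks 3-4 now read as zeros
    return compare_acquisitions(io.BytesIO(img1), io.BytesIO(bytes(img2)))


if __name__ == "__main__":
    print(demo())
```

For real acquisitions, open the two image files in binary mode and pass the file objects. A block listed as wiped only shows that the drive returned zeros on the second read; it does not say which mechanism caused it.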
mrpumba
(@mrpumba)
Posts: 116
Estimable Member
 

Watch this video in its entirety….

http://youtu.be/vLoYduckmuo

 
Posted : 27/10/2012 4:43 pm
(@jonathan)
Posts: 878
Prominent Member
 

Watch this video in its entirety….

http://youtu.be/vLoYduckmuo

I don't have 45 minutes. Is there a precis available?

 
Posted : 27/10/2012 6:04 pm
Page 1 / 5