Hi!
I haven't done any new forensics training in about two years.
Can anyone give me some training resources / tips on what to do with SSDs?
I am imaging one right now, and not sure what to expect. Can anyone shine some light on the matter?
Am I likely to recover any deleted files? Will the auto-wearleveling feature mess up my evidence?
A very good read - http//
A very good read - http//
www.jdfsl.org/subscriptions/JDFSL-V5N3-Bell.pdf
I'm sorry but you are kidding aren't you?
Defamation laws prevent me from really saying anything here so I won't go into detail, but I will say I have numerous professional experiences of one of the co-authors "forensic skills" so I have a special place where I might use that paper.
One of the sad things about society is that if you work at a university all of a sudden people believe everything you say 😉
My experience aside that paper was mashed together nearly 3 years ago and the technology has changed significantly in that time period. So even if his research and testing was by some miracle actually sound, it's completely irrelevant today.
Hi!
Can anyone give me some training resources / tips on what to do with SSDs?I am imaging one right now, and not sure what to expect. Can anyone shine some light on the matter?
?
It may have been best to ask this before you started imaging the drive as 'garbage collection', which runs independently of the operating system, will begin wiping unallocated clusters soon after powering on.
Hi!
I haven't done any new forensics training in about two years.
Can anyone give me some training resources / tips on what to do with SSDs?
I am imaging one right now, and not sure what to expect. Can anyone shine some light on the matter?
Am I likely to recover any deleted files? Will the auto-wearleveling feature mess up my evidence?
It behaves exactly like any other HDD or USB storage device. You are very likely to recover deleted files )
The nice thing about SSD's, Flash…etc, it will store more deleted content than a platter. UH???? What???? 😯 Due to the limited writes to these devices, manufactures make it so the computer writes to the entire drive before reallocating the un-allocated space to new data. As stated by "Chris_Ed" I second his statement.
The nice thing about SSD's, Flash…etc, it will store more deleted content than a platter. UH???? What???? 😯 Due to the limited writes to these devices, manufactures make it so the computer writes to the entire drive before reallocating the un-allocated space to new data. As stated by "Chris_Ed" I second his statement.
It depends totally on the drives implementation. They use TRIM and garbage collection to speed up any future writing to the drives. If you write to the whole drive and then start overwriting it then it will be incredibly slow as with solid state drives you have effectively two write cycles as each block needs to be zeroed before it can be written to, instead of simply overwriting blocks like on a hdd. Generally TRIM and Garbage collection are enabled for the purpose of not slowing the drive down, after all who wants a slow drive?
I found with my old drive the whole drive was zeroed in less than a minute. http//
I ran a test in which I copied 10,000 files onto an SSD.
I then deleted 2,000 files and imaged the drive. I could see all 2,000 deleted files.
I repeated this 4 times and ended up with an image that showed no live files but 10,000 deleted files.
I saw no evidence of TRIM or Garbage collection.
The SSD did not have an Operating System on it and it was suggested to me that this would alter the results.
I am afraid I have not had time to test this with an SSD containing an OS but I will update when I have time to perform this test.
Watch this video in its entirety….
http//
Watch this video in its entirety….
http//
youtu.be/vLoYduckmuo
I don't have 45 minutes. Is there a precis available?