Forensic Software for SSD

(@hightronicdesign)
Posts: 2
New Member
Topic starter
 

Hi all,

First of all, thanks for approving my request to join this forum.
Since this is my first post here, I hope that I am doing everything correctly.

I'll try to keep my request short.

So, I am working on my Bachelor thesis right now, which analyzes the effect of SSD wear leveling on digital forensics.

Now I am about to collect as many tools/software as possible that focus on SSD forensics.

I already found and used for another scientific work some tools, but now I need to go much more in detail and I hope that some of you guys can give me some hints which tools are designed for this scope.

Thanks a lot in advance

 
Posted : 22/01/2018 9:15 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Now I am about to collect as many tools/software as possible that focus on SSD forensics.

I already found and used for another scientific work some tools, but now I need to go much more in detail and I hope that some of you guys can give me some hints which tools are designed for this scope.

I am not sure I understand what you are looking for/expect.

At software level an SSD is not particularly different from *any other* block device, most - if not all - the "magic" (deletes, trim, garbage collection and wear leveling) happens in the controller.

Previous works on the matter, some of which are mentioned here
http://www.forensicswiki.org/wiki/Solid_State_Drive_(SSD)_Forensics

And particularly the actual article by Wei and others
https://www.usenix.org/event/fast11/tech/full_papers/Wei.pdf

More or less revolve around the need of using specialized hardware to directly access flash chips (by-passing the controller).

This does not exclude that software tools may exist (whether they are actually available is another thing) that can connect to the controller on the SSD at a lower level than ordinary tools, but surely they will be very "narrow" and specific to a given make/model of controller.

Additionally, the wear-leveling feature may be managed by an FTL (Flash Translation Layer) that is embedded in the flash chip itself, so anyway mileage may vary depending on specific makes/models.

jaclaz

 
Posted : 22/01/2018 10:27 am
 c1ue
(@c1ue)
Posts: 3
New Member
 

@hightronicdesign

Is your interest associated with the changes in reminiscence due to wear leveling operations in SSD?

If that is what you're looking at - I don't think it is really a tool issue as @jaclaz notes. Any of the well known hardware or software based write block methods will do the trick.

@jaclaz

We have seen anecdotally that there are very different reminiscence times for deleted files or other artifacts in SSDs due to different fundamental behavior. There is a different underlying behavior in SSDs which affects forensic examinations.

 
Posted : 22/01/2018 1:04 pm
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

In the latest YouTube videos from Scott Moulton, he mentioned something about reading parameters from an SSD will give you a list of garbage that you cannot trust. Can't remember what it was about but I noted it, so there are some differences.

 
Posted : 22/01/2018 8:07 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Yep, this is exactly my point (and also the actual results of the mentioned works on the matter).

A - say - Samsung model X will behave differently from - still say - a Kingston model Y.

And the hypothetical software tools (if any exists or can exist) that may inspect them at such a low level will be different.

The non-hypothetical (but still nothing you can buy at the shop around the corner) hardware ones (such as the Ming the Merciless used for the given article) may be useful for chip-offs as long as the chips are the same kind/type.

As hinted however it is possible that specifically the wear leveling layer has been moved in some models from the controller to the actual chip, and then possibly not even specialized hardware might be able to inspect anything.

jaclaz

 
Posted : 22/01/2018 8:56 pm
(@hightronicdesign)
Posts: 2
New Member
Topic starter
 

Thank you all for the answers and sorry for my very late response ;)

Based on my empty Samsung SSD here, how would you guys understand the "Wear Leveling Count" here

ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  9 Power_On_Hours          0x0032   098   098   ---    Old_age   Always   -           6172
 12 Power_Cycle_Count       0x0032   099   099   ---    Old_age   Always   -           650
175 Program_Fail_Count_Chip 0x0032   100   100   ---    Old_age   Always   -           0
176 Erase_Fail_Count_Chip   0x0032   100   100   ---    Old_age   Always   -           0
177 Wear_Leveling_Count     0x0013   099   099   ---    Pre-fail  Always   -           9
178 Used_Rsvd_Blk_Cnt_Chip  0x0013   080   080   ---    Pre-fail  Always   -           402
179 Used_Rsvd_Blk_Cnt_Tot   0x0013   081   081   ---    Pre-fail  Always   -           740
180 Unused_Rsvd_Blk_Cnt_Tot 0x0013   081   081   ---    Pre-fail  Always   -           3292
181 Program_Fail_Cnt_Total  0x0032   100   100   ---    Old_age   Always   -           0
182 Erase_Fail_Count_Total  0x0032   100   100   ---    Old_age   Always   -           0
183 Runtime_Bad_Block       0x0013   100   100   ---    Pre-fail  Always   -           0
187 Reported_Uncorrect      0x0032   100   100   ---    Old_age   Always   -           0
190 Airflow_Temperature_Cel 0x0022   075   056   ---    Old_age   Always   -           25
195 Hardware_ECC_Recovered  0x001a   200   200   ---    Old_age   Always   -           0
198 Offline_Uncorrectable   0x0030   100   100   ---    Old_age   Offline  -           0
199 UDMA_CRC_Error_Count    0x003e   253   253   ---    Old_age   Always   -           0
233 Media_Wearout_Indicator 0x003a   199   199   ---    Old_age   Always   -           6390
234 Unknown_Attribute       0x0012   100   100   ---    Old_age   Always   -           0
235 Unknown_Attribute       0x0012   099   099   ---    Old_age   Always   -           45
236 Unknown_Attribute       0x0012   099   099   ---    Old_age   Always   -           83
237 Unknown_Attribute       0x0012   099   099   ---    Old_age   Always   -           218
238 Unknown_Attribute       0x0012   099   099   ---    Old_age   Always   -           740

 
Posted : 28/04/2018 9:00 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Based on my empty Samsung SSD here, how would you guys understand the "Wear Leveling Count" here

Let's start with the pickiness, what you posted is (obviously) not "your empty Samsung SSD" (and empty means nothing anyway), what you posted is the output of *some* program that interrogated *somehow* *something* inside the Samsung SSD after you issued *some* (unknown/unreported) command.

They look like S.M.A.R.T. parameters, but S.M.A.R.T. values (being not a real standard) have different meanings on different devices and not necessarily a given device may conform to the believed to be standard parts of the non-standard.

Let's take only parameter 9, is it expressed in seconds, minutes or hours (or something else)?

Compare with
https://www.smartmontools.org/wiki/FAQ#Iseesomestrangeoutputfromsmartctl.Whatdoesitmean

jaclaz

 
Posted : 28/04/2018 11:59 am
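
Added example (not part of any post in this thread, and not smartmontools code): a parser for the attribute table posted above that separates the columns smartctl derives from the FLAG word (TYPE, UPDATED) from the vendor-defined VALUE and RAW_VALUE, which is the distinction the last reply draws. The flag-bit names follow smartmontools' brief flag letters (POSRCK); the function names are this example's own.

```python
# Added example: split a `smartctl -A` style attribute table into what the
# tool derives from the FLAG word and what only the vendor can define.
# Rows below are copied from the output posted in this thread.
SAMPLE = """\
9 Power_On_Hours 0x0032 098 098 --- Old_age Always - 6172
177 Wear_Leveling_Count 0x0013 099 099 --- Pre-fail Always - 9
190 Airflow_Temperature_Cel 0x0022 075 056 --- Old_age Always - 25
198 Offline_Uncorrectable 0x0030 100 100 --- Old_age Offline - 0
233 Media_Wearout_Indicator 0x003a 199 199 --- Old_age Always - 6390
"""

# ATA attribute flag bits, named as in smartmontools' brief output (POSRCK).
FLAG_BITS = {0x01: "prefailure", 0x02: "online", 0x04: "performance",
             0x08: "error_rate", 0x10: "event_count", 0x20: "self_preserving"}


def parse_row(line):
    """Parse one row; RAW_VALUE may contain spaces, so split at most 9 times."""
    f = line.split(None, 9)
    if len(f) != 10:
        raise ValueError(f"not an attribute row: {line!r}")
    flag = int(f[2], 16)
    return {"id": int(f[0]), "name": f[1], "flag": flag,
            "flags": [n for bit, n in FLAG_BITS.items() if flag & bit],
            "value": int(f[3]), "worst": int(f[4]), "thresh": f[5],
            "type": f[6], "updated": f[7], "when_failed": f[8], "raw": f[9]}


def derived_columns_consistent(row):
    """TYPE and UPDATED only restate flag bits 0 and 1; check that they agree."""
    want_type = "Pre-fail" if row["flag"] & 0x01 else "Old_age"
    want_upd = "Always" if row["flag"] & 0x02 else "Offline"
    return row["type"] == want_type and row["updated"] == want_upd


def parse_table(text):
    """Parse every non-empty line of an attribute table (header excluded)."""
    return [parse_row(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for r in parse_table(SAMPLE):
        ok = "ok" if derived_columns_consistent(r) else "MISMATCH"
        # raw is printed as an opaque string: its unit is vendor-defined.
        print(f"{r['id']:>3} {r['name']:<24} norm={r['value']:>3} "
              f"raw={r['raw']:<6} flags={'+'.join(r['flags'])} [{ok}]")
```

The consistency check only validates the tool-derived columns; it says nothing about what a normalized value of 099 or a raw value of 9 means for attribute 177 on a given drive model.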