Thumb drives/SSD US...
 
Notifications
Clear all

Thumb drives/SSD USB forensics

6 Posts
6 Users
0 Likes
261 Views
(@wotsits)
Posts: 253
Reputable Member
Topic starter
 

I recall reading some time ago that because of the way SSD memory is designed anything that was ever on there no matter how many times it's been overwritten will always still be on there.

Is it really the case that if a file on there gets deleted, then the entire memory over written several times, that file will still be recovered fully in tact?

 
Posted : 26/06/2015 4:19 am
Adam10541
(@adam10541)
Posts: 550
Honorable Member
 

Lots of questions on a range of different subjects coming lately, can I ask if you are a student or just interested in a wide variety of subjects?

 
Posted : 26/06/2015 5:51 am
Passmark
(@passmark)
Posts: 376
Reputable Member
 

wotsits,

Think about what you are asking?
Does a SSD have infinite capacity? The answer is of course no. If you fill the entire drive with zeros, then the entire drive is full of zeros & the old files are gone.

Overwriting just a single file on the disk is a different story however. Bits of the old file could indeed be left on the drive due to wear levelling. But on the other hand most SSD actively delete unused blocks. So you might in fact get less deleted data from a SSD, compared to a HDD.

There is lots of research published on this if you do some searching.

 
Posted : 26/06/2015 6:06 am
(@belkasoft)
Posts: 169
Estimable Member
 

We have a comprehensive whitepaper on the subject http//belkasoft.com/en/ssd-2014

Basically, it answers all the questions asked in the original post while adding even more uncertainty about how things will actually work in a particular situation. To that whitepaper, I can add that we have recently tested a Windows tablet equipped with eMMC storage, and discovered that eMMC has both similarities (TRIM, remapping, garbage collection) and differences (no DRAT/DZAT support) to SSD drives.

 
Posted : 27/06/2015 1:33 am
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

wotsits,

You could test out your own question pretty easily

1) Buy an SSD drive and fill it with files you created and know by name.

2) Delete all of the files from the SSD.

3) Use CCleaner, a free tool, to "wipe" the drive. You can setup 1 pass or 35 pass wipes to test your theories.

4) Use FTK Imager, another free tool, to look at the now deleted and wiped contents of the SSD drive.

5) Identify which if any files still remain on the SSD drive.

 
Posted : 27/06/2015 3:41 am
(@mscotgrove)
Posts: 938
Prominent Member
 

I think what may be 'confusing' wotsits is that a logical sector on an SSD is not the same as a physical one. It is therefore possible that some sectors may still contain data, but will not actually be visible unless you do a chip off operation. (Chip off then brings many other problems such as XOR patterns and encryption of data blocks.)

The question should be based around how can one be 100% sure a deleted file has been wiped, and is not sitting as 'spare' sectors on the SSD.

In your tests suggested in the last post, you also want to be aware of the effect of TRIM, enabled or not enabled.

 
Posted : 27/06/2015 11:06 am
Share: