SSD Forensics


Re: SSD Forensics

Post Posted: Fri Oct 26, 2012 6:18 pm

I ran a test in which I copied 10,000 files onto an SSD.
I then deleted 2,000 files and imaged the drive. I could see all 2,000 deleted files.
I repeated this 4 times and ended up with an image that showed no live files but 10,000 deleted files.
I saw no evidence of TRIM or Garbage collection.

The SSD did not have an Operating System on it and it was suggested to me that this would alter the results.
I am afraid I have not had time to test this with an SSD containing an OS but I will update when I have time to perform this test.
_________________
There is nothing either good or bad, but thinking makes it so. 

ludlowboy
Senior Member
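
Added example (not part of the post above, and not the poster's own tooling): one way to check an image from a copy/delete/image test like this for evidence of TRIM is to test whether the sectors that belonged to the deleted files still hold data or read back as zeros. The 512-byte sector size, the extent list and the in-memory sample image are assumptions constructed for the illustration.

```python
"""Classify deleted-file extents in a raw image as wiped, partial or intact."""
from dataclasses import dataclass

SECTOR = 512  # assumed logical sector size


@dataclass
class ExtentResult:
    name: str
    sectors: int
    zeroed: int

    @property
    def state(self) -> str:
        if self.zeroed == self.sectors:
            return "wiped"
        return "intact" if self.zeroed == 0 else "partial"


def scan_extents(image, extents):
    """image: bytes-like (or mmap); extents: (name, first_sector, sector_count)."""
    zero = bytes(SECTOR)
    results = []
    for name, first, count in extents:
        if (first + count) * SECTOR > len(image):
            raise ValueError(f"{name}: extent runs past end of image")
        zeroed = sum(
            image[s * SECTOR:(s + 1) * SECTOR] == zero
            for s in range(first, first + count)
        )
        results.append(ExtentResult(name, count, zeroed))
    return results


def summarize(results):
    return {r.name: r.state for r in results}


def build_sample_image():
    """Constructed 64-sector image with three 'deleted' files at known offsets."""
    img = bytearray(64 * SECTOR)
    img[8 * SECTOR:16 * SECTOR] = b"A" * (8 * SECTOR)   # a.dat: data still present
    img[24 * SECTOR:28 * SECTOR] = b"C" * (4 * SECTOR)  # c.dat: first half survives
    # b.dat (sectors 16-23) stays zero, as on a drive that returns zeros after TRIM
    return bytes(img)


SAMPLE_EXTENTS = [("a.dat", 8, 8), ("b.dat", 16, 8), ("c.dat", 24, 8)]

if __name__ == "__main__":
    for r in scan_extents(build_sample_image(), SAMPLE_EXTENTS):
        print(f"{r.name}: {r.zeroed}/{r.sectors} sectors zero -> {r.state}")
```

In practice the extents would come from the file system metadata of the deleted entries; a file whose content was all zeros to begin with would also be reported as wiped, so compare against known file content where the test allows it.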
 
 
  

Re: SSD Forensics

Post Posted: Sat Oct 27, 2012 10:43 am

Watch this video in its entirety....

youtu.be/vLoYduckmuo  

mrpumba
Senior Member
 
 
  

Re: SSD Forensics

Post Posted: Sat Oct 27, 2012 12:04 pm

- mrpumba
Watch this video in its entirety....

youtu.be/vLoYduckmuo


I don't have 45 minutes. Is there a precis available?
_________________
Forensic Control
twitter.com/ForensicControl
Studio 314, Vox Studios, 1-45 Durham Street, London, SE11 5JH 

Jonathan
Senior Member
 
 
  

Re: SSD Forensics

Post Posted: Sat Oct 27, 2012 7:17 pm

- Jonathan
- mrpumba
Watch this video in its entirety....

youtu.be/vLoYduckmuo


I don't have 45 minutes. Is there a precis available?


@ Scottyxx - Can anyone give me some training resources / tips on what to do with SSDs?

I am imaging one right now, and not sure what to expect. Can anyone shine some light on the matter?

Am I likely to recover any deleted files? Will the auto wear-leveling feature mess up my evidence?


Isn't everything we do in CF based on time consumption?? In any case, this is a good video describing the operations of an SSD and how it relates to what we do. The question posed here is what to expect of an imaged SSD, and wear leveling - answers some of the questions posed.

mrpumba
Senior Member
 
 
  

Re: SSD Forensics

Post Posted: Mon Oct 29, 2012 1:05 am

Is there some governing body that says all SSD drives must behave the same?

I would think that there would be varying operations from manufacturer to manufacturer and even between different models from the same manufacturer.

From the few posts here from people that have tested already there are different results. I have an SSD drive which I can see deleted files on. I've not done any sort of testing beyond hooking it up and looking in X-Ways, but the very fact that there are deleted files recoverable seems to fly in the face of some people's assumptions that all unallocated clusters are zeroed out when the drive is powered up.

Adam10541
Senior Member
 
 
  

Re: SSD Forensics

Post Posted: Mon Oct 29, 2012 8:42 am

An SSD drive itself has no knowledge if a sector is unallocated space or not. It is up to the device driver on the host to send the drive the Trim message to say 'these sectors are now free'.

I would speculate that if you put an SSD drive on an old Windows 98 system and deleted the files no Trim command would be sent.

If the actual logic for an unallocated sector was part of the SSD logic, then it would need to know all past, and all future file systems.

And as Adam10541 says, why should all systems work in the same way?
_________________
Michael Cotgrove
www.cnwrecovery.com
www.goprorecovery.co.uk 

mscotgrove
Senior Member
 
 
  

Re: SSD Forensics

Post Posted: Mon Oct 29, 2012 10:04 am

- mscotgrove
An SSD drive itself has no knowledge if a sector is unallocated space or not. It is up to the device driver on the host to send the drive the Trim message to say 'these sectors are now free'.

..

And as Adam10541 says, why should all systems work in the same way?


I think you've answered your own question there. TRIM is an ATA command, and I think it would be hard to find an SSD which didn't support ATA commands :)

I think that by the time most of us here see an SSD HDD (i.e., post-seizure) then what is there is there. If there has been some wiping before it came to you, well, so be it - but indicators are that if you merely switch it on (for example, via write-blocker) then you aren't activating garbage collection and you aren't removing evidence.

Chris_Ed
Senior Member
 
 
