Notifications

Clear all

Issues with: Forensic Acquisition Of Solid State Drives

AmNe5iA · 2018-03-14T17:54:47Z

Recently Forensic Focus published the following article.Forensic Acquisition of Solid State Drives with Open Source Tools/Much of this article flew in the face of what I understood as the issues regarding the TRIM command and garbage collection on SSD.I understand the main issue as being that if files are deleted, the OS send the TRIM command to the SSD which can start the whole garbage collection mechanism. In the same way you can avoid files being actively deleted by pulling power to the drive, you can do the same with an SSD that has received the TRIM command but as soon as you power the SSD on again the garbage collection resumes, regardless of whether or not it is connected to a write blocker. You effectively get stuck in a situation where you believe the contents of the deleted files still remain on the SSD but the very process of plugging it in to image it, results in the contents of those files being purged. I assumed, when I opened this article that this would be the issue being dealt with. It is not.The author seems to believe that the TRIM command will be sent/resent only when mounted. As far as i am aware simply mounting a filesystem on an SSD would not start the process of sending TRIM commands. In addition I was also under the impression that TRIM command,s could only be sent over certain connections. For example TRIM command can be sent via SATA connection but not by a USB connection.As far as I am aware to resend TRIM commands you'd have to mount the filesystem (whilst enabling the 'discard' option) AND THEN also run a command like fstrimIs that right?And, if you had mounted the filesystem over a USB connection, the TRIM command wouldn't even reach the SSD.Is that right?In addition, it is my understanding that any ongoing garbage collection would not be prevented by not mounting the filesystem.I'm not really sure what he has proved or achieved in this paper if my assumptions/beliefs are correct.Also, in this paper he states that certain cables prevent reliably hashing the same SSDs (Section 7.3.1). They all prove reliable when they are used to hash a partition but not when hashing a volume. How do you hash a volume? You can hash a patrtion easily enough, 'md5sum /dev/sda1' but how has he hashed the volume? ' md5sum /mnt/sda1'???? I suspect that is the real reason the results are not reliable, not because of any specific cables.Can someone please explain this all to me?

Page 3 / 6 Prev Next

General (Technical, Procedural, Software, Hardware etc.)

Last Post by Aquachimere 7 years ago

52 Posts

6 Users

0 Reactions

11.8 K Views

RSS

Jefferreira

(@jefferreira)

Active Member

Joined: 8 years ago

Posts: 19

15/03/2018 7:11 pm

Is it possible, that a power management configuration (BIOS or OS level) interfered with your test? The drive won't perform a garbage collection when under read stress or powered down soon afterwards.

It is a possibility, but it raises another question… How can 4 different computers, for the period of 30 days, generate the same hash value from an SSD? Four different forensic live CDS were used, plus Ubuntu with auto mount disabled and my fedora workstation with auto mount disabled. I had to plug and unplig the SSD from computer to computer to check the integrity… And the integrity was consistent.

I don't know what else to say.

ReplyQuote

jaclaz

(@jaclaz)

Illustrious Member

Joined: 18 years ago

Posts: 5133

15/03/2018 7:23 pm

How can 4 different computers, for the period of 30 days, generate the same hash value from an SSD? Four different forensic live CDS were used, plus Ubuntu with auto mount disabled and my fedora workstation with auto mount disabled. I had to plug and unplig the SSD from computer to computer to check the integrity… And the integrity was consistent.

This is not a question, it is a state of fact, and what I would personal consider "normality", I don't think anyone is doubting this part, as I see it you daily used a "proper procedure" to re-hash (over and over) the same devices/data and the resulting hashes, I may say unsurprisingly, were always the same.

This proved that using a T35es on various computers running different Linux distro's (all with automount disabled) never altered the SSD's and that SSD's do not change contents (and thus hashes) by themselves when stored, not powered, in a cabinet[1].

jaclaz

[1] at least not for periods up to 30 days and if powered daily, would add the mathematician wink

A mathematician, a physicist, and an engineer are riding a train through Scotland.

The engineer looks out the window, sees a black sheep, and exclaims, "Hey! They've got black sheep in Scotland!"

The physicist looks out the window and corrects the engineer, "Strictly speaking, all we know is that there's at least one black sheep in Scotland."

The mathematician looks out the window and corrects the physicist, " Strictly speaking, all we know is that is that at least one side of one sheep is black in Scotland."

ReplyQuote

Jefferreira

(@jefferreira)

Active Member

Joined: 8 years ago

Posts: 19

15/03/2018 7:31 pm

Jaclaz that was both accurate and funny D

ReplyQuote

thefuf

(@thefuf)

Reputable Member

Joined: 17 years ago

Posts: 262

15/03/2018 8:30 pm

How can 4 different computers, for the period of 30 days, generate the same hash value from an SSD?

Again If an SSD implements the deterministic read after Trim feature, then the hash will likely be the same. An SSD with the non-deterministic Trim or with the filesystem-aware firmware is a different issue.

ReplyQuote

Jefferreira

(@jefferreira)

Active Member

Joined: 8 years ago

Posts: 19

15/03/2018 8:39 pm

Again If an SSD implements the deterministic read after Trim feature, then the hash will likely be the same. An SSD with the non-deterministic Trim or with the filesystem-aware firmware is a different issue.

The list of the SSDs used for the experiments is on section 6.4. Hardware…

Web Page Name

are any of the SSDs listed deterministic read after Trim feature,? I honestly don't know, and as a result I will not be able to comment. (

ReplyQuote

Aquachimere

(@aquachimere)

Eminent Member

Joined: 7 years ago

Posts: 32

28/03/2018 8:58 am

Hi,

very interesting discussion, so , i have one question about the TD3

the drives connected to the TD3 are mounted ? and is there a risk of TRIM activation?

what is the feedback from the ssd? should it be imaged otherwise than with the TD3?

thanks

ReplyQuote

Jefferreira

(@jefferreira)

Active Member

Joined: 8 years ago

Posts: 19

28/03/2018 10:57 am

the drives connected to the TD3 are mounted ? and is there a risk of TRIM activation?

The TD3 mounts the drive, therefore it will cause changes to the drive. At least that is what happened with us.

ReplyQuote

jaclaz

(@jaclaz)

Illustrious Member

Joined: 18 years ago

Posts: 5133

28/03/2018 11:07 am

the drives connected to the TD3 are mounted ? and is there a risk of TRIM activation?

The TD3 mounts the drive, therefore it will cause changes to the drive. At least that is what happened with us.

But was a TD3 actually used in the experiment?

jaclaz

ReplyQuote

Jefferreira

(@jefferreira)

Active Member

Joined: 8 years ago

Posts: 19

28/03/2018 11:10 am

Yes, a TD3 was used in the experiments.

It was removed from the article because it was a failed experiment.

We did not have a chance to run enough experiments with the TD3

Questions related to the article should be discussed in the article's comments.

ReplyQuote

jaclaz

(@jaclaz)

Illustrious Member

Joined: 18 years ago

Posts: 5133

28/03/2018 11:20 am

Questions related to the article should be either discussed in the article's comments.

… or here.

jaclaz

ReplyQuote

Page 3 / 6 Prev Next

8 Forums
15.7 K Topics
92.3 K Posts
257 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed