To cope with this let's say they rent some huge aircraft hangar sized warehouse with all these rows of power outlets and all these thousands of devices connected with these little timers. Some technician watches over this cache and then whenever they flash on every few months he makes a note on the register to say said device is still working for another 3 months. All those power outlets and electric current in one place would make it a huge fire risk, so you'd also need 24 hour security and fire safety otherwise all those cases are going to be lost, not to mention facing a huge compensation claim under the Police Property Act for all the lost property!
How much would all that cost? With the public budgets these days, do you have any idea how difficult it is just to get a simple equipment request approved!
It doesn't work like that.
You don't need to check every three months that the device is actually working and you don't need to power the 15,000 devices all together during the SAME 5 minutes every three months.
The (hypothetical) directive says that you need to power each SSD device for at least five minutes no less than three months apart.
That means that you can do that with a single power supply that can have (365 days, 24 h/day, 11 😯 cycles pr hour [1]) 11*24*365=96360 cycles per year or - in a more common working year (220 days, 8 h/day, 11 cycles per hour) 11*8*220=19360.
In other words you can respect the directive for 15,000 devices (and of course you need anyway the space to store them when you store them unpowered) with the electrical power that a single power supply uses or with 15,000 power supplies (and 15,000 switches/timers).
In practice, it would make more sense to group devices in clusters of - say - 50 or 100 devices, which would bring down the need for switches, 3,000 or 1,500 of them (which can be simple relays) and raise the instant consumption to that of 50 or 100 devices, let's say 100*2 A @ 5 V or 10 W, something in the order of magnitude of 1 kW, let us double that for losses and whatever and you have 2 kW which is less than the minimal contract you can have with the electricity supplier.
If we go back to the directives commonly in use for keeping products that need refrigeration (like food or medicines besides "wet forensics" samples/evidence) the requirements are "simple"
1) the goods must be kept at a temperature or no more than - say - 4° C
2) the refrigerator, if powered off should be able to keep a temperature between 4 C° and 0 C° for at least n hours
3) at least once a day (or even more frequently depending on the specific) the temperature of the refrigerator needs to be checked and its value annotated in a registry [2]
Also, since these goods are moved, there is the so-called Cold chain
https://
everytime you eat a steak, you should appreciate that *someone* noted down the temperature of the various regriferated containers in which it has been at least once for each container and at least once daily since it was still part of the living cow.
Yet, the slaughterhouses, transporters, butchers, restaurant chef's, etc. do not make any fuss about that.
jaclaz
[1] not 12, to account for switching times.
[2] with ISO 17025 you would need additionally to have a set of thermometers and periodically exchange them so that, once or twice a year you can have them calibrated and re-certified in an authorized laboratory
I was curious about this SSD deterioration thing and it doesn't sound quite as simple as made out in the article cited.
I'm still reading, trying to find better articles, but there seems to have been a lot of misunderstanding about the data retention ability, based on a JEDEC presentation about drives that are at their end of their life rather than new.
It seems like 1 year is the standard for consumer drives at 30c and 3 months at 40c for enterprise without power (the lower the temperature the increasingly lower the degradation and the higher the past usage the worse the retention it seems).
I can see an SSD manufacturer citing in their documentation
"Data Retention 10 Years @ Life Begin; 1 Year @ Life End".
From what I've read so far, I suspect that, assuming that evidence is kept in a nice cold store (rather than a warm boiler room), or you've got a particularly knackered SSD, that you probably won't run into a data retention problem.
From what I've read so far, I suspect that, assuming that evidence is kept in a nice cold store (rather than a warm boiler room), or you've got a particularly knackered SSD, that you probably won't run into a data retention problem.
Sure it likely won't ) , the exercise is more about whether it can happen (and after what amount of time, if all trials would be concluded within 1/2 year or less it is a non-problem, if they take several years it may become one, and no, in this case "averages" don't count, we need to have ALL trials be concluded - at least up to the point when the technical debate is carried on - within the minimum expected lifetime, to be on the safe side).
jaclaz
Sure it likely won't ) , the exercise is more about whether it can happen (and after what amount of time, if all trials would be concluded within 1/2 year or less it is a non-problem, if they take several years it may become one, and no, in this case "averages" don't count, we need to have ALL trials be concluded - at least up to the point when the technical debate is carried on - within the minimum expected lifetime, to be on the safe side).
jaclaz
I understand why you're considering/discussing it (rightly so - hence interested enough to search further).
Unless there's going to be an astronomic rise in the funding of the legal system, and police/high-tech crime, then expecting trials to be concluded (or even started) within a year is a complete non-starter (especially if you're talking start to finish). Some might be….but definitely not all. Over here anyway.
The further past the end of life/higher the usage of the SSD it appears the weaker the retention will be. I'm not sure you could put a sensible date on it to guarantee complete data extraction. I don't think manufacturers even guarantee that. I think it's just one of those situations which would require sensible guidelines for most cases (store in a cold room and then attempt to extract within a year ideally - for example). Once you have a forensic image, you've then got more protection, in that, to have a big problem, the argument would have to be the forensic image isn't valid/complete AND ALSO that there has been irrecoverable storage degradation material to the case.
This is the sort of thing that would really benefit from proper guidance from a panel of people who are experts in the real low-level physics/electronics of SSDs (perhaps via JEDEC) perhaps with the aid of some statisticians if necessary. Assuming they'll say 100% guaranteed recovery is something that doesn't exist - then it's probably in the realms of trying to consider all the factors involved - to achieve a very high probability of recovery in most cases (to give as a recommendation - rather than requirement). With perhaps a supplementary short document, with some further guidance on what happens in other scenarios, in plain English, that could be relied upon by judges to inform them, when considering the merit of arguments about data reliability/recovery.
This is the sort of thing that would really benefit from proper guidance from a panel of people who are experts in the real low-level physics/electronics of SSDs (perhaps via JEDEC) perhaps with the aid of some statisticians if necessary. Assuming they'll say 100% guaranteed recovery is something that doesn't exist - then it's probably in the realms of trying to consider all the factors involved - to achieve a very high probability of recovery in most cases (to give as a recommendation - rather than requirement). With perhaps a supplementary short document, with some further guidance on what happens in other scenarios, in plain English, that could be relied upon by judges to inform them, when considering the merit of arguments about data reliability/recovery.
Yep, and of course that depends on local laws and specific procedures needed or used, giandega made a reference
It depends from the law. Last week me and a Policeman, we did forensic copy of few phone, and few hard disk included an SSD.
I was there to represent the suspect. At the end of the job, we signed that the job has done correctly, and the Prosecutor can return the thigs to my client.
I don't know how many years it will last. BUt the basic task has done
to a procedure - I believe - that is called "incidente probatorio" in Italy, which is (or can be) done any time there are reasons why a given test cannot be repeated.
In the case giandega related the reason is that the devices(s) have to be returned to the suspect, but it is very common in "wet forensics" where - example - the amount of found DNA is enough for only one test.
Italian Wikipedia (not too bad via Google Translate), though classroom is of course courtroom
https://
https://
Normally, Italian procedural law provides that all the elements collected during the preliminary investigation phase in the preliminary investigation phase supervised by the investigating judge may not be used later in the classroom debates. Instead with the evidentiary incident the public prosecutor (also at the request of the offended person) and the defense of the suspect may request the early assumption of the means of proof in the phases preceding the hearing. In addition to the magistrate, this is an investigation session in which legal representatives and consultants from various parties participate, and which, unlike normal investigative documents, has evidence that can be used directly in a possible process as if it were a hearing procedural, and is therefore by its nature, a "crystallized" and non-repeatable test.
In simpler words, with the evidentiary incident it is required to acquire a proof ("form" a proof) already during the preliminary investigation phase (or in the preliminary hearing) before these are concluded and the trial phase opens; evidence that subsequently, and possibly, it will be brought before the judge or the GUP.
This procedure is chosen when there are potential time limitations related to the formation of the test and therefore you do not want to postpone it for a future trial, as you want to avoid the risk that, with the passage of time, the source of evidence will be compromised or the authenticity of the test itself is lost. This procedure takes place more rarely than normal investigative measures, or in any case in an extraordinary way, and for this reason it is called "accident".
etc.
jaclaz
I wish more posters would shed some light on the laws (in their countries) that govern the admissibility of evidence in courts.
I wish more posters would shed some light on the laws (in their countries) that govern the admissibility of evidence in courts.
Please … do so in a separate thread. If not, it will be hidden away as off-topic information in this trhead.