Self-erasing flash drives destroy court evidence  

trewmte
(@trewmte)
Community Legend

Self-erasing flash drives destroy court evidence
'Golden age' of forensics coming to close

http://www.theregister.co.uk/2011/03/01/self_destructing_flash_drives/

Posted : 29/03/2011 1:43 am
patboddy
(@patboddy)
New Member

This is terrible; people will now be using computers that contain no data.

Posted : 29/03/2011 3:04 pm
minime2k9
(@minime2k9)
Active Member

After reading it, it appears they are saying that the defense will be able to claim evidence recovered from SSDs would be inadmissible as it could have been tampered with.
I'd say that it would be for an "expert" to explain that isn't the case, only unallocated would be affected, live files would be unaffected.
Not the doom and gloom it seems.

Posted : 29/03/2011 4:14 pm
PaulSanderson
(@paulsanderson)
Senior Member

The golden age of forensics has been coming to an end for years - I remember when we had our first 500MB hard disk at Dr Solomons (early 90s). One of the directors said that the days of rotating media were over and in a couple of years' time it would all be solid state - a bit premature.

This isn't the issue that the academics are making out - as is often the case the real world doesn't reflect the theory. This is not much different than defrag being run automatically by the OS - something that may or may not have existed in unallocated may or may not be there any more.

We will still be looking at event logs, temp files, registries, email archives containing deleted files…..

Posted : 29/03/2011 4:33 pm
Xennith
(@xennith)
Active Member

"Mr Xennith, I put it to you that this drive technology changes data without human intervention"

"I find it exceptionally unlikely that this spreadsheet of fraudulent transactions magicked itself into existence. Your assertion is a massive oversimplification of a complex technical process which has no bearing on the veracity of the exhibits I'm presenting here, or of my findings. I am aware of this particular process and have accounted for it.

Perhaps your expert and I should discuss this outside the court?"

Crisis averted.

Posted : 30/03/2011 4:50 pm
minime2k9
(@minime2k9)
Active Member

> "Mr Xennith, I put it to you that this drive technology changes data without human intervention"
>
> "I find it exceptionally unlikely that this spreadsheet of fraudulent transactions magicked itself into existence. Your assertion is a massive oversimplification of a complex technical process which has no bearing on the veracity of the exhibits I'm presenting here, or of my findings. I am aware of this particular process and have accounted for it.
>
> Perhaps your expert and I should discuss this outside the court?"
>
> Crisis averted.

Got to love it, can I use that at court lol?

Posted : 30/03/2011 6:06 pm
Xennith
(@xennith)
Active Member

Feel free, just don't come hunt me down if you get sent down the steps for contempt 😉

Posted : 30/03/2011 7:20 pm
Rich2005
(@rich2005)
Senior Member

But you just wiped the document that proves that spreadsheet was a hoax/joke/plant, therefore I am now innocent. Defence rests. roll

Posted : 30/03/2011 9:16 pm
Xennith
(@xennith)
Active Member

> But you just wiped the document that proves that spreadsheet was a hoax/joke/plant, therefore I am now innocent. Defence rests. roll

Well then if you ever find a jury stupid enough to swallow that then we're all doomed.

But there's a 50/50 chance that if you tried that you'd be proven to be lying.

Posted : 30/03/2011 11:51 pm
jhup
(@jhup)
Community Legend

I could be wrong on this, but I am not aware of any USB flash drive that starts "self cleaning", or as the scientists wrote "self-corrode" without some operating system initiated activity.

Their experiment for garbage collection had the device attached to a computer, and booted the machine with the device attached. A more pure solution would have been to simply provide power to the device.

Some other "painful" remarks in the paper were noted (loaded adjectives and adverbs used, "zeroing out" on flash when it actually is 'oned' out, etc.)

On the other hand, I do know that various operating systems keep logs of device attachment and detachment, and some even include copious transaction logging, on the device and off the device.

The article and the scientists presume that forensic investigators will access the data on the flash memory through these devices' controller.

I personally continue to have zero problems of reading memory chips in detail from various flash drives - without the controller.

Best paragraph in the research?

> Overall, these results seem remarkable. Experiments 1 and 2 show clearly that SSDs do not behave in the same manner as HDDs…

Wait… Seriously? A John Deere 6140D works differently than a Lamborghini Gallardo Bicolore? That is amazing! That is remarkable! What a surprising revelation! After all, both have wheels, move forward, and sometimes back - use fuel to propel forward, and such! That is just fascinating! Ah, what an amazing discovery! Where is the Nobel committee when we need them?

😯

Actually, I take all this back. I have been wrong. The article is actually absolutely true. Not just that, flash memory devices do not even need to be deleted. Just toss them in your drawer marked "old flash drives with bad things on them", and they will self erase. But, if they are encrypted, they need a password to do the self-corrosion. Use a yellow sticky note attached to each such device with the password clearly written, and the device will take care of the rest. twisted

Posted : 31/03/2011 4:15 am
Rich2005
(@rich2005)
Senior Member

> Well then if you ever find a jury stupid enough to swallow that then we're all doomed.
>
> But there's a 50/50 chance that if you tried that you'd be proven to be lying.

Well, I've certainly seen ones where they believed a guy who kept changing his story every time one of his scenarios for what actually happened was proved to not be the case (at least three times from memory). roll

> I could be wrong on this, but I am not aware of any USB flash drive that starts "self cleaning", or as the scientists wrote "self-corrode" without some operating system initiated activity.

I believe that some recent ones have their garbage collection routines independent of the TRIM command being sent from the OS. So in that sense, just powering on could start to wipe data. Therefore I think it's fair comment for them to be worried/aware of the effect on data stored on the drive. This is aside from the other general point, that even prior to seizure much of what would have resided in unallocated would already be gone due to garbage collection in existing idle time.
I think therefore the article (and similar ones like it) are, as I say, fair comment, and just another thing to be aware of, and as Paul says may/will just mean we end up spending more time investigating other areas such as volume shadow copies, if evidence from unallocated now isn't found on these drives.

Posted : 31/03/2011 2:09 pm
philh
(@philh)
Junior Member

> I believe that some recent ones have their garbage collection routines independent of the TRIM command being sent from the OS.

I think some of the newer SSDs actually have a basic knowledge of the NTFS filesystem built into their firmware, i.e. they're able to determine (presumably based on the $MFT/$BITMAP areas) when old data can safely be scrubbed. I don't know whether this extends to other OSs or if this is specific to Windoze …

The main point that seems to be raised in the papers is that there is no guarantee that MD5/SHA1 hash values will remain consistent if a device is imaged multiple times (e.g. if examined by the defense following an initial examination). Therefore there is a (very) simplistic argument that the evidence is not the same and thus not admissible?

You would hope that a suitable explanation of the technology would head this argument off at the proverbial pass. I would also think (though I don't have any expert knowledge of SSD firmware) that there are likely to be ways and means to disable SSD garbage collection, e.g. via firmware "debug" switches etc., so hopefully in the future it will be possible to image these devices without worrying about garbage collection - although this route would probably prove difficult due to the wide variety of possible SSD firmwares?

Posted : 31/03/2011 2:50 pm
Xennith
(@xennith)
Active Member

> Therefore there is a (very) simplistic argument that the evidence is not the same and thus not admissible?

CF is the only field where this apparently makes sense (it's fine for fingerprints etc. to be touched or moved). I don't think an argument that MD5s are different will get evidence discounted.

Just do a byte-by-byte diff between the two images and get the defense to point to the bit that makes it inadmissible or renders your findings incorrect. Explain the principle of garbage collection to their expert.

Defense work off a copy of the police images anyhow, and ACPO guidelines don't say that evidence cannot be touched, just that anything that might change the original is documented and done by a competent person.

If anyone expects this to open up a significant loophole or technicality they're barking up the wrong tree. Someone will try it, that person will be bitchslapped down pretty hard.

Posted : 31/03/2011 4:18 pm
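As an added example (not from the thread or any poster), a Python script showing the byte-by-byte comparison Xennith describes: it finds which pages differ between two acquisitions of the same drive, checks each differing range against an allocation map, and hashes only the allocated extents so a change confined to unallocated space is visible as such. The page size, the two images and the allocation map are constructed here; real tooling would take the extents from the file system.

```python
import hashlib

PAGE = 512  # constructed page size for the toy images (real NAND pages are larger)

def diff_images(img_a: bytes, img_b: bytes, page: int = PAGE):
    """Return merged (start, end) byte ranges of pages that differ between two images."""
    assert len(img_a) == len(img_b), "acquisitions of the same device must be equal length"
    ranges = []
    for off in range(0, len(img_a), page):
        if img_a[off:off + page] != img_b[off:off + page]:
            if ranges and ranges[-1][1] == off:      # extend a run of adjacent changed pages
                ranges[-1] = (ranges[-1][0], off + page)
            else:
                ranges.append((off, off + page))
    return ranges

def classify(ranges, allocated):
    """Split differing ranges into those overlapping allocated extents and those wholly unallocated."""
    in_alloc, in_free = [], []
    for start, end in ranges:
        hit = any(start < a_end and a_start < end for a_start, a_end in allocated)
        (in_alloc if hit else in_free).append((start, end))
    return in_alloc, in_free

def hash_allocated(img: bytes, allocated) -> str:
    """SHA-256 over the allocated extents only (the live files), in address order."""
    h = hashlib.sha256()
    for start, end in sorted(allocated):
        h.update(img[start:end])
    return h.hexdigest()

def image_hash(img: bytes) -> str:
    """Whole-image SHA-256, the value that garbage collection can change between acquisitions."""
    return hashlib.sha256(img).hexdigest()

def build_demo():
    """Constructed pair of acquisitions: 8 pages, pages 0-2 hold a live file, 3-7 are unallocated."""
    pages = [bytes([i + 1]) * PAGE for i in range(8)]
    first = b"".join(pages)
    # Second acquisition after idle garbage collection: two unallocated pages now read
    # as the NAND erase state, 0xFF (flash is 'oned' out, not zeroed, as noted above).
    pages[4] = b"\xff" * PAGE
    pages[5] = b"\xff" * PAGE
    second = b"".join(pages)
    allocated = [(0, 3 * PAGE)]   # constructed allocation map: one extent covering pages 0-2
    return first, second, allocated
```

Running `diff_images` on the two constructed images reports a single changed range at pages 4-5, `classify` places it entirely in unallocated space, and `hash_allocated` returns the same digest for both acquisitions even though `image_hash` differs.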
armresl
(@armresl)
Community Legend

What is the below thought based on?

> I think some of the newer SSDs actually have a basic knowledge of the NTFS filesystem built into their firmware, i.e. they're able to determine (presumably based on the $MFT/$BITMAP areas) when old data can safely be scrubbed. I don't know whether this extends to other OSs or if this is specific to Windoze …

Posted : 01/04/2011 1:20 am
jhup
(@jhup)
Community Legend

Hmmm… I have never experienced something like that.

As far as I know, the purpose of garbage collection is consolidating valid blocks onto fewer pages, and then erasing the freed-up pages. But this is only triggered when something is written, or TRIM is issued.

The TRIM command simply hastens this by indicating that a certain set of blocks are no longer needed.

I have never seen file system "erased" flags translate to trim commands by default, but it is possible that additional vendor software would act as such.

> I believe that some recent ones have their garbage collection routines independent of the TRIM command being sent from the OS. So in that sense, just powering on could start to wipe data. Therefore I think it's fair comment for them to be worried/aware of the effect on data stored on the drive. This is aside from the other general point, that even prior to seizure much of what would have resided in unallocated would already be gone due to garbage collection in existing idle time.
> I think therefore the article (and similar ones like it) are, as I say, fair comment, and just another thing to be aware of, and as Paul says may/will just mean we end up spending more time investigating other areas such as volume shadow copies, if evidence from unallocated now isn't found on these drives.

Posted : 01/04/2011 5:20 am