Self-erasing flash drives destroy court evidence
'Golden age' of forensics coming to close
http//
This is terrible people will now be using computers that contain no data.
After reading it appears they are saying that defense will be able to claim evidence recovered from SSD's would be inadmissable as they could have been tampered with.
I'd say that it would be for an "expert" to explain that isn't the case, only unallocated would be affected, live files would be unaffected.
Not the doom and gloom it seems.
The golden age of forensics has been coming to an end for years - I remember when we had our first 500MB hard disk at Dr Solomons (early 90's). One of the diretcors said that the days of rotating media were over and in a couple of years time it would all be solid state - a bit premature.
This isn't the issue that the academics are making out - as is often the case the real world doesnt reflect the theory. this is not much different than defrag being run automatically by the OS - something that may or may not have existed in unallocated may or may not be there any more.
We will still be looking at event logs, temp files, registries, email archives containing deleted files…..
"Mr Xennith, I put it to you that this drive technology changes data without human intervention"
"I find it exceptionally unlikely that this spreadsheet of fraudulent transactions magicked itself into existence, your assertation is a massive oversimplification of a complex technical process which has no bearing on the veracity of the exhibits I'm presenting here, or of my findings. I am aware of this particular process and have accounted for it.
Perhaps your expert and I should discuss this outside the court?"
Crisis averted.
"Mr Xennith, I put it to you that this drive technology changes data without human intervention"
"I find it exceptionally unlikely that this spreadsheet of fraudulent transactions magicked itself into existence, your assertation is a massive oversimplification of a complex technical process which has no bearing on the veracity of the exhibits I'm presenting here, or of my findings. I am aware of this particular process and have accounted for it.
Perhaps your expert and I should discuss this outside the court?"
Crisis averted.
Got to love it, can I use that at court lol?
Feel free, just dont come hunt me down if you get sent down the steps for contempt 😉
But you just wiped the document that proves that spreadsheet was a hoax/joke/plant, therefore I am now innocent. Defence rests. roll
But you just wiped the document that proves that spreadsheet was a hoax/joke/plant, therefore I am now innocent. Defence rests. roll
Well then if you ever find a jury stupid enough to swallow that then we're all doomed.
But theres a 50/50 chance that if you tried that you'd be proven to be lying.
I could be wrong on this, but I am not aware of any USB flash drive that starts "self cleaning", or as the scientists wrote "self-corrode" without some operating system initiated activity.
Their experiment for garbage collection had the device attached to a computer, and booted the machine with the device attached. A more pure solution would have been to simply provide power to the device.
Some other "painful" remarks in the paper was noted (loaded adjectives and adverb used, zeroing out on flash when it actually is 'oned' out, etc.)
On the other hand, I do know that various operating systems keep logs of device attachment, detachment, and some even includes copious transaction logging, on the device, and off the device.
The article, and scientists presume that forensic investigators will access the data on the flash memory through these devices' controller.
I personally continue to have zero problems of reading memory chips in detail from various flash drives - without the controller.
Best paragraph in the research?
Overall, these results seem remarkable. Experiments 1 and 2 show clearly that SSDs do not behave in the same
manner as HDDs…
Wait… Seriously? A
…
😯
…
Actually, I take all this back. I have been wrong. The article is actually absolutely true. Not just that, flash memory devices do not even need to be deleted. Just toss them in your drawer marked "old flash drives with bad things on them", and they will self erase. But, if they are encrypted, they need a password to do the self-corrosion. Use a yellow sticky note attached to each such device with the password clearly written, and the device will take care of the rest. twisted
