Self-erasing flash drives destroy court evidence

(@rich2005)
Honorable Member
Joined: 19 years ago
Posts: 541
 

Well then if you ever find a jury stupid enough to swallow that then we're all doomed.

But there's a 50/50 chance that if you tried that you'd be proven to be lying.

Well, I've certainly seen ones where they believed a guy who kept changing his story every time one of his scenarios for what actually happened was proved to not be the case (at least three times from memory).

I could be wrong on this, but I am not aware of any USB flash drive that starts "self cleaning", or as the scientists wrote "self-corrode" without some operating system initiated activity.

I believe that some recent ones have their garbage collection routines independent of the TRIM command being sent from the OS. So in that sense, just powering on could start to wipe data. Therefore I think it's fair comment for them to be worried/aware of the effect on data stored on the drive. This is aside from the other general point, that even prior to seizure much of what would have resided in unallocated would already be gone due to garbage collection in existing idle time.
I think therefore the article (and similar like it) is, as I say, fair comment, and just another thing to be aware of, and as Paul says may/will just mean we end up spending more time investigating other areas such as volume shadow copies more, if evidence from unallocated now isn't found on these drives.


   
(@philh)
Eminent Member
Joined: 17 years ago
Posts: 28
 

I believe that some recent ones have their garbage collection routines independent of the TRIM command being sent from the OS.

I think some of the newer SSDs actually have a basic knowledge of the NTFS filesystem built into their firmware, i.e. they're able to determine (presumably based on the $MFT/$BITMAP areas) when old data can safely be scrubbed. I don't know whether this extends to other OS' or if this is specific to Windoze …

The main point that seems to be raised in the papers is that there is no guarantee that MD5/SHA1 hash values will remain consistent if a device is imaged multiple times (e.g. if examined by defense following an initial examination). Therefore there is a (very) simplistic argument that the evidence is not the same and thus not admissible?

You would hope that a suitable explanation of the technology would head this argument off at the proverbial pass. I would also think (though I don't have any expert knowledge of SSD firmware) that there are likely to be ways and means to disable SSD garbage collection, e.g. via firmware "debug" switches etc, so hopefully in the future it will be possible to image these devices without worrying about garbage collection - although this route would probably prove difficult due to the wide variety of possible SSD firmwares?


   
(@xennith)
Estimable Member
Joined: 15 years ago
Posts: 177
 

Therefore there is a (very) simplistic argument that the evidence is not the same and thus not admissible?

CF is the only field where this apparently makes sense (it's fine for fingerprints etc to be touched or moved), I don't think an argument that MD5s are different will get evidence discounted;

Just do a byte by byte diff between the two images and get the defense to point to the bit that makes it inadmissible or renders your findings incorrect. Explain the principle of garbage collection to their expert.

Defense work off a copy of the police images anyhow, and ACPO guidelines don't say that evidence cannot be touched, just that anything that might change the original is documented and done by a competent person.

If anyone expects this to open up a significant loophole or technicality they're barking up the wrong tree. Someone will try it, that person will be bitchslapped down pretty hard.


   
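The byte-by-byte comparison suggested in the post above can be scripted so that every differing range is listed and checked against what garbage collection would leave behind. This is an added example, not part of the original thread; the 512-byte block size, the 0x00/0xFF erased-fill values and the in-memory sample images are assumptions constructed for illustration.

```python
import hashlib
import io

BLOCK = 512                   # comparison granularity (assumed sector size)
ERASED = (b"\x00", b"\xff")   # fill bytes assumed to indicate erased flash

def compare_images(first, second, block=BLOCK):
    """Compare two image streams block by block.

    Returns (md5_first, md5_second, ranges). Each range is
    (start, end, erased_in_second); adjacent differing blocks with the
    same classification are merged into one range.
    """
    h1, h2 = hashlib.md5(), hashlib.md5()
    ranges, offset = [], 0
    while True:
        a, b = first.read(block), second.read(block)
        if not a and not b:
            break
        h1.update(a)
        h2.update(b)
        size = max(len(a), len(b))
        if a != b:
            # True when the later image holds only erased fill here.
            erased = len(b) > 0 and any(b == f * len(b) for f in ERASED)
            last = ranges[-1] if ranges else None
            if last and last[1] == offset and last[2] == erased:
                ranges[-1] = (last[0], offset + size, erased)
            else:
                ranges.append((offset, offset + size, erased))
        offset += size
    return h1.hexdigest(), h2.hexdigest(), ranges

def sample_images():
    """Constructed 8-sector images; the second has sectors 2-3 zeroed."""
    live = b"LIVE" * 128      # allocated data
    stale = b"DEL!" * 128     # remnants of a deleted file
    blank = bytes(512)
    return live * 2 + stale * 2 + blank * 4, live * 2 + blank * 6

if __name__ == "__main__":
    img1, img2 = sample_images()
    md5_1, md5_2, ranges = compare_images(io.BytesIO(img1), io.BytesIO(img2))
    print("hashes match:", md5_1 == md5_2)
    for start, end, erased in ranges:
        kind = "erased fill in second image" if erased else "content changed"
        print(f"{start:#x}-{end:#x}: {kind}")
```

On real evidence the two streams would be the image files opened read-only in binary mode; a range reported as "content changed" rather than erased fill is the kind that needs a separate explanation.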
(@armresl)
Noble Member
Joined: 21 years ago
Posts: 1011
 

What is the below thought based on?

I think some of the newer SSDs actually have a basic knowledge of the NTFS filesystem built into their firmware, i.e. they're able to determine (presumably based on the $MFT/$BITMAP areas) when old data can safely be scrubbed. I don't know whether this extends to other OS' or if this is specific to Windoze …


   
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

Hmmm… I have never experienced something like that.

As far as I know, the purpose of garbage collection is consolidating valid blocks onto fewer pages, and then erasing the freed up pages. But, this is only triggered when something is written, or trim is issued.

The trim command simply hastens this by indicating that a certain set of blocks are no longer needed.

I have never seen file system "erased" flags translate to trim commands by default, but it is possible that additional vendor software would act as such.

I believe that some recent ones have their garbage collection routines independent of the TRIM command being sent from the OS. So in that sense, just powering on could start to wipe data. Therefore I think it's fair comment for them to be worried/aware of the effect on data stored on the drive. This is aside from the other general point, that even prior to seizure much of what would have resided in unallocated would already be gone due to garbage collection in existing idle time.
I think therefore the article (and similar like it) is, as I say, fair comment, and just another thing to be aware of, and as Paul says may/will just mean we end up spending more time investigating other areas such as volume shadow copies more, if evidence from unallocated now isn't found on these drives.


   
(@philh)
Eminent Member
Joined: 17 years ago
Posts: 28
 

What is the below thought based on?

I think some of the newer SSDs actually have a basic knowledge of the NTFS filesystem built into their firmware, i.e. they're able to determine (presumably based on the $MFT/$BITMAP areas) when old data can safely be scrubbed. I don't know whether this extends to other OS' or if this is specific to Windoze …

IIRC the paper, originally discussed in this thread, refers to such behaviour. There are also a number of references on the Internet that indicate such behaviour, for example

Article 1
Article 2

The first article clearly suggests that the SSD has a built-in knowledge of the filesystem. Although the second article doesn't directly mention this, it would make sense that in order for the device to pro-actively garbage collect (i.e. without user/OS intervention) it must be aware of the filesystem so that it can make informed decisions regarding data that can be safely deleted.


   
(@philh)
Eminent Member
Joined: 17 years ago
Posts: 28
 

As far as I know, the purpose of garbage collection is consolidating valid blocks onto fewer pages, and then erasing the freed up pages. But, this is only triggered when something is written, or trim is issued.

Indeed. But I believe the issue is arising with newer SSD devices where the manufacturer has implemented some form of pre-emptive garbage collection - in this case it may be possible that the SSD device is able to garbage collect independent of any user/OS intervention or request.


   
(@llista)
Active Member
Joined: 18 years ago
Posts: 17
 

I could be wrong on this, but I am not aware of any USB flash drive that starts "self cleaning", or as the scientists wrote "self-corrode" without some operating system initiated activity.

Fujitsu Introduces Its Tamatebako Self-destructing Flash Drive

http://www.crunchgear.com/2010/06/29/tamatebako-fujitsus-self-destruct-usb-memory-finally-goes-on-sale-in-japan/

http://en.akihabaranews.com/52527/storage/fujitsu-japan-launched-tamatebako-the-self-destructing-usb-memory

I am not sure if the drive needs to be plugged in to operate. Fujitsu says:

"You can also set the time frame, which ranges from 10 minutes to up to a week, for it to automatically delete data"

Apparently it has its own onboard chip since it also uses encryption.


   
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
Topic starter  

As far as I know, the purpose of garbage collection is consolidating valid blocks onto fewer pages, and then erasing the freed up pages. But, this is only triggered when something is written, or trim is issued.

Indeed. But I believe the issue is arising with newer SSD devices where the manufacturer has implemented some form of pre-emptive garbage collection - in this case it may be possible that the SSD device is able to garbage collect independent of any user/OS intervention or request.

As additional comments to philh's remarks. Garbage collection has been a topic even for SIM Cards when Java Card specification in 2000 referred to the notion of 'garbage collection' (suggesting it was a topic that was debated prior to the specifications being released) but the JC specs did not standardise the position leaving it open for manufacturers to implement garbage collection, post-issuance updates, de-fragmentation and reclamation etc for SIMs. One inference is that programmers must not break the 'Java programming language's required pointer-safety'.

Principles to be remembered by Java Card programmers

- an object allocated should not ever assume it to be deallocated
- even where the object becomes unreachable
- and continues to use resources

In 2002, Orga produced an interesting short paper on dynamic memory management in support of its Java Card SIMs. The paper disclosed that to avoid breaching the objectives of the Java Card specifications, it introduced "….garbage collection…., so the SIM must be able to perform this operation in a “transparent” mode (i.e. this operation must be performed in such a way that it is not “visible” to the application developer)."

More specifically, Orga stated, "Upon deletion garbage collection is automatically performed on each of the card’s operating system so that the memory that is no longer used is available for new allocation."

Orga also implemented de-fragmentation on its Java Card SIMs noting "Since memory de-fragmentation entails moving around blocks of memory, a rollback system is automatically provided for in the card’s operating system so that any interruption of the process will not corrupt the card’s data."

A possible outcome of this that may have a potential impact on evidence is where garbage collection is operated in association with, say, post-issuance updates, previously deleted text and phonebook contacts in pages (even where only a few pages exist) in a block or blocks the entire block/s could be reclaimed with no external visible signs of such an occurrence being in operation until the data disappears. This could mean the loss of deleted data or even some stored data.


   
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

Well, I've certainly seen ones where they believed a guy who kept changing his story every time one of his scenarios for what actually happened was proved to not be the case (at least three times from memory).

Did he come from/move to the US cause if he did, I was the opposing expert in one of his cases. He, literally, had three different theories as to whether a device had been wiped and each theory after the first was an attempt to deal with his previously discredited theory.

In spite of this, the judge was going to let him testify to part of his theory and let the jury decide who to believe. And now, this guy goes across the country serving on panels where he discusses this case, even though part of his testimony was thrown out and the veracity of that which had not been was untested because the parties settled before trial.


   