SSD Forensics  

scottyxx
(@scottyxx)
New Member

Hi!

I haven't done any new forensics training in about two years.

Can anyone give me some training resources / tips on what to do with SSDs?

I am imaging one right now, and not sure what to expect. Can anyone shine some light on the matter?

Am I likely to recover any deleted files? Will the auto-wearleveling feature mess up my evidence?

Posted : 25/10/2012 11:18 pm
cgpa1
(@cgpa1)
New Member

A very good read - http://www.jdfsl.org/subscriptions/JDFSL-V5N3-Bell.pdf

Posted : 26/10/2012 3:09 am
Adam10541
(@adam10541)
Senior Member

A very good read - http://www.jdfsl.org/subscriptions/JDFSL-V5N3-Bell.pdf

I'm sorry but you are kidding aren't you?

Defamation laws prevent me from really saying anything here so I won't go into detail, but I will say I have numerous professional experiences of one of the co-authors' "forensic skills" so I have a special place where I might use that paper.

One of the sad things about society is that if you work at a university all of a sudden people believe everything you say 😉

My experience aside, that paper was mashed together nearly 3 years ago and the technology has changed significantly in that time period. So even if his research and testing was by some miracle actually sound, it's completely irrelevant today.

Posted : 26/10/2012 8:27 am
Jonathan
(@jonathan)
Senior Member

Hi!
Can anyone give me some training resources / tips on what to do with SSDs?

I am imaging one right now, and not sure what to expect. Can anyone shine some light on the matter?
?

It may have been best to ask this before you started imaging the drive as 'garbage collection', which runs independently of the operating system, will begin wiping unallocated clusters soon after powering on.

Posted : 26/10/2012 12:58 pm
Chris_Ed
(@chris_ed)
Active Member

Hi!

I haven't done any new forensics training in about two years.

Can anyone give me some training resources / tips on what to do with SSDs?

I am imaging one right now, and not sure what to expect. Can anyone shine some light on the matter?

Am I likely to recover any deleted files? Will the auto-wearleveling feature mess up my evidence?

It behaves exactly like any other HDD or USB storage device. You are very likely to recover deleted files :)

Posted : 26/10/2012 1:14 pm
mrpumba
(@mrpumba)
Active Member

The nice thing about SSDs, Flash…etc, it will store more deleted content than a platter. UH???? What???? 😯 Due to the limited writes to these devices, manufacturers make it so the computer writes to the entire drive before reallocating the un-allocated space to new data. As stated by "Chris_Ed" I second his statement.

Posted : 26/10/2012 4:16 pm
agolding
(@agolding)
Junior Member

The nice thing about SSDs, Flash…etc, it will store more deleted content than a platter. UH???? What???? 😯 Due to the limited writes to these devices, manufacturers make it so the computer writes to the entire drive before reallocating the un-allocated space to new data. As stated by "Chris_Ed" I second his statement.

It depends totally on the drive's implementation. They use TRIM and garbage collection to speed up any future writing to the drives. If you write to the whole drive and then start overwriting it then it will be incredibly slow, as with solid state drives you have effectively two write cycles as each block needs to be zeroed before it can be written to, instead of simply overwriting blocks like on an HDD. Generally TRIM and Garbage collection are enabled for the purpose of not slowing the drive down, after all who wants a slow drive?

I found with my old drive the whole drive was zeroed in less than a minute. http://dig-forensics.blogspot.co.uk/#!/2011/03/solid-state-drives-and-trim.html

Posted : 26/10/2012 7:26 pm
ludlowboy
(@ludlowboy)
Member

I ran a test in which I copied 10,000 files onto an SSD.
I then deleted 2,000 files and imaged the drive. I could see all 2,000 deleted files.
I repeated this 4 times and ended up with an image that showed no live files but 10,000 deleted files.
I saw no evidence of TRIM or Garbage collection.

The SSD did not have an Operating System on it and it was suggested to me that this would alter the results.
I am afraid I have not had time to test this with an SSD containing an OS but I will update when I have time to perform this test.

Posted : 27/10/2012 1:18 am
mrpumba
(@mrpumba)
Active Member

Watch this video in its entirety….

http://youtu.be/vLoYduckmuo

Posted : 27/10/2012 5:43 pm
Jonathan
(@jonathan)
Senior Member

Watch this video in its entirety….

http://youtu.be/vLoYduckmuo

I don't have 45 minutes. Is there a precis available?

Posted : 27/10/2012 7:04 pm
mrpumba
(@mrpumba)
Active Member

Watch this video in its entirety….

http://youtu.be/vLoYduckmuo

I don't have 45 minutes. Is there a precis available?

@ Scottyxx - Can anyone give me some training resources / tips on what to do with SSDs?

I am imaging one right now, and not sure what to expect. Can anyone shine some light on the matter?

Am I likely to recover any deleted files? Will the auto-wearleveling feature mess up my evidence?

Isn't everything we do in CF based on time consumption?? In any case, this is a good video describing the operations of an SSD and how it relates to what we do. The question posed here is what to expect of an imaged SSD, and wearleveling - answers some of the questions posed.

Posted : 28/10/2012 1:17 am
Adam10541
(@adam10541)
Senior Member

Is there some governing body that says all SSD drives must behave the same?

I would think that there would be varying operations from manufacturer to manufacturer and even between different models from the same manufacturer.

From the few posts here from people that have tested already there are different results. I have an SSD drive which I can see deleted files on, I've not done any sort of testing beyond hooking it up and looking in Xways but the very fact that there are deleted files recoverable seems to fly in the face of some people's assumptions that all unallocated clusters are zeroed out when the drive is powered up.

Posted : 29/10/2012 6:05 am
mscotgrove
(@mscotgrove)
Senior Member

An SSD drive itself has no knowledge if a sector is unallocated space or not. It is up to the device driver on the host to send the drive the Trim message to say 'these sectors are now free'.

I would speculate that if you put an SSD drive on an old Windows 98 system and deleted the files no Trim command would be sent.

If the actual logic for an unallocated sector was part of the SSD logic, then it would need to know all past, and all future file systems.

And as adam10541 says, why should all systems work in the same way?

Posted : 29/10/2012 1:42 pm
Chris_Ed
(@chris_ed)
Active Member

An SSD drive itself has no knowledge if a sector is unallocated space or not. It is up to the device driver on the host to send the drive the Trim message to say 'these sectors are now free'.

..

And as adam10541 says, why should all systems work in the same way?

I think you've answered your own question there. TRIM is an ATA command, and I think it would be hard to find an SSD which didn't support ATA commands :)

I think that by the time most of us here see an SSD HDD (i.e., post-seizure) then what is there is there. If there has been some wiping before it came to you, well, so be it - but indicators are that if you merely switch it on (for example, via write-blocker) then you aren't activating garbage collection and you aren't removing evidence.

Posted : 29/10/2012 3:04 pm
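
Added example, not part of the original thread or any poster's code: the posts above disagree on whether an SSD keeps erasing unallocated space after power-on, even behind a write-blocker, and one way to check a specific drive is to acquire it twice and compare the two raw images chunk by chunk. The function names, the 4096-byte chunk size and the sample data are assumptions made for this sketch.

```python
import hashlib
import io

CHUNK = 4096  # comparison granularity in bytes (assumed; use a multiple of the sector size)


def chunk_digests(stream, chunk=CHUNK):
    """Yield (sha256 hex digest, is_all_zero) for each chunk of a raw image stream."""
    while True:
        block = stream.read(chunk)
        if not block:
            break
        yield hashlib.sha256(block).hexdigest(), block.count(0) == len(block)


def compare_acquisitions(first, second, chunk=CHUNK):
    """Compare two raw images of the same drive taken at different times.

    Reports how many chunks differ and which chunk indexes held data in the
    first image but read back as all zeros in the second, the pattern to
    expect if the drive erased blocks on its own between acquisitions.
    Comparison stops at the end of the shorter image.
    """
    report = {"chunks": 0, "changed": 0, "zero_first": 0,
              "zero_second": 0, "newly_zeroed": []}
    pairs = zip(chunk_digests(first, chunk), chunk_digests(second, chunk))
    for index, ((h1, z1), (h2, z2)) in enumerate(pairs):
        report["chunks"] += 1
        report["zero_first"] += int(z1)
        report["zero_second"] += int(z2)
        if h1 != h2:
            report["changed"] += 1
            if z2 and not z1:
                report["newly_zeroed"].append(index)
    return report


def demo():
    # Constructed sample: 8 chunks of non-zero data; chunks 2 and 5 stand in for
    # deleted-file content that reads back as zeros in the second acquisition.
    data = [bytes([i + 1]) * CHUNK for i in range(8)]
    first_image = b"".join(data)
    data[2] = data[5] = bytes(CHUNK)
    second_image = b"".join(data)
    return compare_acquisitions(io.BytesIO(first_image), io.BytesIO(second_image))


if __name__ == "__main__":
    r = demo()
    print(f"{r['changed']}/{r['chunks']} chunks changed; newly zeroed: {r['newly_zeroed']}")
```

For real acquisitions, pass two image files opened with `open(path, "rb")`; a report with no changed chunks means the drive returned identical data both times.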
jaclaz
(@jaclaz)
Community Legend

Is there some governing body that says all SSD drives must behave the same?

Yes and no, they should conform to standards (like ATA) but that doesn't mean that additional features cannot be added by single manufacturers.

I would think that there would be varying operations from manufacturer to manufacturer and even between different models from the same manufacturer.

Exactly :)

The TRIM command is an ATA standard AND such command is intended to be issued by the OS (to remain in the MS/Windows world no OS before 7/Server 2008 R2 does implement it) BUT it can be initiated all right by the SSD firmware, as well as idle time Garbage Collection see (example)
http://www.oczenterprise.com/whitepapers/ssds-write-amplification-trim-and-gc.pdf
and I presume that most drive manufacturers have different algorithms to reduce write amplification while keeping wear leveling effective
http://en.wikipedia.org/wiki/Garbage_collection_(SSD)
(just for the record at least some Samsung SSDs can/could "understand" autonomously an NTFS filesystem and decide - without any "intervention" by the OS - what to do with sectors and initiate/operate TRIM like commands automatically)

Right now it seems like everything (and the contrary of everything) is possible. 😯

jaclaz

Posted : 29/10/2012 5:57 pm