SSD Forensics  

Page 2 / 4
samson
(@samson)
New Member

I've found that when the SSD is in a raid configuration nothing gets overwritten on Windows 7 Professional and files can be carved / recovered. Having a RAID setup appears to disable the TRIM 'overwriting' functionality.

However a separate stand alone non RAID drive will lose all the information contained in a deleted file within seconds of it being deleted. 10-20 seconds in my tests.

Of course this outcome will most likely be completely different with different drives. My test drives were 'Corsair Force' drives. I used 2 x 120 GB SSD for the Software RAID 1 pair and a single 60GB SSD drive for the stand alone test.

Posted : 29/10/2012 8:07 pm
mscotgrove
(@mscotgrove)
Senior Member

> (just for the record at least some Samsung SSD's can/could "understand" autonomously a NTFS filesystem and decide - without any "intervention" by the OS - what to do with sectors and initiate/operate TRIM like commands automatically)
>
> jaclaz

I would be terrified to use such a drive. A drive should be dumb and do as told. Write a sector, read a sector, and told it can clear a sector down. How it handles these commands is entirely up to a drive, but if I write a sector xxx I want to be able to read that sector until I either overwrite it, or tell the drive to clear it down, with a TRIM like command.

A drive that thinks it knows the file system - including future releases is dangerous.

There must also be danger if an NTFS disk is (quick) reformatted with say Linux leaving many NTFS structures in place.

Posted : 29/10/2012 10:07 pm
jaclaz
(@jaclaz)
Community Legend

> I would be terrified to use such a drive. A drive should be dumb and do as told. Write a sector, read a sector, and told it can clear a sector down. How it handles these commands is entirely up to a drive, but if I write a sector xxx I want to be able to read that sector until I either overwrite it, or tell the drive to clear it down, with a TRIM like command.

As a matter of fact I personally would like an even dumber kind of drive that doesn't have a (closed source/inaccessible) wear leveling algorithm or "transparent" (to the OS, thus completely "opaque") re-mapping of sectors.
Even on a "standard" modern hard disk the re-mapping of "bad" to "spare" or whatever, summed to on board large caches left "in the hands" of firmware of dubious validity/not tested properly is something I have difficulties in sleeping on with ease, and wait until you have a third stage, the so called hybrid drives, where you will have all mixed up cache (possibly on battery powered RAM), "real" sectors (on platter) and in the middle a SSD
http://en.wikipedia.org/wiki/Hybrid_drive
or, possibly even more complex, adding in it an additional software layer 😯
http://www.ocztechnology.com/synapse-faq
(which BTW "locks" on the machine hardware)
See also the Apple thingy Neddy posted about
http://www.forensicfocus.com/Forums/viewtopic/t=9852/
(cross linking)

jaclaz

Posted : 30/10/2012 12:35 am
trewmte
(@trewmte)
Community Legend

Just as a further link about SSD

http://en.wikipedia.org/wiki/Solid-state_drive

Posted : 30/10/2012 11:52 am
jaclaz
(@jaclaz)
Community Legend

..and an "in house" article )
http://articles.forensicfocus.com/2012/10/23/why-ssd-drives-destroy-court-evidence-and-what-can-be-done-about-it/

jaclaz

Posted : 30/10/2012 8:30 pm
ecophobia
(@ecophobia)
Active Member

I haven't been following this forum for some time now, been too busy with other things. When I finally got back, I was surprised to see SSD and Trim are still being discussed here.

As a few people (good to see them hanging around) already correctly pointed out here, everything and anything is possible with SSD technology.

TRIM may or may not be supported by design. In some cases such support is enabled by a simple firmware upgrade. Some SSD chip manufacturers have been recommending users not to enable TRIM, calling it 'a half-baked technology', offering instead their own 'garbage-collection' solution (SandForce comes to mind).

To add more, it is a well known fact that TRIM is not supported if SSD drives are used in RAID… unless you look at OCZ Revo drives sandwiched together in RAID 0 with TRIM fully supported.

So, generally speaking these exceptions prove the rule that everything is possible ... well, unless you had a chance to look at the particular technology before you power SSD ON ... or after, to learn how you could have saved some extra evidence oops

Posted : 30/10/2012 11:24 pm
trewmte
(@trewmte)
Community Legend

Questions about reliability of SSDs have been discussed recently in two articles

Why SSD Drives Destroy Court Evidence, and What Can Be Done About It Part 1
By Yuri Gubanov, Oleg Afonin Article Posted September 26, 2012

http://www.dfinews.com/article/why-ssd-drives-destroy-court-evidence-and-what-can-be-done-about-it-part-1

Why SSD Drives Destroy Court Evidence, and What Can Be Done About It Part 2
By Yuri Gubanov, Oleg Afonin Article Posted October 03, 2012

http://www.dfinews.com/article/why-ssd-drives-destroy-court-evidence-and-what-can-be-done-about-it-part-2

Posted : 01/11/2012 9:43 am
Chris_Ed
(@chris_ed)
Active Member

But that's not true of all SSDs. The one I use in one of my forensic workstations, for example, retains deleted data.

Posted : 01/11/2012 4:33 pm
mscotgrove
(@mscotgrove)
Senior Member

Chris_Ed

What are your forensic work stations (XP, Windows 7??)

How are the drives connected, directly or via USB or eSata?

Posted : 01/11/2012 6:01 pm
PaulSanderson
(@paulsanderson)
Senior Member

I argued that this needed to be implemented at a device driver level many years ago on this forum and that it was daft to assume that the drive understood the operating system - that discussion got quite heated so I stopped contributing to it.

Anyway

To see if TRIM is enabled, in an administrator cmd box type

fsutil behavior query disabledeletenotify

To enable TRIM

fsutil behavior set disabledeletenotify 0

To disable

fsutil behavior set disabledeletenotify 1

Posted : 01/11/2012 7:20 pm
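The fsutil commands in the post above only tell you the setting; on an acquisition workstation you usually want a repeatable check that the host will not send delete notifications (TRIM) to an attached evidence drive, and a warning when it will. The following PowerShell script is an added example written for this thread, not code from any poster or product; the function names are its own and the parsing assumes fsutil's usual output (a single `DisableDeleteNotify = N` line on Windows 7, one line per file system on later releases).

```powershell
# Added example (not from the thread): check whether this Windows host issues
# TRIM / delete notifications, and optionally turn them off before attaching
# an evidence drive. Only the fsutil commands quoted in the thread are used.
# All function names below are this example's own, not Windows built-ins.

function ConvertFrom-FsutilOutput {
    # Parses the text printed by "fsutil behavior query disabledeletenotify".
    # Windows 7 prints:            DisableDeleteNotify = 0
    # Windows 8 and later print:   NTFS DisableDeleteNotify = 0  (Disabled)
    #                              ReFS DisableDeleteNotify = 0  (Disabled)
    # A value of 0 means the OS WILL send TRIM for deleted files.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\s*(?:(?<fs>NTFS|ReFS)\s+)?DisableDeleteNotify\s*=\s*(?<value>[01])') {
            $fs = if ($Matches['fs']) { $Matches['fs'] } else { 'NTFS' }
            New-Object PSObject -Property @{
                FileSystem          = $fs
                DisableDeleteNotify = [int]$Matches['value']
                TrimIssuedByOS      = ($Matches['value'] -eq '0')
            }
        }
    }
}

function Get-DeleteNotifyState {
    # Runs the query command from the thread and returns one object per file system.
    $raw = & fsutil.exe behavior query disabledeletenotify 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "fsutil failed (is this an elevated prompt?): $raw"
    }
    ConvertFrom-FsutilOutput -Lines $raw
}

function Test-AcquisitionSafe {
    # True only when no reported file system will send delete notifications.
    $states = @(Get-DeleteNotifyState)
    $issuing = @($states | Where-Object { $_.TrimIssuedByOS })
    return ($states.Count -gt 0 -and $issuing.Count -eq 0)
}

function Disable-DeleteNotify {
    # Same as "fsutil behavior set disabledeletenotify 1" in the thread.
    # Needs an elevated prompt. This stops only what Windows itself issues;
    # a drive's own firmware garbage collection (discussed elsewhere in the
    # thread) is not affected by this setting.
    & fsutil.exe behavior set disabledeletenotify 1 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'could not disable delete notifications' }
}

# Usage: report the current state and warn before evidence is attached.
Get-DeleteNotifyState | Format-Table FileSystem, DisableDeleteNotify, TrimIssuedByOS -AutoSize
if (Test-AcquisitionSafe) {
    Write-Host 'OK: this host does not issue TRIM for deleted files.'
} else {
    Write-Warning 'This host issues TRIM; run Disable-DeleteNotify before attaching an evidence drive.'
}
```

On Windows 8 and later, fsutil also accepts a file-system argument (for example `fsutil behavior set disabledeletenotify ReFS 1`), so the two-argument form from the thread changes the NTFS setting only. The check is host-side: it says nothing about what the drive's controller does on its own, which is exactly the uncertainty the rest of this thread is about, so a hardware write blocker remains the primary control and this script is a sanity check for the workstation configuration.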
jaclaz
(@jaclaz)
Community Legend

> But that's not true of all SSDs.

http://www.forensicfocus.com/Forums/viewtopic/p=6562810/#6562810

> Right now it seems like everything (and the contrary of everything) is possible. 😯

http://www.forensicfocus.com/Forums/viewtopic/p=6562853/#6562853

> I haven't been following this forum for some time now, been too busy with other things. When I finally got back, I was surprised to see SSD and Trim are still being discussed here.
>
> As a few people (good to see them hanging around) already correctly pointed out here, everything and anything is possible with SSD technology.

Generalizing is (as often is) misleading.

Layman's example

Most land vehicles have wheels.
Most wheeled vehicles have brakes.
Most brakes are commanded by hydraulics.

Hence to cause an accident to a land vehicle you can (mostly) cut its hydraulic brake lines. 😯

Now, try cutting the hydraulic lines of a wheelbarrow. roll

Each SSD make/model may behave differently and even the same SSD make/model may behave differently in different setups/environments.

jaclaz

Posted : 01/11/2012 7:29 pm
ecophobia
(@ecophobia)
Active Member

I completely agree on generalization.
One might see the different meaning of my post.

Aesop

lol

Posted : 03/11/2012 10:38 pm
Jonathan
(@jonathan)
Senior Member

> Watch this video in its entirety....
>
> http://youtu.be/vLoYduckmuo

I don't have 45 minutes. Is there a precis available?

> @ Scottyxx - Can anyone give me some training resources / tips on what to do with SSDs?
>
> I am imaging one right now, and not sure what to expect. Can anyone shine some light on the matter?
>
> Am I likely to recover any deleted files? Will the auto-wearleveling feature mess up my evidence?
>
> Isn't everything we do in CF based on time consumption??

Yes; but I need to decide how to spend that time. As I'm neither aware of you or the video maker I think it's reasonable enough to ask for a precis before I dive in!

Posted : 04/11/2012 4:54 pm
Belkasoft
(@belkasoft)
Active Member

> Questions about reliability of SSDs have been discussed recently in two articles
> Why SSD Drives Destroy Court Evidence, and What Can Be Done About It Part 1
> By Yuri Gubanov, Oleg Afonin Article Posted September 26, 2012
> http://www.dfinews.com/article/why-ssd-drives-destroy-court-evidence-and-what-can-be-done-about-it-part-1
> http://www.dfinews.com/article/why-ssd-drives-destroy-court-evidence-and-what-can-be-done-about-it-part-2

I happen to be one of the authors of the article referenced below. It's also available here on FF http://articles.forensicfocus.com/2012/10/23/why-ssd-drives-destroy-court-evidence-and-what-can-be-done-about-it/

While not being a scientific research in a fully scientific view, this is still a pretty good snapshot of the state-of-the-art in SSD forensics by Sept. 2012. As far as I know, little changed since then. 500GB SSD's have been introduced, some Samsung drives broke previous price-per-gigabyte records, but that was about it.

SSD forensics remains being hit-or-miss. With SSD's, we're well into probabilistic forensics territory. TRIM may or may not work depending on how the drive was connected, which operating system, what file system, and what exactly was done to the data being destroyed. Crypto containers stored on SSD volumes are yet another matter and are also hit-or-miss, as some manufacturers enable garbage collection within their containers (normally with an option that's disabled by default) and some don't.

In a word, if a fairly modern SSD was used in a Windows 7 PC, connected internally via ATA, formatted with NTFS, no crypto containers, and some data was deleted, then probably that data is now gone. If any one of these conditions is not satisfied (e.g. Vista, or USB connection, or formatted with FAT, or data was stored within a crypto container, or the disk was corrupted - in which case the TRIM command is not being issued), then there are good chances that even deleted data can be restored with carving.

Otherwise, you'll only get whatever files are available (as in "not deleted").

Posted : 12/11/2012 5:03 pm
mykulh
(@mykulh)
New Member

I have always thought that the trim command only runs when the drive is in a 'quiet' state. I would like to think that imaging a drive, with all the reads, would leave the controller very little time to perform such tasks.
Having said that, I would resist connecting a drive up, going to lunch and starting the acquisition on my return.

There may be a little bit of sky falling syndrome on this. As pointed out above, there are lots of different setups and scenarios which would mean an SSD would perform the same as a normal mechanical drive, and once it is acquired the fact it is an SSD shouldn't really matter for examination.

Like Chris Ed, I have recovered plenty of deleted data from SSD drives, suspects and my own (different reasons of course), so I would like to suggest giving it a go and treat it as a normal HDD.

For future work, I think I will be looking a bit more into Mr Sanderson's comments, if I read it right and you can switch off the OS from issuing any housekeeping commands to the SSD that has to be a good thing for any forensic acquisition workstations.

It would be nice if those lovely makers of hardware write blockers also blocked these types of commands as well, if it is a standard ATA command would that be possible?

Mike

Posted : 13/11/2012 12:23 am