
SSD Forensics

(@belkasoft)
Estimable Member
Joined: 17 years ago
Posts: 169
 

For future work, I think I will be looking a bit more into Mr Sanderson's comments. If I read it right, you can stop the OS from issuing any housekeeping commands to the SSD, which has to be a good thing for any forensic acquisition workstation.

The problem is, while you can configure the OS to not issue new TRIM commands, any pending garbage collection work will be committed by the SSD controller regardless. In fact, garbage collection may begin the moment the SSD is powered on even if no operating system is loaded.

Another side of the same issue is the way the TRIM command and garbage collection are implemented in various SSD controllers. Some controllers will return all zeroes just a moment after a data block is declared as "available" by the TRIM command. Even if the block still contains data, there will be no easy way to read that data, as the SSD controller will substitute it with zeroes. Technically, one can read the data directly off a flash chip, but that requires custom hardware and a lot of extra effort.

That said, some SSD controllers will allow accessing the actual data from pending blocks until the moment they're actually erased by the garbage collection process.

The bottom line is it's worth a try, but there's no guarantee.


   
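The point in the post above, that a controller may start returning zeros for "available" blocks on its own schedule, can be checked rather than assumed: image the drive twice and diff the passes. The following is an added example, not code from the original thread or from any of the tools it mentions. It compares two acquisitions block by block, classifies each changed block as "zeroed" (data in the first pass, all zeros in the second, the behaviour described for some controllers) or "rewritten" (any other change), and shows that the whole-image hashes no longer match. The sector size and the eight-block "device" are constructed for the demonstration.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Hypothetical sector size for the constructed images below.
BLOCK_SIZE = 512


@dataclass(frozen=True)
class BlockChange:
    lba: int    # logical block address that differs between the two passes
    kind: str   # "zeroed": data in pass A, all zeros in pass B; otherwise "rewritten"


def image_hash(image: bytes) -> str:
    """Whole-image SHA-256, the value an acquisition report would record."""
    return hashlib.sha256(image).hexdigest()


def compare_acquisitions(image_a: bytes, image_b: bytes,
                         block_size: int = BLOCK_SIZE) -> list[BlockChange]:
    """Diff two sequential acquisitions of the same device block by block.

    Blocks that went from data to all zeros are consistent with the controller
    substituting zeros for blocks it considers discarded (TRIM / garbage
    collection). Any other change is reported as "rewritten"; behind a write
    blocker that should not happen and needs explaining before either image
    is relied on.
    """
    if len(image_a) != len(image_b):
        raise ValueError("acquisitions differ in length; compare equal-sized images")
    changes: list[BlockChange] = []
    for lba in range(len(image_a) // block_size):
        start = lba * block_size
        a = image_a[start:start + block_size]
        b = image_b[start:start + block_size]
        if a == b:
            continue
        kind = "zeroed" if not any(b) else "rewritten"
        changes.append(BlockChange(lba, kind))
    return changes


def summarize(changes: list[BlockChange]) -> dict[str, int]:
    """Count changed blocks per category."""
    counts = {"zeroed": 0, "rewritten": 0}
    for change in changes:
        counts[change.kind] += 1
    return counts


def build_sample_images() -> tuple[bytes, bytes]:
    """Constructed sample: an 8-block 'device' imaged twice.

    Pass A still holds the content of a deleted file in blocks 1..3. Between
    the passes the controller has reclaimed those blocks and now returns zeros
    for them; block 6 is also altered to exercise the "rewritten" path.
    """
    def block(fill: bytes) -> bytes:
        return (fill * (BLOCK_SIZE // len(fill) + 1))[:BLOCK_SIZE]

    zeros = bytes(BLOCK_SIZE)
    pass_a = [
        block(b"\x55\xaa"),          # 0: live metadata
        block(b"deleted-file-1 "),   # 1: deleted file, data still readable
        block(b"deleted-file-2 "),   # 2
        block(b"deleted-file-3 "),   # 3
        zeros,                       # 4: never written
        block(b"live-data-5 "),      # 5: live data
        block(b"live-data-6 "),      # 6: live data
        block(b"live-data-7 "),      # 7
    ]
    pass_b = list(pass_a)
    pass_b[1] = pass_b[2] = pass_b[3] = zeros   # controller zeroed the discarded blocks
    pass_b[6] = block(b"LIVE-DATA-6 ")          # unexplained content change
    return b"".join(pass_a), b"".join(pass_b)


if __name__ == "__main__":
    a, b = build_sample_images()
    print("pass A:", image_hash(a))
    print("pass B:", image_hash(b))
    for change in compare_acquisitions(a, b):
        print(f"LBA {change.lba}: {change.kind}")
    print(summarize(compare_acquisitions(a, b)))
```

On a real drive the two inputs would be the raw images from two passes taken some time apart (with the drive left powered between them); a non-empty "zeroed" list documents that the controller, not the examiner, altered the evidence, which is exactly the situation the post warns a write blocker cannot prevent.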
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

As I see it, the real issue is that since - as said - everything and the contrary of everything is possible, at least in theory, and since we are not talking of trifling matters, but of evidence that often needs to be sound enough to be the very foundation for the decision to either condemn or discharge/acquit someone in a civil case or criminal court, there are very few possibilities.

Unless (and *somehow*) a correct, exact, verified and re-verified database of all SSD devices is made available (possibly without the cooperation of manufacturers that AFAIK tend to hide - understandably - behind patents, reserved procedures, and what not the exact way their devices work), and such database info is used to adopt on a "case by case" basis the most suited approach, the only "greatest common divisor" could be a "chip-off" procedure, that carries with it quite a few caveats:

  1. the actual operators will need to gain new skills in hardware handling and "hacking"
  2. there seem to be not that many products on the market capable of reading chips
  3. in any case there is evidently a lack of specific, verified information on the chip mappings, so that there is no actual certainty about the results of a successful read directly from chip
  4. due to the lack of info on the actual specifications/manufacturer wear leveling/remapping algorithms, re-converting the "objective" RAW-RAW data from the direct read to at least RAW filesystem data could be daunting (and not guaranteed to succeed)

The Ming the Merciless board depicted in one of the articles is nothing but a prototype built by the UCSD
http://www.usenix.org/events/fast11/tech/full_papers/Wei.pdf

There are actual commercial devices capable of doing that, I know about
http://flash-extractor.com/
(but there could be others)

But the point remains about their documentation and specifically about documentation on the single devices/controllers/chips.

If I am allowed a comparison with data recovery, the tool that is commonly used, the PC-3000, is in itself a "simple" piece of (specialized) hardware; its "added value" is given by the actual resources/research/data that the actual makers do and update constantly.

But the whole data recovery business has IMHO far less stringent requisites about "validation" than digital forensics, I mean, the worst that can happen if a firmware fix or module load fails is that you go to the customer and tell him/her (it depends on personal styles/policies) "The data was not recoverable" or "Unfortunately the failure was worse than we initially thought" or the like, but no one goes to prison (or is left free unjustly after having committed a crime), there is simple loss of data, costly as it might be, but people (and society) can normally overcome that.

I presume that it is way tougher to go to a judge and tell him (say) "No meaningful data was on the device" with a prosecution (or defense) attorney (and his/her "expert witness") ready to attack you on the procedure you used (that might be, BTW in perfect good faith, incorrect and actually the cause of the loss of evidence).

jaclaz


   
gmlw0908
(@gmlw0908)
Active Member
Joined: 15 years ago
Posts: 15
 

Give benrhysjenkins@gmail.com a message, he did a dissertation on this as his final project. I'm sure he will send it to you :) If not, leave your e-mail with me and I'll ask him to send it :D


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Give [e-mail removed] a message, he did a dissertation on this as his final project. I'm sure he will send it to you :) If not, leave your e-mail with me and I'll ask him to send it :D

Are you really sure it is appropriate to publish a third party's personal e-mail on a public forum?

jaclaz


   
gmlw0908
(@gmlw0908)
Active Member
Joined: 15 years ago
Posts: 15
 

He is my boyfriend, we both studied BSc (Hons) Forensic Computing so yes he does know.

Thank you for your concern…


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

He is my boyfriend, we both studied BSc (Hons) Forensic Computing so yes he does know.

Thank you for your concern…

You are welcome :), I am sure a lot of e-mail harvesters will appreciate this.

Just in case, besides the appropriateness of posting a third-party e-mail address on a public forum, it is not particularly "smart" (unless you are putting together an e-mail spam honeypot) to publish on a public forum *any* e-mail address, including your own.

Much more loosely, wouldn't it be easier/nicer to publish the actual dissertation by uploading it to a web hosting service, blog, etc. and post the web address to it?

jaclaz


   
gmlw0908
(@gmlw0908)
Active Member
Joined: 15 years ago
Posts: 15
 

No.

Thanks


   
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

Questions about the reliability of SSDs have been discussed recently in two articles:
Why SSD Drives Destroy Court Evidence, and What Can Be Done About It, Part 1
By Yuri Gubanov, Oleg Afonin. Article posted September 26, 2012
http://www.dfinews.com/article/why-ssd-drives-destroy-court-evidence-and-what-can-be-done-about-it-part-1
http://www.dfinews.com/article/why-ssd-drives-destroy-court-evidence-and-what-can-be-done-about-it-part-2

I happen to be one of the authors of the article referenced above. It's also available here on FF: http://articles.forensicfocus.com/2012/10/23/why-ssd-drives-destroy-court-evidence-and-what-can-be-done-about-it/

While not scientific research in the strict sense, this is still a pretty good snapshot of the state of the art in SSD forensics as of Sept. 2012. As far as I know, little has changed since then. 500GB SSDs have been introduced, some Samsung drives broke previous price-per-gigabyte records, but that was about it.

SSD forensics remains hit-or-miss. With SSDs, we're well into probabilistic forensics territory. TRIM may or may not work depending on how the drive was connected, which operating system, what file system, and what exactly was done to the data being destroyed. Crypto containers stored on SSD volumes are yet another matter and are also hit-or-miss, as some manufacturers enable garbage collection within their containers (normally with an option that's disabled by default) and some don't.

In a word, if a fairly modern SSD was used in a Windows 7 PC, connected internally via ATA, formatted with NTFS, no crypto containers, and some data was deleted, then probably that data is now gone. If any one of these conditions is not satisfied (e.g. Vista, or USB connection, or formatted with FAT, or data was stored within a crypto container, or the disk was corrupted - in which case the TRIM command is not being issued), then there are good chances that even deleted data can be restored with carving.

Otherwise, you'll only get whatever files are available (as in "not deleted").

I found both of your (Yuri, Oleg) contributions in this area very useful. Good article, well done.


   
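The post above makes TRIM behaviour depend on OS, connection and filesystem, and the earlier post suggests configuring the acquisition workstation so it never issues TRIM itself. What follows is an added example, not code from the thread or from the article's authors, for auditing a Linux acquisition workstation for the two ways the OS sends TRIM: the `discard` mount option (online TRIM on delete) and the systemd `fstrim.timer` (periodic TRIM of every mounted filesystem). It parses `/proc/mounts` text; the sample mount table is constructed, and the systemd timer check is an assumption about the workstation using systemd.

```python
from __future__ import annotations

import subprocess


def discard_mounts(mounts_text: str) -> list[str]:
    """Return mount points whose options enable online discard (TRIM on delete).

    Input is the text of /proc/mounts: device, mount point, fstype, options, ...
    Matches 'discard' and 'discard=<mode>' (as btrfs uses), but not 'nodiscard'.
    """
    hits: list[str] = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mountpoint, options = fields[1], fields[3].split(",")
        if any(opt == "discard" or opt.startswith("discard=") for opt in options):
            hits.append(mountpoint)
    return hits


def trim_findings(mounts_text: str, fstrim_timer_active: bool) -> list[str]:
    """Findings for an acquisition workstation: every way the OS will send TRIM."""
    findings = [f"online discard enabled on {mp}" for mp in discard_mounts(mounts_text)]
    if fstrim_timer_active:
        findings.append("fstrim.timer is active: periodic TRIM of every mounted filesystem")
    return findings


def live_findings() -> list[str]:
    """Run the same checks against the running Linux host (assumes systemd)."""
    with open("/proc/mounts") as f:
        mounts_text = f.read()
    result = subprocess.run(["systemctl", "is-active", "fstrim.timer"],
                            capture_output=True, text=True)
    return trim_findings(mounts_text, result.stdout.strip() == "active")


# Constructed /proc/mounts sample: the root and a scratch volume mount with
# discard enabled; the evidence drive is read-only and has no discard option.
SAMPLE_MOUNTS = """\
/dev/nvme0n1p2 / ext4 rw,relatime,discard 0 0
/dev/sda1 /mnt/evidence ext4 ro,noload 0 0
/dev/sdb1 /mnt/scratch btrfs rw,relatime,discard=async 0 0
/dev/sdc1 /mnt/archive ext4 rw,relatime,nodiscard 0 0
tmpfs /tmp tmpfs rw,nosuid 0 0
"""

if __name__ == "__main__":
    for finding in trim_findings(SAMPLE_MOUNTS, fstrim_timer_active=True):
        print(finding)
```

The Windows equivalent of the same check is `fsutil behavior query DisableDeleteNotify` (set it to 1 to stop TRIM notifications). Either way, as the earlier post notes, this only stops the host from issuing new TRIM commands; garbage collection the controller has already queued proceeds regardless.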
Chris_Ed
(@chris_ed)
Reputable Member
Joined: 16 years ago
Posts: 314
 

Much more loosely, wouldn't it be easier/nicer to publish the actual dissertation by uploading it to a web hosting service, blog, etc. and post the web address to it?

No.

Oh jaclaz, you so crazy with your request to allow the material to be viewed and critically appraised by everyone.



   
Jamie
(@jamie)
Moderator
Joined: 5 years ago
Posts: 1288
 

C'mon guys, gmlw0908 helpfully suggested a potentially useful source of information. Whether or not she's happy to post an email address publicly or share the paper more broadly is really up to her - I don't see any need for these responses. If we genuinely want to encourage students to share their research, this isn't the way to do it.

Jamie


   