SSD Drives Destroy Evidence

Today, posting a short abstract: the most important facts, researches summary , conclusions and links to great documentation and conducted experiments.   

Authors of tests claim that solid-state drives (SSDs) have the ability to destroy evidence under their own will.  While the acquisition of forensic data from standard magnetic disks is fairly good described, is seems that much remain to be done on the field of SSDs. Here I would like to introduce some terms, such as; self-contamination, garbage-collector, or wear-leveling.

The most important, we need to know how the SSD technology works. For this, check google and find any article for most important facts, just to know and understand the principles. During acquisition stage of investigation we need to follow some ‘sound’ methodology; what is obvious is the importance to do not destroy evidence. To minimize alteration to the system, the recovery/collection process should include prevention of overwriting.

Here, the phenomenon of solid-state drive (SSD) self-corrosion is proven to exist through experimentation using real world consumer hardware in an experimentally reproducible environment.

SSD technology uses wear-leveling schema, which means that driver of ssd disk is trying not to continually write on the same place. Then we have something called ‘translation layer’ (Flash Translation Layer_that keeps in mind where the computer thinks is writing (also check TRIM). For performance purposes SSDs manufactures have developed ‘garbage collector’ or ‘self healing’ technique to reset particular sectors of SSD disk to be prepared for incoming writing.For full test review and conclusions please follow Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery? Graeme B. Bell and Richard Boddington http://www.jdfsl.org/subscriptions/JDFSL-V5N3-Bell.pdf.

Another awesome article reveals additional portion of information:

Today’s SSDs self-destroy court evidence through the process that can be called “self corrosion”. Garbage collection running as a background process in most modern SSDs will permanently erase data marked for deletion, making it gone forever in a matter of minutes after the data has been marked for deletion. It is not possible to prevent garbage collection by moving the disk to another PC or attaching it to a write blocking device. The only way to prevent self-corrosion is physically detaching the disk controller from flash memory chips storing the data, and then accessing the chips directly via custom hardware. 

Taken from http://forensic.belkasoft.com/download/info/SSD%20Forensics%202012.pdf

Blocks of data processed by garbage collector are physically erased. Information from such blocks cannot be recovered even with the use of  hardware and blockers. . Forensic researchers named this process as “self-corrosion” (Q3 2012: State of the art in SSD forensics)

 Preventing the operation of internal garbage collection is only possible by physically disconnecting the built-in controller from actual flash chips, and accessing information stored in  the chips directly.

The digital investigation science is changing on almost daily basic, so we need to stay focused, watch  how the scene is evolving ,be proactive and do not lose the big picture !:)

Security information and event management (SIEM)

SIEM systems perform two main functions, according  to documentation:

Security information management (SIM) : This sub-system (historically), was designed for      compliance purposes(policy) and threat management. SIM was designed to collect, report and prematurely analyze logs (it was not created to provide sophisticated methods of correlation or any). Logs/flows can be taken from any network/security devices but also from servers, databases and applications. Additionally , more often SIEMs are supporting variety of network appliances making the connections more effective and flexible.

Security event management (SEM): SEM is – or was – responsible for aggregating, correlating and analyzing logs for real time needs. It is crucial for incident response, clear and wide visibility into infrastructure and reporting.

During some lectures I was trying to figure out which type of data warehouse SIEM is – if SIEM is a warehouse at all.  Looking for words combination ‘warehouse SIEM’ I found some articles:

…approaches SIEM as a data management issue. …solution is built atop an event data warehouse that leverages a columnar database uniquely designed for time-stamped, unstructured data to be correlated and analyzed,  either in real time or over months or even years. The solution runs on a platform employing massively parallel processing and commodity hardware and storage for  enhanced load and query throughput, very high data compression (…)  and  extremely large data retention (up to petabytes a year). It provides the ability to correlate events across multiple data  sources and systems, either in real-time or on a historical basis.

Taken from : http://www.sensage.com. It seems that SIEM can be some kind of hybrid between OLAP and OLTP warehouses or even a modification of mediatory system – easy access to real time data (structured, parsed and correlated) but also giving information about trends, statistics and other historical patterns (which are capabilities of standard database warehouses). But before moving forward, let look at what ‘standard’ features provide SIEM:

Log management : supports effective correlation (indexing), collection. There are deployed mechanism for fast and efficient searches.  System should also support reporting and capability to attach external data sources – not only those standard (for example syslog or more exclusive opsec).

Compliance/event managment : allows for signatures creation (behavioral anomalies rules also) . What is more, it supports incident handling and documentation.

Visibility and dashboarding : SIEM provides clear dashboards to view system availability and performance (ideal situation) . Alert notificatiosn and trends can be viewed in easy format.

Log source management: system allows for maintenance, tuning, editing and additional extensions (third party software as example).

External data sources/feed: SIEM should be accessible and aggregate also non-standard information taken from outside of infrastructure.

Moving back to warehouses. Basing on this article http://www.networkworld.com  ,we are finding the definition for Security Data Warehouse, which is:

(…)  making security decisions based on mining business intelligence and combining it with security-related event data from security devices.
Today, security analysis more typically relies on what's known as security information and event management (SIEM) tools which can aggregate security and other technical information for a birds-eve view of network activity or detect possible unauthorized actions. (…) but it's now possible to go further through correlation of business activities, based on feeds from other sources too.
 A SIEM may have trouble "dealing with massive amounts of historical data," (…) but by using the Hadoop framework with core components that can handle "terabytes, even petabytes of information," it's possible to achieve better analysis by combining business and security data. " A SIEM becomes one main feed into the Security Data Warehouse. Improved historical analysis is also resulting," (…)

 The conclusion may be: SIEM is the sub-system for bigger mechanism that can provide predictive analytics and possibly track anomalies. Basing on that hypothesis SIEM alone is not typical data warehouse as it provides real time information and trends (rrd), collects information for compliance regulatory but very limited in terms of post-factum response or data mining. To some point it is a hybrid warehouse giving ideas (and even limited capabilities) of big data approach (statistics, historical patterns, rrd dashboards .etc)  but possibly to weak to compete with the typical one. SIEM is a main component in Security data warehouse that is now in developmental and evolutionary status - Big data.

(…) Security Data Warehouse approach is making it more possible to detect phishing attempts by analyzing email and other events, "and that allows you to respond more quickly than in the past."

I would like to stop here, and strongly  encourage you to read following materials.

http://www.sans.org/reading_room/

http://www.sans.org/score/

http://www.hpenterprisesecurity.com/collateral/report/GartnerMQ_SIEM_2011.pdf

http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf - Guide to Computer Security Log Management (Recommendations of the National Institute of Standards and Technology)

Threats - announcement

Today, just a little bit about threats that we are facing today, and that are getting to be more serious in coming years. Short and kind a ‘high-level’ discussion to give the wide context and ideas.

Firstly, it should be said that apart from new sophisticated types of attacks (APT, AET, ... ), we should not forget about legacy infrastructure, which still is fundamental and crucial. Just to mention, firewalls (NGFW are awesome, but still),  IDS/IPS, NIDS/HIPS, AVs, policy, standards, end-user awareness, etc. When saying and listing these ‘standard’ and essential ways of protection (layers of security) I have SIEM infrastructure in mind. It is impossible to have it all, and understand and  have wide and clean visibility into company protection. Event management system and correlation is a must in bigger companies with big infrastructure .etc, somebody may ask what does mean ‘big’ or when company needs specific type of protection. I suppose this is all about risk management. Having those applied into our company we have context and visibility – very often we are able to shorten incident response, and filter out tons of – let say – unknown activity.

Recently, on one of webinars, lecturer mentioned and pointed out, that 24x7 coverage is major component of efficient incident response. Attackers are smart guys, and very often they know when the risk of being caught is the lowest – summer/vacation time, weekends ... etc. Now, I would like to go through several important aspects of ‘modern threats’. BYOD and popularity of social media. In my opinion the increasing popularity and ease of using internet communicators app, smart devices are lowering security (on the other hand comfort level is growing).  Very often people who are using this devices/apps are not technical educated persons – they are not aware of risk and threats waiting for them. Cloud technologies, easy access to global net and fast internet are also a problem for security. Here I should write several words about insider threat. IT espionage, IT sabotage or just spying are known to IT security; and this is a serious problem in field of DLP/DRM.

Moving forward, to have a robust picture of what happened we should have digital forensic on board. Awesome technologies such as E-Discovery or Triage will be great idea for hunting or just quickly checking what happened. In depth-analysis could be performed with tools for post-mortem analysis (X-Ways, Encase, FTK, .etc). On the other hand we have wide range of capture – package appliances, which is a great source of alerts (+SIEM).

Having said that, do not forget about apps (huge problem with application in companies and validations/ white listing .etc). Pentesting and audit should be considerated. Another field and great opportunity for security is vulnerability scanning, code analysis and whitelisting.