Tuesday, 26 February 2013

SSD Drives Destroy Evidence


Today I am posting a short abstract: the most important facts, a summary of the research, conclusions, and links to great documentation and conducted experiments.

The authors of the tests claim that solid-state drives (SSDs) have the ability to destroy evidence of their own volition. While the acquisition of forensic data from standard magnetic disks is fairly well described, it seems that much remains to be done in the field of SSDs. Here I would like to introduce some terms, such as self-contamination, garbage collector, and wear-leveling.
Most importantly, we need to know how SSD technology works. For this, search Google and find any article covering the most important facts, just to know and understand the principles. During the acquisition stage of an investigation we need to follow a ‘sound’ methodology; the importance of not destroying evidence is obvious. To minimize alteration to the system, the recovery/collection process should include prevention of overwriting.

Here, the phenomenon of solid-state drive (SSD) self-corrosion is proven to exist through experimentation using real world consumer hardware in an experimentally reproducible environment.

SSD technology uses a wear-leveling scheme, which means that the SSD's controller tries not to write continually to the same place. Then we have something called the ‘translation layer’ (Flash Translation Layer), which keeps track of where the computer thinks it is writing (also check TRIM). For performance purposes, SSD manufacturers have developed a ‘garbage collector’ or ‘self-healing’ technique to reset particular sectors of the SSD so that they are prepared for incoming writes.

For the full test review and conclusions, please see "Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery?" by Graeme B. Bell and Richard Boddington: http://www.jdfsl.org/subscriptions/JDFSL-V5N3-Bell.pdf.

Another awesome article reveals an additional portion of information:
Today’s SSDs self-destroy court evidence through the process that can be called “self corrosion”. Garbage collection running as a background process in most modern SSDs will permanently erase data marked for deletion, making it gone forever in a matter of minutes after the data has been marked for deletion. It is not possible to prevent garbage collection by moving the disk to another PC or attaching it to a write blocking device. The only way to prevent self-corrosion is physically detaching the disk controller from flash memory chips storing the data, and then accessing the chips directly via custom hardware. 

Blocks of data processed by the garbage collector are physically erased. Information from such blocks cannot be recovered even with the use of hardware and blockers. Forensic researchers named this process “self-corrosion” (Q3 2012: State of the art in SSD forensics).

Preventing the operation of internal garbage collection is only possible by physically disconnecting the built-in controller from the actual flash chips, and accessing information stored in the chips directly.
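A practical consequence of the self-corrosion described above is that two images of the same SSD taken some minutes apart may not hash the same, even behind a write blocker. The Python code below is an added example, not from this post's sources: it compares two acquisitions chunk by chunk and flags chunks that held data in the first image but read back as zeros in the second. It assumes erased blocks read as zeros (this is drive-dependent) and uses constructed in-memory sample images; `diff_acquisitions`, `summarize` and `build_sample_images` are names made up for this example.

```python
import hashlib
import io

CHUNK = 4096  # comparison granularity in bytes (assumed, not a real flash page size)


def diff_acquisitions(first, second, chunk=CHUNK):
    """Compare two images (binary file objects); return both SHA-256 digests and changed chunks."""
    h1, h2 = hashlib.sha256(), hashlib.sha256()
    changes, offset = [], 0
    while True:
        a, b = first.read(chunk), second.read(chunk)
        if not a and not b:
            break
        h1.update(a)
        h2.update(b)
        if a != b:
            # 'zeroed': data present in the first image, all zero bytes in the second
            zeroed = len(a) == len(b) and any(a) and not any(b)
            changes.append((offset, "zeroed" if zeroed else "modified"))
        offset += max(len(a), len(b))
    return h1.hexdigest(), h2.hexdigest(), changes


def summarize(changes, chunk=CHUNK):
    """Count changed chunks per kind and the number of bytes that turned to zeros."""
    zeroed = sum(1 for _, kind in changes if kind == "zeroed")
    return {"zeroed_chunks": zeroed,
            "modified_chunks": len(changes) - zeroed,
            "zeroed_bytes": zeroed * chunk}


def build_sample_images():
    """Constructed sample: 8 chunks; chunks 2 and 5 read as zeros in the second image."""
    chunks = [bytes([i + 1]) * CHUNK for i in range(8)]
    image1 = b"".join(chunks)
    for i in (2, 5):
        chunks[i] = bytes(CHUNK)
    return io.BytesIO(image1), io.BytesIO(b"".join(chunks))


if __name__ == "__main__":
    img1, img2 = build_sample_images()
    d1, d2, changes = diff_acquisitions(img1, img2)
    print("hashes match:", d1 == d2, changes)
    print(summarize(changes))
```

On real evidence, pass two image files opened in binary mode; a list of 'zeroed' offsets documents which regions changed between acquisitions when the hashes no longer match.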

Digital investigation science is changing on an almost daily basis, so we need to stay focused, watch how the scene is evolving, be proactive, and not lose the big picture! :)
