With the increased use of solid state drives (SSDs) in desktop and especially laptop computers, computer forensic examiners and the software they use face new challenges in recovering data from these drives, data that was easy to obtain from the older hard disk drives (HDDs) that are still the majority drive type.
Solid state drives entered mainstream public computing in 2007 with their inclusion in various netbook-class devices by Dell and Asus, among others. Initial drive sizes were 4-8GB; current drive sizes are topping out at almost 1TB. SSDs offer fast performance (740MB/s sequential speeds) and low power consumption, usually 1/2 to 1/3 that of their desktop and laptop HDD counterparts. Given these facts and their mainstream adoption (as of October 2010, Apple's MacBook Air line carries solid state drives as standard), SSDs are showing up more and more in computer forensic cases. Two recent articles I found on the web spurred me to write this article. Those articles claimed that SSDs were 'destroying forensic evidence' and that criminals were 'outsmarting the law' when they used SSDs. I found this quite interesting and decided to take a look at what was causing this problem for forensic examiners. According to the article 'High-tech criminals outsmarting the law', when a user performs even a quick format -
“…we saw that shortly after reboot the entirety of the files were damaged and almost all were purged completely, including their filesystem and metadata records,” the study found. “After only a few minutes of sitting idle, only a single file among 316,666 was even 50 per cent recoverable; and only 0.03 per cent of data was recoverable. The contrast is startling.”
This is in contrast to a standard HDD, on which nearly all of the files could be recovered using standard methods after a quick format, regardless of whether the system was rebooted. The purging of data also occurs when forensic investigators attach a physical write-blocker. Write-blockers “allow(s) acquisition of information on a hard drive (when it is copied to another storage device) and are the staple of computer forensic acquisition and are used to ensure there is no accidental damaging of the drive contents.” After examining an SSD for traces of data after it had been quick formatted, the team expected the purging routines to kick in around 30-60 minutes later, a process that must happen on SSDs before new data can be written to those blocks. To their surprise, this happened in only three minutes, after which only 1,064 out of 316,666 evidence files were recoverable from the drive (text block from 'SSD firmware destroys digital evidence, researchers find'). A paper by Graeme Bell and Richard Boddington of Perth's Murdoch University, published in the Journal of Digital Forensics, poses a couple of scenarios that highlight the issues faced -
- Scenario 1a/1b: An innocent member of the public decides to reformat their drive and reinstall Windows because of a virus or slow performance (alternatively, a criminal has a drive containing evidence of their activities and reformats it). They ‘quick format’ the drive, but then decide to make a cup of tea before continuing. Meanwhile, the SSD’s controller chip analyses the new filesystem and determines that few of the disk blocks are in use. The SSD resets most of the data blocks to prepare them for use, purging all of the data that was previously on the disk. When police seize the computer a few minutes later, they find it to be almost completely empty of data. A forensic analyst later wonders: was there ever anything illegal there, and if so, did the suspect knowingly purge that illegal data from the drive?
- Scenario 2a/2b: An innocent member of the public (or a criminal) quick formats an SSD or deletes their files, for innocent (or nefarious) reasons. Police seize the computer a few seconds later. Upon being connected to power, the drive begins to erase itself even while the forensic investigator is trying to read data from the drive. The forensic investigator suspects the existence of a ‘logic bomb’ intentionally put in place to prevent data from being used as evidence.
The research team made the following statement in their paper -
Evidence stored on modern internal primary storage devices can be subject to a process we label ‘self corrosion’. What is meant by this is that even in the absence of computer instructions, a modern solid-state storage device can permanently destroy evidence to a quite remarkable degree, during a short space of time, in a manner that a magnetic hard drive would not. Here, the phenomenon of solid-state drive (SSD) self-corrosion is proven to exist through experimentation using real world consumer hardware in an experimentally reproducible environment.
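The mechanism behind the scenarios and the ‘self corrosion’ statement above, as an added Python simulation that is not from this article or from the Bell and Boddington paper: a quick format rewrites only the allocation metadata, so carving still finds the files on the HDD model, whereas the SSD model is told which blocks are free (TRIM) and its garbage collection erases them during idle time with no host command, which is why a write-blocker on the host interface does not prevent it. The Drive class, the 16-byte block size and the ‘EVID’ file signature are constructed for the illustration.

```python
BLOCK = 16  # constructed block size in bytes (real drives use 4KiB pages)


class Drive:
    def __init__(self, n_blocks, ssd):
        self.ssd = ssd
        self.blocks = [bytes(BLOCK)] * n_blocks
        self.in_use = set()      # filesystem metadata: allocated block numbers
        self.free_hint = set()   # blocks the SSD controller has been told are free

    def write_file(self, payload):
        chunks = [payload[i:i + BLOCK].ljust(BLOCK, b"\x00")
                  for i in range(0, len(payload), BLOCK)]
        free = [i for i in range(len(self.blocks)) if i not in self.in_use]
        for i, chunk in zip(free, chunks):
            self.blocks[i] = chunk
            self.in_use.add(i)
            self.free_hint.discard(i)

    def quick_format(self):
        # Only the allocation metadata is rewritten; payload blocks stay intact.
        freed = set(self.in_use)
        self.in_use.clear()
        if self.ssd:
            self.free_hint |= freed   # OS issues TRIM for the now-free blocks

    def idle(self):
        # Garbage collection runs inside the drive without any host command, so a
        # write-blocker cannot stop it: every block known to be free is erased.
        if self.ssd:
            for i in self.free_hint:
                self.blocks[i] = bytes(BLOCK)
            self.free_hint.clear()


def carve(drive, signature):
    """Forensic carving: count raw blocks carrying a file signature, ignoring metadata."""
    return sum(1 for b in drive.blocks if b.startswith(signature))


def recoverable_after_format(ssd, n_files=100):
    """Return (files carved before quick format, files carved after format + idle)."""
    d = Drive(n_blocks=256, ssd=ssd)
    for k in range(n_files):
        d.write_file(b"EVID" + k.to_bytes(2, "big"))   # constructed evidence files
    before = carve(d, b"EVID")
    d.quick_format()
    d.idle()                                          # the "cup of tea" in scenario 1
    return before, carve(d, b"EVID")
```

`recoverable_after_format(ssd=False)` returns (100, 100) while `recoverable_after_format(ssd=True)` returns (100, 0), matching the HDD-versus-SSD contrast the study describes.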
The team made the following recommendations and guidance -
- Formatting of disks is a normal and reasonable activity that an innocent person might choose to do e.g. to improve the performance of an SSD drive, to tidy up the disk etc. yet may completely eradicate evidence from a disk. Such eradication of evidence may occur within minutes.
- We cannot guarantee previously deleted file data to be preserved on an SSD, regardless of whether the drive image was taken during a ‘live’ capture of evidence or following a ‘dead’ capture of evidence.
- Drives can clearly self-modify their data after physical evidence has been gathered, despite best practice efforts by forensic analysts to prevent such behaviour using traditionally effective means such as write-blockers.
- A software or hardware-based write-blocker does not protect against the drive’s internal firmware choosing to wipe data from the drive.
- The speed at which corrosion of digital evidence takes place should be expected to increase even further as garbage collection algorithms become more aggressive in cleaning up, and drives become faster, and more powerful controller chips become available.
- We think it would be unwise to assume that irreversible file erasure suggests intent to destroy evidence in cases where a defendant has quick-formatted a drive prior to police seizure. There are reasonable circumstances (viruses, slow performance, upgrading) that might cause normal and innocent people to quick format their drive without realising that garbage collection would cause the appearance of ‘secure deletion’.
- It is possible that the issues found in this paper will later come to affect USB flash drives as well; having invested in technology that makes NAND flash systems run much faster, it would be very peculiar if manufacturers failed to adopt it across their product range. The increasing availability of high-speed interfaces for portable media such as USB3 makes it likely that we will see more of these complex, evidence-corroding drive controllers in portable USB drives in future.
Computer storage manufacturer Western Digital said it estimated that worldwide sales of SSDs were $1 billion last year, compared to $35 billion for traditional hard drives. But SSD sales are expected to continue growing as computer manufacturers migrate to the new technology.
All five parts of a talk given at DefCon 16 in August 2008. The speaker is Scott Moulton, a computer forensics expert and data recovery specialist from Woodstock, Georgia.