Thursday, 27 September 2012

Why SSD Drives Destroy Court Evidence, and What Can Be Done ...

Solid-state drives (SSDs) have introduced dramatic changes to the principles of computer forensics. Forensic acquisition of computers equipped with SSD storage is very different from how we used to acquire PCs using traditional magnetic media. Instead of predictable and highly possible recovery of information the suspect attempted to destroy, we are entering the muddy waters of stochastic forensics where nothing can be assumed as a given.

Stochastic Forensics
The way today's SSD drives operate allows little space for positive assumptions. With SSD drives, the only thing we can assume is that an investigator can access existing information stored on the disk. Deleted files and data the suspect attempted to destroy (for example by formatting the disk, even in "Quick Format" mode) may be lost forever in a matter of minutes.[1] And even if the computer is powered off immediately after a destructive command has been issued (e.g. a few minutes after the Quick Format), there is no easy way to prevent the disk from destroying the data once the power is back on. The situation is somewhat of a paradox, reminiscent of Schrödinger's cat: one will never know if the cat is alive before opening the box.[2]

The golden age of forensics is going to end. "Given the pace of development in SSD memory and controller technology, and the increasing proliferation of manufacturers, drives, and firmware versions, it will probably never be possible to remove or narrow this new grey area within the forensic and legal domain," scientists from Australia's Murdoch University wrote. "It seems possible that the golden age for forensic recovery and analysis of deleted data and deleted metadata may now be ending."[1]

Cannot Delete
The way SSD drives are constructed imposes several design limitations. Existing types of flash memory allow for a limited number of write operations before wearing out. Modern SSD drives employ smart wear leveling techniques[3] that, instead of re-using existing blocks of memory, will write to a different block when data stored in a certain block is being modified. This in turn will leave blocks containing potentially sensitive information scattered all over the memory chip.

To further increase effective lifespan and improve wear leveling on SSD drives, many manufacturers install chips that can hold up to 25% more data than their advertised capacities.[4] This extra capacity is not addressable by means of the operating system, or by any other reasonable means (e.g. without using custom hardware to access the flash chips directly). This also makes the content on SSD drives impossible to wipe as securely as required by some government and military standards via traditional means.

To mitigate this issue, some SSD manufacturers implemented an extension to the ATA ANSI specification to enable secure destruction of information stored on all flash chips.[5] The ATA Secure Erase (SE) command, when implemented correctly,[4] wipes the entire contents of the drive at a hardware level.
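The wear leveling, spare capacity and Secure Erase behaviour described in this section can be shown with a toy model. This is an added example, not code from the article: the `ToySSD` class, its page counts and its simplistic allocator and garbage collector are assumptions made for illustration and do not reflect any real controller.

```python
class ToySSD:
    """Constructed toy flash translation layer; not any vendor's firmware."""

    def __init__(self, logical_pages, spare=0.25):
        self.logical_pages = logical_pages                 # advertised capacity
        extra = max(1, int(logical_pages * spare))         # assumed 25% spare area
        self.flash = [None] * (logical_pages + extra)      # real capacity
        self.map = {}                                      # logical page -> physical page
        self.next_free = 0

    def write(self, lpn, data):
        """Host write: goes to a fresh page, the old page keeps its contents."""
        if not 0 <= lpn < self.logical_pages:
            raise IndexError("outside advertised capacity")
        if self.next_free == len(self.flash):
            self._garbage_collect()
        self.flash[self.next_free] = data
        self.map[lpn] = self.next_free
        self.next_free += 1

    def _garbage_collect(self):
        """Compact live pages; stale copies are destroyed only at this point."""
        live = [(lpn, self.flash[ppn]) for lpn, ppn in sorted(self.map.items())]
        self.flash = [None] * len(self.flash)
        for ppn, (lpn, data) in enumerate(live):
            self.flash[ppn] = data
            self.map[lpn] = ppn
        self.next_free = len(live)

    def read(self, lpn):
        """Host view, which is all a software wiping tool can verify."""
        ppn = self.map.get(lpn)
        return None if ppn is None else self.flash[ppn]

    def stale_copies(self, needle):
        """Chip-level view: pages holding `needle` that no logical address maps to."""
        mapped = set(self.map.values())
        return [p for p, d in enumerate(self.flash) if d == needle and p not in mapped]

    def secure_erase(self):
        """Models a correctly implemented ATA Secure Erase: all flash is cleared."""
        self.flash = [None] * len(self.flash)
        self.map.clear()
        self.next_free = 0

def demo():
    ssd = ToySSD(logical_pages=8)
    ssd.write(3, b"SECRET")
    for lpn in range(ssd.logical_pages):    # one-pass overwrite of every address
        ssd.write(lpn, b"\x00" * 6)
    host = [ssd.read(l) for l in range(ssd.logical_pages)]
    before = ssd.stale_copies(b"SECRET")
    ssd.secure_erase()
    return host, before, ssd.stale_copies(b"SECRET")
```

In this model the host reads zeros from every address after the overwrite while the original page still sits on the chip; a second overwrite pass happens to trigger garbage collection and destroys it, which is the timing-dependent outcome the article calls stochastic.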

Source: http://www.dfinews.com/article/why-ssd-drives-destroy-court-evidence-and-what-can-be-done-about-it-part-1

