SSDs Cause Crisis For Digital Forensics 491
rifles only writes "Firmware built into many solid state drives (SSDs) to improve their storage efficiency could be making forensic analysis at a later date by police forces and intelligence agencies almost impossible to carry out to legally safe standards, Australian researchers have discovered. They found that SSDs start wiping themselves within minutes after a quick format (or a file delete or full format) and can even do so when disconnected from a PC and rigged up to a hardware blocker." So either SSDs are really hard to erase, or really hard to recover. I'm so confused.
Good. (Score:5, Insightful)
Deleted, should mean deleted.
Encrypt your data (Score:5, Insightful)
Well... (Score:5, Insightful)
So either SSDs are really hard to erase, or really hard to recover. I'm so confused.
All I know is that if SSDs were really hard to erase, and I was in the business of recovering data that other people didn't want recovered, this is exactly the kind of story that I would tell them so that they would continue using SSDs.
Not that I'm paranoid or anything.
Re:trim/discard (Score:4, Insightful)
Deleting a file should tell the OS that I don't need that data. That's what deleting is.
Re:Solution is simple, but not easy (Score:5, Insightful)
Bingo. Forensic tech are used to being able to just plug in a write-blocker and assume the disk will remain intact and unchanged, which is the "legally safe" part they are complaining about. Since SSDs do lots more under the hood than spinning rust drives, they can't guarantee the device is unchanged unless they disassemble it, which might be considered tampering and leaves room for the other side's lawyers to ask "and then you took a soldering iron to a delicate IC?".
It also requires a lot more know-how than "Use this magic cable when copying drives for investigation".
Re:Why can't they make up their minds (Score:5, Insightful)
It's not hard really. The drives autoclean themselves. So when you delete the inode reference to a given data file, it will be completely much more quickly that on a normal magnetic drive (which won't reclaim the space till it's needed). On the other hand it won't respond to commands that would FORCE a magnetic drive to completely wipe the file.
So if you're in your secret lab and you hear that the evil enemy is an hour away, you just type "rm /*" and wander off to escape. By the time they get there all your data will be completely wiped. On the other hand if they are breaking down the door to your secret lab and you have only seconds left you can't type "shred /home/joeari/secretfile" and expect it to be perma-deleted like you could with a magnetic drive.
They recover deleted sectors more quickly, but can't be forced to do so in a controlled manner.
Re:Well... (Score:4, Insightful)
What wear levelling gives with one hand (performance and life) at the expense of the OS never knowing in which memory cell the data has -actually- been stored; making targeted deletion runreliable..
and, most importantly:
$ cat /dev/urandom >> /dev/ssdX
Just needs to be run once to -really- bollox an investigation..
Re:Why can't they make up their minds (Score:5, Insightful)
The do not completely erase when you hit them with a commercial erase tool because the commercial erase tool does not give the drive a chance to "take a breath". If you hit it with a DOD wipe instead of overwriting old blocks the drive will give you new until it runs out of spares and after that will slowly overwrite some old. At the end some data will remain.
You need to hit it with short write bursts which are alternated by rest periods so that the controller can reorganise the flash especially if you use the TRIM ATA command to mark stuff as "really deleted". As a result the data will be wiped to a standard which no hard drive can achieve.
I can write a perl 10-liner that feeds DD to do that in about half an hour. So any geek can erase one. However the commercial and most importantly certified by banking and govt tools cannot just yet. They definitely will as there is no rocket science here. Until this happens you will hear both sides of the story depending who you talk to.
By the way the same will apply to overlapping recording and drives with flash cache. A "dumb" wipe will not wipe them. At the same time a script any sysadmin can write in his spare time can wipe them so effectively that no forensics can get the data back.
Re:So what's the problem? (Score:5, Insightful)
Well to be fair, that's only part of the problem. Say you're a stupid criminal. You store all your records of your criminal acts on your computer which happens to have an SSD drive. You've never deleted your records of your criminal acts, but just before the police busted through the door you were deleting some old pictures of your cat, Fluffy. So in order to maintain evidence chain of custody, the police immediately turn off you computer and turn it over to a tech. The tech's first two actions should always be the same. He should plug your drive into a a special read only device that will first do an MD5sum or other fingerprint of the whole contents of the drive, and then do a bit for bit copy of the drive.
The idea here is that the police can prove that nothing was done to alter the data present at the time of seizure. Power was removed from the system and the drive was immediately fingerprinted and copied. Assuming the fingerprints match, there should be no question that the copy on which the actual analysis is done is identical to the original drive. The problem is that you were deleting pictures of Fluffy when the Police came in. It's highly likely that as the drive does its self cleaning routine the fingerprint of the data will change. They fingerprint, get a value, but while they're copying the drive self cleans the bits associated with your cat pics. Bam, the copy has a different fingerprint. Now there's reasonable doubt about the usefulness of the evidence you stupidly left unencrypted in your desktop folder.
Now I'm not saying this is a problem, and that they need to modify the design of SSDs. I didn't get the impression that article said that either. What they are saying is "Hey, we need to come up with another way to do this, becasue what we've been doing will no longer stand up in court."
Re:And the downside here is... (Score:4, Insightful)
I think it's about impoliteness when asking favors. Friends help each other: I'm quite ok fixing my non-technical friend's WLAN, just as he's ok with giving me a hand when I'm moving houses. That's the social norm, and thus asking someone for a favor also indicates how you feel about them.
So if you don't like someone, if you would under normal circumstances not want to spend time with them - then you don't ask them for favors. That would be plain rude.
If you don't have an actual friend to provide tech services - just purchase said services.
Re:Why can't they make up their minds (Score:4, Insightful)
On the other hand it won't respond to commands that would FORCE a magnetic drive to completely wipe the file.On the other hand it won't respond to commands that would FORCE a magnetic drive to completely wipe the file.
So why isn't a "wipe everything, including the spares" command part of the SATA standard command set? I can think of many times I'd like to completely erase a drive. Basically, any time I run the equivalent of "fdisk, o" in whatever OS I'm using, I'm explicitly telling the drive, "I value nothing here". That would be a prime time to optionally tell a drive to totally erase itself.
There are even non-security-related reasons for doing this. IIRC, the reiserfs recovery tools would scan a partition to look for data laid out in reiserfs-formatted chunks and undelete them. That's normally exactly what you want. However, suppose you're using reiserfs and running a VM that also uses reiserfs on its virtual disk, which lives inside a file on your main filesystem. The recovery tools would see those structures, too, and merge them back into your directory structure. This is typically disastrous.
When programming in low-level languages, it's nice to know that the only thing in your process's heap is data you've explicitly put there. The same holds true for hard drives. While we're obviously pretty good at keeping the wheat separated from the chaff, it'd be nice if you could guarantee that there was no chaff to start with.
Re:And the downside here is... (Score:2, Insightful)
It's nearly orthogonal. Confidence and power are what counts. Being nice or a jerk, while displaying weakness or impotency, won't get you anywhere. Being a jerk sometimes projects the illusion of strength, true; but it's not necessary. Being nice without being wishy-washy and fawning is best for a long-term relationship.
Re:trim/discard (Score:5, Insightful)