Digital Forensics:Why SSD Drives Destroy Court Evidence
Why SSD Drives Destroy Court Evidence, and What Can Be Done About It.Q3 2012: State of the art in SSD forensics By Yuri Gubanov
Abstract
Solid State drives (SSD) introduced dramatic changes to the principles of computer forensics. Forensic acquisition of computers equipped with SSD storage is very different of how we used to acquire PCs using traditional magnetic media. Instead of predictable and highly possible recovery of information the suspect attempted to destroy, we are entering the muddy waters of stochastic forensics where nothing can be assumed as a given.
 |
| SSD |
Stochastic Forensics
The way today's SSD drives operate allows little space for positive assumptions. With SSD drives, the only thing we can assume is that an investigator can access existing information stored on the disk. Deleted files and data the suspect attempted to destroy (by e.g. formatting the disk - even in "Quick Format" mode) may be lost forever in a matter of minutes [1]. And even if the computer is powered off immediately after a destructive command has been issued (e.g. in a few minutes after the Quick Format), there is no easy way to prevent the disk from destroying the data once the power is back on. The situation is somewhat of a paradox, reminding of Schrödinger's cat: one will never know if the cat is alive before opening the box [2].
Schrödinger's cat, image from Wikipedia
The golden age of forensics is going to end. "Given the pace of development in SSD memory and controller technology, and the increasingly proliferation of manufacturers, drives, and firmware versions, it will probably never be possible to remove or narrow this new grey area within the forensic and legal domain," the scientists, from Australia's Murdoch University, wrote. "It seems possible that the golden age for forensic recovery and analysis of deleted data and deleted metadata may now be ending." [1]
TRIM: Myths and Reality
A common misconception is that discarded blocks of an SSD drive are immediately erased. This is not usually the case. Instead, the way the TRIM command operates is considering the contents of discarded blocks as indeterminate (the "don't care" state) until the moment these blocks are physically erased by a separate background process, the garbage collector. In other words, the TRIM command does not erase the content of discarded blocks by itself. Instead, it adds them to a queue of pending blocks for being cleared by the garbage collector. |
| TRIM, image from http://www.corsair.com/us/blog/how-to-check-that-trim-is-active/ |
https://belkasoft.com/why-ssd-destroy-court-evidence
Download Link1 by Yuri Gubanov
หมายเหตุ:เนื้อหาในเว็บไซต์นี้มีขึ้นเพื่อวัตถุประสงค์ในการให้ข้อมูลและเพื่อการศึกษาเท่านั้น
* หากมีข้อมูลข้อผิดพลาดประการใด ขออภัยมา ณ ที่นี้ด้วย รบกวนแจ้ง Admin เพื่อแก้ไขต่อไป
ขอบคุณครับ
#WindowsForensic #ComputerForensics #dfir #forensics #digitalforensics #computerforensic #investigation #cybercrime #fraud
