
SSD firmware destroys digital evidence, researchers find - J3L2404
http://www.macworld.com/article/158234/2011/03/ssdfirmware.html#lsrc.rss_news
======
rlpb
"Forensic analysis" as it works today on magnetic hard drives is heavily
based on the principles under which this type of drive operates. They take
advantage of the fact that deleting a file does not actually delete a file on
disk, as it is more efficient to simply mark those areas as unused. They are
taking advantage of an optimisation that has been done for decades.

SSDs are completely different. The optimisation no longer works, since flash
memory has no overwrite operation, only a block-erase operation (which is a
slow operation - and the erase blocks are relatively huge). In order to stay
efficient, SSDs _must_ perform background free space management, which
includes erasing unused blocks in advance in order to be ready for new data.

This should be obvious to anyone who understands how flash memory works. SSD
manufacturers have no option here. It's a fundamental side-effect of the
technology.

"Forensic analysis" that depends on an optimisation performed on a system
using a hard drive will no longer work with a different technology that cannot
use that optimisation. They were exploiting something that is not necessarily
going to be possible any more.

If they want a clean equivalent of a "write blocker", they are going to have
to somehow disable the SSD's background management before powering up the
drive. This might not help so much though if the background management has
already erased unused blocks after the user deleted files.

I will accept though that this means that people working in the field will
need to change their procedures.

Summary: forensic analysis only works because of an optimisation that systems
using magnetic hard drives did but systems using SSDs can't. How is this
surprising?

~~~
extension
I wouldn't call it an optimization. Generally, the fastest way to logically
delete data is to just forget that it's there. RAM works the same way, as
would any other medium that doesn't have any special requirements for writing.

Flash is the unusual case since it needs to be "flashed" in bulk before it can
be rewritten.

~~~
rlpb
I think that's just an argument about semantics. You say "fastest". If you
ignore that and just do it the dumb way, then you're deleting data by
overwriting it. Making it "fastest" _is_ the optimisation.

In any case, I still think your point is valid despite disagreeing with you,
and I think it's disappointing that you just received a downmod. I've just
upvoted you back to 1.

~~~
kragen
In NOR Flash, if you overwrite data, the result is the AND (or the OR) of the
old data and the new data; that is, you can write 0 bits, but not 1 bits.
Erasing is a separate and much, much slower process, which is why it's done a
sector at a time instead of a bit at a time.

In NAND flash, overwriting isn't even an option, although I don't understand
why.
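
A toy flash model, added here as an example (it is not code from the thread or the article), that exercises both points made above: rlpb's claim that an SSD must erase unused blocks in the background to stay efficient, and kragen's that a NOR program operation can only clear bits, so an in-place "overwrite" yields old AND new. The two-sector layout, the flash_t type and all function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>
#define SECTOR_SIZE 16
#define NUM_SECTORS 2
/* Hypothetical two-sector NOR flash (constructed for this example). Assumption:
 * programming can only clear bits (1 -> 0), so a cell ends up as old AND new;
 * only a whole-sector erase, the slow operation, sets bits back to 1. */
typedef struct {
    uint8_t cells[NUM_SECTORS * SECTOR_SIZE];
    bool in_use[NUM_SECTORS];                /* file-system allocation flag */
} flash_t;

static void flash_init(flash_t *f) {
    memset(f->cells, 0xFF, sizeof f->cells); /* erased flash reads all 1s */
    memset(f->in_use, 0, sizeof f->in_use);
}
/* Program one byte; returns what the cell holds afterwards (old AND new). */
static uint8_t flash_program(flash_t *f, unsigned addr, uint8_t value) {
    return f->cells[addr] &= value;          /* bits can only go 1 -> 0 */
}
/* Erase is sector-wide: no single bit can be reset to 1 on its own. */
static void flash_erase_sector(flash_t *f, unsigned sector) {
    memset(f->cells + sector * SECTOR_SIZE, 0xFF, SECTOR_SIZE);
    f->in_use[sector] = false;
}
/* File-system write into an erased sector, marking it allocated. */
static void fs_write_sector(flash_t *f, unsigned sector, const char *data, size_t len) {
    for (size_t i = 0; i < len && i < SECTOR_SIZE; i++)
        flash_program(f, sector * SECTOR_SIZE + i, (uint8_t)data[i]);
    f->in_use[sector] = true;
}
/* HDD-style delete: forget the sector is in use; its bytes stay readable. */
static void fs_delete_lazy(flash_t *f, unsigned sector) { f->in_use[sector] = false; }
/* SSD-style background management: erase every sector the file system no
 * longer uses so it is ready for new data; returns how many were erased. */
static unsigned gc_erase_unused(flash_t *f) {
    unsigned n = 0;
    for (unsigned s = 0; s < NUM_SECTORS; s++)
        if (!f->in_use[s]) { flash_erase_sector(f, s); n++; }
    return n;
}
int main(void) {
    flash_t f; flash_init(&f);
    flash_program(&f, 0, 0xA5);              /* then "overwrite" with 0x3C */
    printf("0x3C over 0xA5 stored as 0x%02X\n", flash_program(&f, 0, 0x3C));
    fs_write_sector(&f, 1, "secret", 6); fs_delete_lazy(&f, 1);
    printf("after lazy delete: %.6s\n", (const char *)f.cells + SECTOR_SIZE);
    printf("sectors erased by GC: %u\n", gc_erase_unused(&f));
}
```

The lazy delete leaves "secret" readable in sector 1 exactly as on a magnetic disk; the garbage-collection pass is what makes it unrecoverable, and it also erases the never-allocated sector 0.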

------
meroliph
So I get huge speeds, virtually no i/o wait and when I delete something I can
be sure it's gone forever? The only problem left to solve is huge capacities
for these devices at relatively affordable prices.

~~~
sskates
I'm not so sure about this being a good thing from the user's perspective. The
fact that it's possible to recover deleted data from HDDs has saved people
from grief over years of lost work. Not everyone is smart about backups.

~~~
lutorm
If being able to recover files you accidentally delete and not doing backups
is more important to you than speed, then you are still free to use a hard
drive. I bet the vast majority of people would not make that choice.

------
pluies
Tl;dr: when a user chooses to delete a file on an SSD, it actually gets
deleted. Outrage!

------
kovar
Greetings,

There's some truth in here, and also a lot of hype. Plus ca la change, plus ca
la meme chose. We've been losing digital evidence to technology ever since the
first bit was written to a rotating drum.

And, even more interesting, they're completely ignoring the other side of the
coin - some evidence is very hard to destroy on SSDs.

<http://www.tomshardware.com/news/solid-state-flash-translation-layer-NAND-FAST-11-Sanitization,12252.html>

If you want to securely store and then delete data from SSDs, use encrypted
volumes. Otherwise, don't count on it being unrecoverable.

~~~
pluies
Greetings, non-French comrade! Your quote is a bit off — it reads "the more it
changes it, the more it the same". A better way to write it would be "Plus ça
change, plus c'est la même chose." :) [/language pedantic]

~~~
kovar
Whups, my very rusty French is showing. Thanks!

------
kordless
_"The fact that data has been purged does not mean a human knowingly did it
(e.g. accidental guilt). [But] data purging may make a guilty person look
innocent (e.g. accidental innocence)," says Bell._

That's just the most asinine statement I've ever heard. They might as well
say, "We think you look guilty, and even though we have no idea what you are
doing, or how you are doing it you should come with us now."

~~~
kovar
It isn't asinine at all, at least when considered in light of the
investigative process. "Data was purged" is a fact. Now, you still need to put
that in context, and that context includes hundreds, if not thousands, of
other facts. Only then should LE say "It is time to come with us."

------
lispm
'Deleted data' = 'evidence'?

'Fascism' = 'Peace'?

~~~
kgo
How is this any different than analyzing any other evidence that someone tried
to destroy? Using some infrared or whatever filter to determine what a burnt
document said? Determining that your fireplace has human remains? Does the
acceptance of these techniques indicate we're living in a police state?

~~~
reemrevnivek
It's different because they are not assigning guilt based on forensic analysis
of evidence that someone tried - but failed - to destroy. Instead, they're
assigning guilt because something, which may or may not be evidence, was
destroyed.

It's as if they discovered that you used some documents (now unreadable) which
you'd run through your paper shredder to light a fire, and that you cleaned
out your fireplace after you were done. A clean fireplace? You must be burning
human remains in it!

~~~
kovar
"Facts not in evidence." You're ascribing malice to the judicial system and
making it sound like a conspiracy.

There's a fact - data was destroyed. An investigation may be able to determine
what that data was. Either the human who deleted the data or the firmware can
tell you why.

No guilt.

~~~
bugsy
I delete files all the time and so do you. Describing this normal and routine
occurrence using the nefarious sounding and certainly biased term "destroying
data" is absurd.

~~~
kovar
Greetings,

That is one of the reasons I objected to the article - it uses emotionally
loaded language. We're in agreement there. But continuing in that vein doesn't
advance anyone's knowledge.

------
tlrobinson
I'm not sure I'd use the FUD-inducing "destroy evidence" to describe what's
happening.

~~~
reemrevnivek
I agree. The worst part was this little tidbit:

> As far as SSDs are concerned, the state of the drive cannot be taken to
> indicate that its owner did or did not interact with it in ways that allow
> prosecutors to infer guilt or innocence.

> "The fact that data has been purged does not mean a human knowingly did it
> (e.g. accidental guilt). [But] data purging may make a guilty person look
> innocent (e.g. accidental innocence)," says Bell.

Wait - Prosecutors can infer guilt because I purged my hard drive? Because, of
course, the only thing that I might want to delete personally must be criminal
in nature, and not, say, personal correspondence or confidential information.

This article seems like good news to me. The only bad news that I see is that
the analysts who worked on the article will have more difficult jobs in the
future.

~~~
jemfinch
Huh? You said this:

> Wait - Prosecutors can infer guilt because I purged my hard drive?

Right after quoting this:

> "The fact that data has been purged does not mean a human knowingly did it
> (e.g. accidental guilt).

How did you manage to infer the exact opposite of _what you just quoted_?

------
pnathan
Interesting. There was a paper recently that argues the opposite.

<http://www.usenix.org/events/fast11/tech/full_papers/Wei.pdf>

What's the truth here? Are they arguing at different abstraction layers?

~~~
wmf
The truth is the same in both cases: sometimes "deleted" data is actually
deleted, and sometimes it isn't. The difference is perspective: the user wants
"deleted" data to be deleted and forensics people want it to be preserved.

------
pyre
How long before legislators start drafting up laws to require SSD firmwares to
have commands to turn off the garbage collection?

~~~
lutorm
It's an important issue. We also need to prevent paper from being shreddable
and burnable, to avoid the "paper hole".

------
rbanffy
I strongly suspect that, in the future, SSDs will have to respect a "cooperate
with the police" signal in order to be sold in some places. As for drives that
don't, experts can always disassemble the drive and read the memories
directly. It's not like the flash memories inside them are special (albeit
it's a matter of time - if not already - that smart memory controllers are
built into the chips themselves).

~~~
pyre

> disassemble the drive and read the memories directly

What will this accomplish if the data has actually been erased? Some sort of
low-level analysis to recover erased data? That seems like something that
would only be at the CIA/NSA level, and they probably wouldn't want to tip
their hand just to put a 'common criminal' behind bars.

~~~
rbanffy
> What will this accomplish if the data has actually been erased?

You can, at least, recover files the owner of the disk just erased before
being handcuffed.

It would be trivial to set up a background task that overwrites all free blocks
of the (physical) disk when the drive is idle. Or insert that in the
filesystem driver, to be done when a file is erased. You could even maintain
two write queues, one high-priority for the data you want to keep, one
low-priority for the data you want not to keep.

------
dotBen
This article assumes that having zero forensic footprint left on your storage
device is a bad thing.

I'm still waiting to be convinced of that presupposition.

~~~
46Bit
For you and me, it's a good thing. But, for the same reasons that the
government never gives its support to encrypting all web traffic, it's bad
for when they want to pin charges on you. My ideal storage has some sort of
wipe-from-a-jail-cell-when-drive-is-unplugged functionality. I'm not a
criminal, I just don't like to think of my life being open for perusal by any
prosecutor/judge/jury.

------
bugsy
So it has the potential of preserving your privacy, and macworld spins that
into a story that it is bad because what if the state wants to violate that
privacy; well, it might not be as easy as they would hope, and that is a bad
thing. It's very interesting that only one perspective is presented in these
sorts of articles; it smacks of placement as part of an anti-freedom
propaganda campaign orchestrated by governmental interests. Frame the debate
not as privacy violation, but as terrorists getting away with something.

------
jrockway
It's odd to trust a drive's controller and firmware, anyway. How do you prove
that the firmware isn't buggy or intentionally tampered with?

The solution is to open up the drive, take out the flash, and attach it to
your own controller that isn't going to randomly erase stuff.

------
extension
The write blocking issue could be solved if manufacturers added a read-only
jumper to their devices.

~~~
kovar
What is the incentive to the manufacturer to do so? There are some specialty
devices, mostly for law enforcement, that are essentially WORM SD cards.
Evidence, a photograph most often, is written to it but cannot be modified.
These command a serious premium.

Write blockers are pretty common, and not too expensive. The major issue is
that write blockers lag behind drive technology. Not sure how we'll write block
the first Thunderbolt hard drives other than through software.

~~~
tesseract
A "Thunderbolt hard drive" is a SATA hard drive plugged into a Thunderbolt
interface card.

~~~
kovar
And an eSATA hard drive was often a PATA drive with an eSATA interface.

However, clients don't often like you cracking the case to get at the base
interface.

------
TwoBit
Somebody ought to make an SSD that promises to wipe data ASAP and use that as
a selling point.

------
kmfrk
More on the effect of erasing SSDs:
<http://www.storagenewsletter.com/news/flash/reliably-erasing-ssds>

------
goombastic
Wonderful!

