
Why SSD Drives Destroy Court Evidence, and What Can Be Done About It (2012) - computator
http://forensic.belkasoft.com/en/why-ssd-destroy-court-evidence
======
computator
The two most interesting insights I got from this article are that:

(1) SSDs are good for privacy for _average_ users since they are cleaning up
dirty blocks in the background.

However, IMO, for privacy-conscious users who are running a daily free-space wipe,
a conventional hard disk is superior because it guarantees that all dirty
blocks are erased. A free-space wipe on an SSD can't guarantee that reserved
or remapped blocks get erased.

(2) He says, "_Somewhat counter-intuitively, information deleted from certain
types of encrypted volumes (some configurations of BitLocker, TrueCrypt, PGP
and other containers) may be easier to recover ... if the investigator knows
either the original password or binary decryption keys for the volume_".

If you delete a file in your encrypted volume (but don't do a free-space wipe
inside your encrypted volume), then someone who knows your key could
potentially recover that file. But that's always been true -- it's true for
both SSD and conventional drives.

What I think the author is saying is that someone who uses an encrypted volume
doesn't benefit from the SSD's cleaning of dirty blocks in the background
because the entire encrypted volume looks like it's in use to the SSD
controller.

But I don't see how he concludes that it's "easier". You lose the benefit of
the SSD's garbage collection, but to recover a deleted file from inside an
encrypted volume (assuming you have the user's key) is neither easier nor more
difficult with an SSD vs. a conventional disk.

~~~
sigterm
> A free-space wipe on an SSD can't guarantee that reserved or remapped blocks
> get erased.

I think most controllers implement a secure erase feature that guarantees the
data have been erased from NAND.

> the entire encrypted volume looks like it's in use to the SSD controller

I have always wondered how encrypted volumes worked on an SSD. It seems this
will lead to serious performance issues due to ineffective garbage collection.

~~~
computator
> _most controllers implement a secure erase_

Yes, a secure erase of the _entire_ disk. That does not help with erasing the
free space (a free-space wipe). Erasing the free space can't be done purely at
the controller level since the controller can't tell which blocks are free and
which used.

~~~
jcromartie
But you _can_ image the logical filesystem on the SSD, do the free-space wipe,
and then restore the image to the wiped SSD. If you could find a way to
automate on a Mac with FileVault then you'd be popular.

~~~
JulianMorrison
Don't even image it, tar it up. That way you get defragmentation too.

------
j4kp07
Misleading title.

Newer technology has no inherent responsibility to live by old forensic
standards of past generations. A Solid State Drive (not, Solid State Drive
Drive) does not "destroy" court evidence. Firstly, show me the court record
where the data was first introduced. Secondly, look up the legal terms for
destroying court records/evidence then explain to me how this scenario
applies.

Yes, I'm splitting hairs, but so does your title.

~~~
wil421
> A Solid State Drive (not, Solid State Drive Drive) does not "destroy" court
> evidence.

This struck me also. The author was writing as if the newer devices should be
the same as older HDs. IMHO destroying potential court evidence is a good
thing for the user. Sort of like a 5th amendment drive.

------
warmfuzzykitten
I would think that feature is an added benefit and nothing should be done
about it except ensure TRIM is enabled and active. We should not be running
our private lives with a goal of assisting lawsuits and prosecution,
particularly actions against ourselves.

~~~
Sanddancer
Spoliation of evidence is one of those things that courts really, really
dislike. If you're found to have intentionally destroyed evidence, the court
can give instructions to the jury essentially saying to assume any destroyed
evidence was showing guilt.

~~~
Spooky23
If you have a routine practice of erasing things, you're fine. It's not an
issue to erase your hard disks, or shred your paper documents.

But it is problematic when you do so when there is a reasonable expectation of
litigation.

------
pwnna
Are there any chances that governments could compel SSD manufacturers to
introduce artificial backdoors allowing for data recovery?

Or is that a certainty?

I see that being pretty difficult as you would need to have 2x the storage in
an SSD without being easily detected by anyone taking it apart.

~~~
autokad
I would be shocked if they did not already have a back door in place.

~~~
malandrew
But they could never use such a technique against a savvy tech user who knows
that the erase command deletes the internal encryption key on an SSD. Using
the technique in any court case would be tantamount to publicizing it and
destroying the reputation of the hard drive manufacturer in question, as
everyone would know a back door exists in their devices.

~~~
Canada
Never say never.

There would always be doubt, and some kind of parallel construction would
surely be used to protect the secret technique.

I could see it being used in hundreds of cases per year for a decade before
anyone could prove anything. Just like ubiquitous internet surveillance. And
even when irrefutable proof surfaces, the very same people who staunchly said
"that could never happen" will say "of course, how could you even be
surprised?"

------
_mgr
For anyone that's interested -
[http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1124&contex...](http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1124&context=adf)

The above is a terrible write-up of my undergrad research project /
dissertation.

~~~
computator
> above is a terrible write-up

To clarify, do you mean that the OP (the Belkasoft article) is a terrible
write-up of your work, or that the link you provided (of which you're a co-
author?) is a terrible write-up?

~~~
_mgr
The link I provided, of which I am a co-author. Technically I didn't write the
paper though.

------
sbierwagen
Interesting that this is essentially a fight between two arms of the
government: spooks, who want to delete information forever, and cops, who
never want any information deleted at all.

~~~
jlarocco
Actually, most computer forensics has nothing to do with the government.

My girlfriend does it for a large company, and almost all of it is relatively
boring stuff, like recovering email and documents when they get sued and
loading it into Clearwell or EnCase for the attorneys to review.

~~~
newaccountfool
I'm currently doing a Degree in Digital Forensics, would you mind me asking
what your girlfriend's salary is like?

~~~
sirdogealot
I really wish we could do away with the formalities involved when asking "what
do you make?".

It just seems so ancient. I have no problem telling anybody my average income
and exactly what it is I do.

It's not like the servant is asking the king how much he makes anymore. We're
all pretty much the same monetarily these days.

~~~
aunty_helen
I used to think this too, I was quite open about how well I was doing and how
much I made.

Now not so much. I've seen what it does to people. They turn against you.

Some of my friends make half of what I do but they hang out with me and think
of me as their equal. So why is it that I make so much more??? This is the
question that they cannot answer for themselves and it makes them bitter.
Shit, I've even had it from my own parents.

The human mind has a hard time putting itself in the position of others. Do
yourself a favour, tell people but observe how their attitudes change. You
aren't going to follow my advice until you've seen it for yourself anyway.

~~~
zo1
_"This is the question that they cannot answer for themselves and it makes
them bitter."_ They can answer it, they just don't want to because they know
it would make them feel uncomfortable. Facing one's own flaws and self-
perceived failings is a difficult task.

~~~
gclaramunt
OTOH, it's not enjoyable making your friends uncomfortable...

~~~
zo1
If internet porn has taught me anything, it's that no matter what it is, or
how weird it may be, someone out there gets off watching/doing it.

------
random_number
Hi,

I'm the author of the first reference cited by this article, and the coiner of
the term 'self-corrosion' for this phenomenon. First of all, thank you to the
author of the headline article for their interesting article and for citing
our research.

I'd say our main findings were a little bit different to what is described in
the article, though I'd agree with most of what was written there.

We discovered that SSD drives can wipe themselves (with their own GC) even in
the absence of TRIM commands and despite the use of forensic write-blockers
that block both writes and trims being sent on the ATA/SATA bus. To my mind,
that's what is really shocking - you get this phenomenon even when the very
best forensic tools are used and even on OS's that aren't using TRIM. (My
coauthor was a professional forensic investigator armed with professional
equipment).

For example, imagine if you had some data on your disk that was fragmented all
over the disk. If the disk has a garbage collector that wants to consolidate
flash sectors so it can erase the leftover space after consolidation (e.g. to
improve performance), then you're going to get deleted data being purged
without any TRIM command being involved after the consolidate/erase operation.

If I remember right (it's been a few years), some firmwares also detect fast-
formatting operations in OS's that don't support TRIM and use that as a clue
to trigger automatic GC. That was the really stunning one for us. A fast
format by the user led to the disk wiping itself just minutes later under
forensic conditions.

Of course this sounds great for privacy, self-wiping and so on, but the
problem is that it could look like this accidental wiping was an intentional
attempt to destroy evidence (e.g. manual wipe, logic bomb or something).
That's where things get tricky.

It looks like the link isn't working, here's a working link:

[http://graemebell.net/publications//upload/bellbodd2010-prep...](http://graemebell.net/publications//upload/bellbodd2010-preprint.pdf)

or

[http://researchrepository.murdoch.edu.au/3714/1/solid_state_...](http://researchrepository.murdoch.edu.au/3714/1/solid_state_drives.pdf)

That paper was written for any educated person to understand, not just
forensic experts, so I hope you enjoy it if you do take a look. We talk about
both the technical and legal side of things in the paper.

Thanks for reading, and I'll check in on this comment later in case anyone has
questions.
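
The consolidate-and-erase behaviour described in the comment above, as an added toy model that is not part of the original thread or the cited paper. `ToyFTL` and its method names are hypothetical, it covers only superseded (overwritten) pages, and it does not reproduce any vendor's firmware:

```python
# Toy flash translation layer (FTL): a constructed model, not vendor firmware.
PAGES_PER_BLOCK = 4

class ToyFTL:
    def __init__(self, blocks):
        self.nand = [[None] * PAGES_PER_BLOCK for _ in range(blocks)]  # None = erased
        self.l2p = {}       # logical sector -> (block, page) holding current data
        self.stale = set()  # physical pages holding superseded data

    def _erased_page(self, skip=None):
        for b, block in enumerate(self.nand):
            for p, data in enumerate(block):
                if b != skip and data is None:
                    return b, p
        raise RuntimeError("no erased page available")

    def write(self, lba, data, skip=None):
        # NAND has no in-place overwrite: the old physical copy is only marked stale.
        if lba in self.l2p:
            self.stale.add(self.l2p[lba])
        b, p = self._erased_page(skip)
        self.nand[b][p] = data
        self.l2p[lba] = (b, p)

    def read(self, lba):  # what the host (or an imager behind a write blocker) sees
        b, p = self.l2p[lba]
        return self.nand[b][p]

    def raw_dump(self):   # what a direct read of the flash chips would see
        return [d for block in self.nand for d in block if d is not None]

    def gc(self):
        # Controller-internal: no host write or TRIM command is involved.
        erased = 0
        for b in range(len(self.nand)):
            if not any(loc[0] == b for loc in self.stale):
                continue
            for lba, (lb, lp) in list(self.l2p.items()):
                if lb == b:  # relocate live pages out of the victim block
                    self.write(lba, self.nand[lb][lp], skip=b)
            self.nand[b] = [None] * PAGES_PER_BLOCK  # block erase purges stale pages
            self.stale = {loc for loc in self.stale if loc[0] != b}
            erased += 1
        return erased

def demo():
    ftl = ToyFTL(blocks=3)
    for lba in range(4):
        ftl.write(lba, f"v1-{lba}")   # constructed sample data
    ftl.write(1, "v2-1"); ftl.write(2, "v2-2")
    before = ftl.raw_dump()           # old versions still physically present
    erased = ftl.gc()                 # drive tidies itself while idle
    return before, erased, ftl.raw_dump(), [ftl.read(i) for i in range(4)]
```
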

~~~
wmf
I strongly suspect what you saw in this paper was Samsung's[1] auto-trim
(people often use inaccurate terms like "idle garbage collection") that reads
the NTFS allocation bitmap and trims free space, a feature that was only
included on a few SSDs because it is a potentially unsafe rampant layering
violation. In the history of SSDs, almost none have auto-trim, so the results
from this paper are highly non-representative of SSDs in general.

[1] Note that the Corsair SSD used in this paper is rebranded from Samsung.

~~~
random_number
"I strongly suspect what you saw in this paper was Samsung's[1] auto-trim"

Yes, that was the reason for picking that drive (the research budget for the
project was a mere $500!), since I was pretty confident the effect might show
up from it.

However, it was a lucky guess that it would show up in the presence of a write
blocker and in the time frame of a forensic investigation (normally the first
thing that happens is they quickly copy the disk), since those are unusual
constraints.

I think I prefer to call the technology the same as the manufacturer's name:
idle garbage collection - since TRIM has a clear meaning in this context, and
the drive is not automatically generating TRIM commands and it doesn't behave
exactly as though the O/S had issued them either (e.g. most but not all gets
wiped). Hope we can agree to disagree on that one!

Thanks for your comment

~~~
wmf
My problem with the terminology is that garbage collection already has a well-
defined but different meaning in SSDs.

------
stcredzero
SSDs are _very different_ from spinning platters. Instead of creating
complicated devices that try to mimic spinning platters, why not have a
different storage model entirely?

~~~
wmf
Yeah, why _not_ rewrite every filesystem?

But there is
[http://www.fusionio.com/blog/under-the-hood-of-the-iomemory-...](http://www.fusionio.com/blog/under-the-hood-of-the-iomemory-sdk)

~~~
stcredzero
_Yeah, why not rewrite every filesystem?_

Just write one new one. Or use ioMemory. I don't understand that one well
enough to decide yet.

------
kabdib
Didn't mention read disturbance. MLC and TLC flash (esp. the latter) have
semi-destructive reads, so that you need to re-write a block after several
thousand reads as well as on any write.

So you can't treat a drive as a ROM, even if you disabled physical writes
somehow. Of course, you _probably_ have enough read cycles available to do
quite a few full scans of a drive...

------
TrainedMonkey
"Modern SSD drives employ smart wear leveling techniques [3] that, instead of
re-using existing blocks of memory, will write to a different block when data
stored in a certain block is being modified."

Can this behavior be exploited to enable a hardware based file versioning
system? For example, SSD explicitly exposes to OS, where new blocks are
written and which blocks they are overwriting. This would allow FS to cheaply
track multiple versions of files. When a portion of a file is overwritten with
some new change, this version is discarded and SSD is instructed that rest of
blocks that were storing changes for that version of the file are expendable
as well. Depending on SSD capacity and usage, a simple algorithm of
overwriting oldest block first, would provide several versions for each
changed file virtually for free.

~~~
computer
What you're describing is basically copy-on-write:
[https://en.wikipedia.org/wiki/Copy_on_write](https://en.wikipedia.org/wiki/Copy_on_write),
which is a part of most modern filesystems (ZFS, BTRFS, etc). That makes it
software-based, but the idea is the same: you can easily make snapshots, roll
back to previous versions, etc.

------
pmorici
I'm confused why they went to the trouble of building a custom FPGA setup, you
can just buy a Universal chip programmer that can read the contents of flash
for around $1,000. The article also doesn't address the fact that many SSD
drives encrypt data before writing it to the flash which makes this approach
impossible.

[http://www.dataman.com/](http://www.dataman.com/)

------
sean-duffy
"SSD Drives" - Solid-State Drive Drives?

~~~
54mf
Solid State _Disk_ Drives. :)

~~~
TheSpiceIsLife
There are no 'disks' in an SSD

