SSD firmware destroys digital evidence, researchers find

Forensic analysis of drives by investigators now uncertain

By John E Dunn, Techworld | Security, e-discovery

Even more startling is that basic drive isolation 'write blockers' are not guaranteed to perform to high standards against SSDs, the first time this technology has ever been experimentally undermined. The firmware built into many and possibly all of these drives allows them to destroy data simply by being powered on, even when not connected to a PC or under the apparent control of an operating system.

"If the drive is purging data far faster than the analyst can extract it, and the process of purging can begin and continue while the analyst is extracting the data, how can the analyst hope to capture a complete, frozen image of the disk that is representative of the disk state at capture time?" the researchers write.

"A few people in the forensics community had some awareness that something funny was going on with some SSDs, but everyone we've shown this to has been shocked at the extent of the findings," said co-author Graeme Bell by email to Techworld.

As far as SSDs are concerned, the state of the drive cannot be taken to indicate that its owner did or did not interact with it in ways that allow prosecutors to infer guilt or innocence.

"The fact that data has been purged does not mean a human knowingly did it (e.g. accidental guilt). [But] data purging may make a guilty person look innocent (e.g. accidental innocence)," says Bell.

The team warns that as USB sticks grow in capacity, manufacturers could start integrating similar purging technologies into them, duplicating the same problem for a second set of storage media. Bell and Boddington also believe that 'garbage collection' routines will become more aggressive over time as manufacturers start using more powerful firmware, chipsets and larger-capacity drives.

In an 18-point summary of their findings, the pair offer no simple fixes to the problem they are the first to experimentally demonstrate, noting that "there is no simple answer to this problem."

How many SSDs might use 'garbage collection' firmware? According to Bell, probably very few older drives but an increasing number of newer ones.

Previously only published in The Journal of Digital Forensics, Security and Law in December 2010, the full report can now be downloaded from the publication's website.

Paradoxically, only last week researchers in California uncovered a separate but related problem with SSDs, namely that it could be hard to securely wipe data from them in a guaranteed, controlled way.
