Thursday, July 14, 2016

Why forensics investigators must handle solid-state drives with care

Don't assume that hard-disk forensics tools work the same on solid-state drives.



Do your homework before performing forensics research on a budget-priced solid-state drive—or before trusting such drives to erase your data.

That's the message from Tom Kopchak, a disk encryption expert at Hurricane Labs, which is a managed security provider in Independence, Ohio.

Kopchak said he's done extensive research on the forensic differences between traditional hard-disk drives and modern SSDs. His work is applicable to law enforcement, electronic discovery (the software process used by attorneys to gather digital evidence), and anyone who wants to make sure their "delete" button does what it says.

Kopchak plans to present his full research, "101 Sentient Storage — Do SSDs have a mind of their own?", on Aug. 5, 2016 at the Defcon 24 conference in Las Vegas. "The goal of this study was to demonstrate and quantify differences across a sample pool of drives in an array of tests conducted in a controlled environment. These tests explored the variations between drive firmware, controllers, interfaces, operating systems, and TRIM state," he wrote in the session description. "This presentation will demonstrate these differences and provide a framework to allow forensics investigators to determine the likelihood of successful deleted file recovery from an evidence bearing solid state drive."

Asked to further explain his work, Kopchak told TechRepublic he's long had an interest in this subject but could not find enough existing research. Although it's only partially related to his work at Hurricane Labs, "This is more of something I've been interested in, and it's one of those areas which kind of lack information that I've been able to find," he said. "It seems there's one [paper] every year, year-and-a-half, or two that comes out for this sort of thing.

"There are a pair of incorrect assumptions which are prevalent. First, law enforcement and forensic technicians too often assume that tools made for HDDs will work exactly the same on SSDs. Second, even when people do understand that SSDs behave differently from HDDs, they still assume that all SSDs work the same."

Kopchak also found in his research that pricier, more mature SSDs delete files and leave fewer traces behind than budget models. This is an important consideration for anyone purchasing enterprise drives, he said.

"When you look at something used in an enterprise SAN array for example, fundamentally they'll operate similarly [to hard drives]," he continued. "The work that I did just cracks the surface. It draws attention to investigators needing to be aware of these differences."

As such, black-hat hackers and anyone who is concerned about privacy should probably use a high-end SSD, not a budget model or a traditional hard disk, Kopchak said. The fewer digital trails your computer leaves behind, the harder it is for investigators to recreate your data.
