"Forensic analysis" as it works today on magnetic hard drives works is heavily based on the principles under which these type of drives operate. They take advantage of the fact that deleting a file does not actually delete a file on disk, as it is more efficient to simply mark those areas as unused. They are taking advantage of an optimisation that has been done for decades.
SSDs are completely different. The optimisation no longer works, since flash memory has no overwrite operation, only a block-erase operation (which is a slow operation - and the erase blocks are relatively huge). In order to stay efficient, SSDs must perform background free space management, which includes erasing unused blocks in advance in order to be ready for new data.
This should be obvious to anyone who understands how flash memory works. SSD manufacturers have no option here. It's a fundamental side-effect of the technology.
"Forensic analysis" that depends on an optimisation performed on a system using a hard drive will no longer work with a different technology that cannot use that optimisation. They were exploiting something that is not necessarily going to be possible any more.
If they want a clean equivalent of a "write blocker", they are going to have to somehow disable the SSD's background management before powering up the drive. This might not help so much though if the background management has already erased unused blocks after the user deleted files.
I will accept though that this means that people working in the field will need to change their procedures.
Summary: forensic analysis only works because of an optimisation that systems using magnetic hard drives did but systems using SSDs can't. How is this surprising?
It also means that the courts will need to accept that the image taken of an SSD will not match a second image. The courts, and the computer forensics community, had a hard time accepting collecting RAM but that's now a pretty standard part of the process. It will be easy to extend RAM analysis procedures to SSDs.
What is this about collecting RAM? Are you saying that if someone's office gets audited for compliance, they'll power off their machines, freeze-spray their DIMMs, extract them, and put them into a DIMM reader to image the RAM contents?
When collecting evidence from computers, the policy used to be "power it down, and do dead-drive forensics". Over the last few years, this has shifted to "grab RAM and only then consider powering it down."
Memory contains all sorts of potential evidence, from encryption keys to malware to passwords. Failing to collect this information can significantly hamper or even kill an investigation.
The research into freezing and then extracting RAM contents was interesting, but not terribly practical.
I wouldn't call it an optimization. Generally, the fastest way to logically delete data is to just forget that it's there. RAM works the same way, as would any other medium that doesn't have any special requirements for writing.
Flash is the unusual case since it needs to be "flashed" in bulk before it can be rewritten.
> Generally, the fastest way to logically delete data is to just forget that it's there. RAM works the same way, as would any other medium that doesn't have any special requirements for writing.
Many media have special requirements for writing. It's true that DRAM and SRAM don't have a separate "erased" state, and neither do fuse PROM, core memory, Williams tubes, acoustic delay lines, or magnetic disk and tape.
But CD-R, Flash, CD-RW, rewritable magneto-optical disks, two-photon storage, and some other memory types have a distinct "erased" state; in some cases, you can't even return to that state. I'm not sure about MRAM, FeRAM, PRAM, and hypothetical memristive memories.
The reason for erasing data is generally to free up space so new data can be written.
Whether this erase procedure happens immediately upon the user's request to delete the information or whether it's added to a queue of areas to erase (the "purging routines" or "garbage collection" mentioned in the article) is a small detail. A modern OS will return control to the user immediately upon issuing the command, and all that matters to the end user is that the erase command is issued before the next write. A firmware
I seriously hope that these researchers aren't advocating a mandate that states that the erase procedure cannot be issued until a write is requested to that space.
I think that's just an argument about semantics. You say "fastest". If you ignore that and just do it the dumb way, then you're deleting data by overwriting it. Making it "fastest" is the optimisation.
In any case, I still think your point is valid despite disagreeing with you, and I think it's disappointing that you just received a downmod. I've just upvoted you back to 1.
In NOR Flash, if you overwrite data, the result is the AND (or the OR) of the old data and the new data; that is, you can write 0 bits, but not 1 bits. Erasing is a separate and much, much slower process, which is why it's done a sector at a time instead of a bit at a time.
In NAND flash, overwriting isn't even an option, although I don't understand why.
So I get huge speeds, virtually no i/o wait and when I delete something I can be sure it's gone forever? The only problem left to solve is huge capacities for these devices at relatively affordable prices.
My read is that the devices are still unfamiliar to investigators. I bet it's just a matter of time before someone starts figuring out how to read blocks that are waiting to be actually erased (which is a time consuming and energy-intensive operation for SLC flash, and sometimes deferred) on particular popular devices. Of course, it's going to be unfamiliar to those who have been working closely with HDDs at a low level for years.
tl;dr - That's just security by obscurity. Someone will figure out how to read unerased data. (That said, those blocks eventually will be erased and recycled, it's just a matter of when.)
The whole (rather breathless) point of the article is that SSDs erases the blocks quite rapidly. It isn't that the old blocks are still laying around but the researchers did not know how to access them, it is that (a) they are erased rapidly under normal conditions and (b) they are erased even when they researchers used a "write blocker" mechanism[1]. IOW, they (the article's author, anyway) were apparently surprised to find that the SDD garbage collected autonomously and regardless of the "write blocker" mechanism).
The (a) case is likely OSes using the "trim" command and the (b) cases are inherent in how SSD firmware works (by necessity). WRT the (b) case, SSDs have to garbage collect. Their write speed, and thus user satisfaction, is dependent on it keeping a large number of erased blocks ready to be written to.
Obviously, there is no reasonable way for a SDD to even know that a "write blocker" is attached, so it is not surprising (to me) that the SDD garbage collects with it attached.
The whole (rather breathless) point of the article is that SSDs erases the blocks quite rapidly.
Yes, so the proper way to analyse an SSD is to just access what's in the flash chips directly. Such methods and equipment will probably need to be developed specifically for each SSD controller chipset. Also, investigators will need to get to an SSD sooner.
If you're wiping the entire drive and the firmware isn't buggy, you should be ok - but being sure that single file(s) are actually deleted is not likely.
They are not incompatible messages at all. This article says that SSDs delete stuff fast; the other says you can't reliably delete particular things. Basically, they're unpredictable. You can't reliably expect a particular file to be purged, and investigators can't expect data to stick around. So it might stick around, it might not, and no one has direct control.
I'm not so sure about this being a good thing from the user's perspective. The fact that it's possible to recover deleted data from HDDs has saved people from grief over years of lost work. Not everyone is smart about backups.
If being able to recover files you accidentally delete and not doing backups is more important to you than speed, then you are still free to use a hard drive. I bet the vast majority of people would not make that choice.
Forensic analysis of your hard drive for forgotten but not erased data is not an acceptable backup policy.
Many people (both criminals and victims of criminals) have also been burned by thinking that data they thought they deleted was recoverable in this way.
There's some truth in here, and also a lot of hype. Plus ca la change, plus ca la meme chose. We've been losing digital evidence to technology ever since the first bit was written to a rotating drum.
And, even more interesting, they're completely ignoring the other side of the coin - some evidence is very hard to destroy on SSDs.
Greetings, non-French comrade! Your quote is a bit off — it reads "the more it changes it, the more it the same". A better way to write it would be "Plus ça change, plus c'est la même chose." :) [/language pedantic]
"The fact that data has been purged does not mean a human knowingly did it (e.g. accidental guilt). [But] data purging may make a guilty person look innocent (e.g. accidental innocence)," says Bell.
That's just the most asinine statement I've ever heard. They might as well say, "We think you look guilty, and even though we have no idea what you are doing, or how you are doing it you should come with us now."
It isn't asinine at all, at least when considered in light of the investigative process. "Data was purged" is a fact. Now, you still need to put that in context, and that context includes hundreds, if not thousands, of other facts. Only then should LE say "It is time to come with us."
It's unfortunate that innocent targets of the police will now go free. I'm sure prosecutors everywhere are lamenting the fact that they can't pad their stats by putting innocent people in jail on flimsy evidence, such as the 'guilt' associated with ensuring your hard drive is clean, encrypted, and generally unavailable for police inspection.
No guilt should be associated with affirming your rights to be secure against unreasonable search and seizure.
> As far as SSDs are concerned, the state of the drive cannot be taken to indicate that its owner did or did not interact with it in ways that allow prosecutors to infer guilt or innocence.
> "The fact that data has been purged does not mean a human knowingly did it (e.g. accidental guilt). [But] data purging may make a guilty person look innocent (e.g. accidental innocence)," says Bell.
Wait - Prosecutors can infer guilt because I purged my hard drive? Because, of course, the only thing that I might want to delete personally must be criminal in nature, and not, say, personal correspondence or confidential information.
This article seems like good news to me. The only bad news that I see is that the analysts who worked on the article will have more difficult jobs in the future.
How is this any different than analyzing any other evidence that someone tried to destroy? Using some infrared or whatever filter do determine what a burnt document said? Determining that your fireplace has human remains? Does the acceptance of these techniques indicate we're living in a police state?
It's different because they are not assigning guilt based on forensic analysis of evidence that someone tried - but failed - to destroy. Instead, they're assigning guilt because something, which may or may not be evidence, was destroyed.
It's as if they discovered that you used some documents (now unreadable) which you'd run through your paper shredder to light a fire, and that you cleaned out your fireplace after you were done. A clean fireplace? You must be burning human remains in it!
"Facts not in evidence." You're ascribing malice to the judicial system and making it sound like a conspiracy.
There's a fact - data was destroyed. An investigation may be able to determine what that data was. Either the human who deleted the data or the firmware can tell you why.
I delete files all the time and so do you. Describing this normal and routine occurrence using the nefarious sounding and certainly biased term "destroying data" is absurd.
That is one of the reasons I objected to the article - it uses emotionally loaded language. We're in agreement there. But continuing in that vein doesn't advance anyone's knowledge.
The truth is the same in both cases: sometimes "deleted" data is actually deleted, and sometimes it isn't. The difference is perspective: the user wants "deleted" data to be deleted and forensics people want it to be preserved.
Both. Yes, they're arguing from different positions.
With a magnetic disk it's straightforward to force data be overwritten at a physical level. With an SSD it is less straightforward and it may not be possible to ensure that the data from a particular file has been erased.
So from the perspective of a diligent user an SSD is riskier than an HD.
However, typical usage of a hard-drive will leave a significant amount of "deleted" data still on the drive, except for unusual circumstances (such as subsequently using the drive to near capacity). While typical usage of an SSD will tend to erase most data fairly soon after it has been "deleted".
So from the perspective of a non-diligent user an HD is riskier than an SSD.
I strongly suspect that, in the future, SSDs will have to respect a "cooperate with the police" signal in order to be sold in some places. As for drives that don't, experts can always disassemble the drive and read the memories directly. It's not like the flash memories inside them are special (albeit it's a matter of time - if not already - that smart memory controllers are built into the chips themselves).
> disassemble the drive and read the memories directly
What will this accomplish if the data has actually been erased? Some sort of low-level analysis to recover erased data? That seems like something that would only be at the CIA/NSA level, and they probably wouldn't want to tip their hand just to put a 'common criminal' behind bars.
> What will this accomplish if the data has actually been erased?
You can, at least, recover files the owner of the disk just erased before being handcuffed.
It would be trivial to setup a background task that overwrites all free blocks of the (physical) disk when the drive is idle. Or insert that in the filesystem driver, to be done when a file is erased. You could even maintain two write queues, one high-priority for the data you want to keep, one low-priority for the data you want not to keep.
For you and me, it's a good thing. But, for the same reasons that the government never gives it's support to encrypting all web traffic, it's bad for when they want to pin charges on you. My ideal storage has some sort of wipe-from-a-jail-cell-when-drive-is-unplugged functionality. I'm not a criminal, I just don't like to think of my life being open for perusal by any prosecutor/judge/jury.
So it has the potential of preserving your privacy and macworld spins that into a story that it is bad because what if the state wants to violate that privacy, well it might not be as easy as they would hope and that is a bad thing. It's very interesting that only one perspective is presented in these sorts of articles, it smacks of placement as part of an anti-freedom propaganda campaign orchestrated by governmental interests. Frame the debate not as privacy violation, but of terrorists getting away with something.
What is the incentive to the manufacturer to do so? There are some specialty devices, mostly for law enforcement, that are essentially WORM SD cards. Evidence, a photograph most often, is written to it but cannot be modified. These command a serious premium.
Write blockers are pretty common, and not too expensive. The major issue is that writeblockers lag behind drive technology. Not sure how we'll write block the first Thunderbolt hard drives other than through software.
SSDs are completely different. The optimisation no longer works, since flash memory has no overwrite operation, only a block-erase operation (which is a slow operation - and the erase blocks are relatively huge). In order to stay efficient, SSDs must perform background free space management, which includes erasing unused blocks in advance in order to be ready for new data.
This should be obvious to anyone who understands how flash memory works. SSD manufacturers have no option here. It's a fundamental side-effect of the technology.
"Forensic analysis" that depends on an optimisation performed on a system using a hard drive will no longer work with a different technology that cannot use that optimisation. They were exploiting something that is not necessarily going to be possible any more.
If they want a clean equivalent of a "write blocker", they are going to have to somehow disable the SSD's background management before powering up the drive. This might not help so much though if the background management has already erased unused blocks after the user deleted files.
I will accept though that this means that people working in the field will need to change their procedures.
Summary: forensic analysis only works because of an optimisation that systems using magnetic hard drives did but systems using SSDs can't. How is this surprising?