The SSD dilemma - SANS Internet Storm Center

The SSD dilemma
As early as 15 years ago, when memory sticks and SD cards started to become more and more prevalent, forensic researchers began looking into how evidence can be recovered from such storage media. Due to features like "wear leveling" and garbage collection, which automatically re-arrange content on the storage media even without instruction by the host computer, the consensus was that it is very difficult to make true forensic bit-level copies of flash storage media, and that it is even harder to obtain reliable copies of "unallocated space". Since then, both the size and usage of solid state disks (SSD) have grown significantly. Laptops and tablets are today often sold with SSD storage by default, and do no longer contain any spinning disk drives. Recent research shows the full dilemma that this rapid adoption brought with it: In an outstanding paper, Graeme Bell and Richard Boddington show the effects of what they call "self-corrosion": how simply applying power to a SSD disk or memory stick can be sufficient for the on-board micro controller to start re-arranging and zeroing out storage sectors, and how this affects evidence preservation and recovery of deleted files. If you are pressed for time, scroll to chapter 6 on page 12, and just read their "Recommendations and Guidance". An equally interesting paper by researchers from UCSD shows the other angle of the same problem: How difficult it is to reliably erase content from SSD drives. The authors show that software used to wipe single files mostly does not work at all with SSDs, and that traditional software used to wipe entire drives often does not reliably erase the SSD media, either. Conclusions: If you are into forensics and evidence preservation, keep track of and familiarize yourself with all the types of SSD media in use in your company, and how they behave during forensic acquisition, before you actually need to do so in earnest on a real case. If your company is still using the "wipe and re-use" processes developed for magnetic disks also for SSD media, update your procedures to include instructions for SSD media. Since the UCSD paper quoted above shows quite dismal results even when using the built-in "Secure Erase" command of the SSD device, you might have to come up with a combination of several erasing methods to more reliably scrub the disk. The best solution today is to deploy full disk encryption (TrueCrypt, etc) to portable devices with SSD media, because this addresses several risks (loss/theft/inability to wipe) in one swoop. If you have pointers to recent research or suggestions on how to deal with forensic acquisition or secure wiping of SSD media, please let us know or comment below.	Daniel 385 Posts ISC Handler Sep 29th 2011
Thread locked Subscribe	Sep 29th 2011 1 decade ago
There is a typo in the hyperlink for the "outstanding paper".	Hal 50 Posts
Quote	Sep 29th 2011 1 decade ago
I see one potential exception to the forensics discussion that might apply to many corporate people. I would be very curious to see how software-based full disk encryption affects things. Theoretically, software-based full disk encryption would prevent introspective algorithms running on the SSD that parse NTFS data structures from seeing those data structures and thus from initiating pre-emptive wiping. It sounds like Bit Locker under Windows 7 supports TRIM (see http://blogs.msdn.com/b/e7/archive/2009/05/05/support-and-q-a-for-solid-state-drives-and.aspx), but it is possible that alternative software-based full disk encryption products (i.e. McAfee FDE, Checkpoint Pointsec, etc.) don't issue TRIM commands, and thus would permit traditional forensics in conjunction with a recovery key if the partition were intact. This might permit corporate scenarios (where the disk is recovered intact and a recovery key is present and the software-based full disk encryption product in question doesn't support TRIM) to proceed in a similar manner to forensics on HDDs.	Anonymous
Quote	Sep 29th 2011 1 decade ago
From my experience with OCZ Vertex 2 and Intel 320/510, the secure erase tool deletes the controller AES key. Therefore all the data on the SSD is USELESS. This is as good as using TrueCrypt when it comes to re-using a SSD inside the company.	Anonymous
Quote	Sep 29th 2011 1 decade ago
There has been some very interesting discussion on both the OCZ forum and on the Gentoo Linux forum regarding SSD's used with full disk encryption (FDE) and TRIM. With FDE, every sector is filled with random bits. If you read those random bits with going thru the crypto, you see random bit, whether that sector is in use or not. But if you use TRIM, it pre-erases the flash block, filling it with zeros when viewed without going thru crypto. And yes, FDE defeats the NTFS garbage collection present in some SSDs. I have finally decided to run FDE without TRIM and suffer the time penalty for not having a pool of pre-erased flash blocks. If disk performance falls off enough, I can always image the drive, do a secure erase, then copy the image back to the drive. SSDs actually have more capacity that is visable to the user precisely so that a pool of pre-erased flash blocks can be kept handy for handling short bursts of writes quickly. Whenever you write to a sector, the SSD controller returns it to the free list, but it may take a little while before it gets erased and becomes re-usable.	Moriah 133 Posts
Quote	Sep 30th 2011 1 decade ago
SSD's are my passion now; And being close to Law Enforcement even as I am Retired, I find them to be very good but a bit troublesome as well. The Previous posters are Rightfully concerned about data security. But I found a useful little tool that I paid For the unlock code by making a donation. The tool is By a Guy in Australia. He's at Elpamsoft his tool is called SSD Tweaker. With the unlock code and your username you can effectively force the TRIM to be run and re-use areas of the SSD that were marked by the controller to not use again. The Freeware version does not allow the TRIM to be re-set. I hope this is an acceptable post. ..	Moriah 20 Posts
Quote	Oct 12th 2011 1 decade ago

As early as 15 years ago, when memory sticks and SD cards started to become more and more prevalent, forensic researchers began looking into how evidence can be recovered from such storage media. Due to features like "wear leveling" and garbage collection, which automatically re-arrange content on the storage media even without instruction by the host computer, the consensus was that it is very difficult to make true forensic bit-level copies of flash storage media, and that it is even harder to obtain reliable copies of "unallocated space".

Since then, both the size and usage of solid state disks (SSD) have grown significantly. Laptops and tablets are today often sold with SSD storage by default, and do no longer contain any spinning disk drives.

Recent research shows the full dilemma that this rapid adoption brought with it:

In an outstanding paper, Graeme Bell and Richard Boddington show the effects of what they call "self-corrosion": how simply applying power to a SSD disk or memory stick can be sufficient for the on-board micro controller to start re-arranging and zeroing out storage sectors, and how this affects evidence preservation and recovery of deleted files. If you are pressed for time, scroll to chapter 6 on page 12, and just read their "Recommendations and Guidance".
An equally interesting paper by researchers from UCSD shows the other angle of the same problem: How difficult it is to reliably erase content from SSD drives. The authors show that software used to wipe single files mostly does not work at all with SSDs, and that traditional software used to wipe entire drives often does not reliably erase the SSD media, either.

Conclusions:

If you are into forensics and evidence preservation, keep track of and familiarize yourself with all the types of SSD media in use in your company, and how they behave during forensic acquisition, before you actually need to do so in earnest on a real case.
If your company is still using the "wipe and re-use" processes developed for magnetic disks also for SSD media, update your procedures to include instructions for SSD media. Since the UCSD paper quoted above shows quite dismal results even when using the built-in "Secure Erase" command of the SSD device, you might have to come up with a combination of several erasing methods to more reliably scrub the disk. The best solution today is to deploy full disk encryption (TrueCrypt, etc) to portable devices with SSD media, because this addresses several risks (loss/theft/inability to wipe) in one swoop.

If you have pointers to recent research or suggestions on how to deal with forensic acquisition or secure wiping of SSD media, please let us know or comment below.

Daniel

385 Posts
ISC Handler

Sep 29th 2011

There is a typo in the hyperlink for the "outstanding paper".

Hal

50 Posts

I see one potential exception to the forensics discussion that might apply to many corporate people. I would be very curious to see how software-based full disk encryption affects things. Theoretically, software-based full disk encryption would prevent introspective algorithms running on the SSD that parse NTFS data structures from seeing those data structures and thus from initiating pre-emptive wiping. It sounds like Bit Locker under Windows 7 supports TRIM (see http://blogs.msdn.com/b/e7/archive/2009/05/05/support-and-q-a-for-solid-state-drives-and.aspx), but it is possible that alternative software-based full disk encryption products (i.e. McAfee FDE, Checkpoint Pointsec, etc.) don't issue TRIM commands, and thus would permit traditional forensics in conjunction with a recovery key if the partition were intact. This might permit corporate scenarios (where the disk is recovered intact and a recovery key is present and the software-based full disk encryption product in question doesn't support TRIM) to proceed in a similar manner to forensics on HDDs.

Anonymous

From my experience with OCZ Vertex 2 and Intel 320/510, the secure erase tool deletes the controller AES key. Therefore all the data on the SSD is USELESS.

This is as good as using TrueCrypt when it comes to re-using a SSD inside the company.

Anonymous

There has been some very interesting discussion on both the OCZ forum and on the Gentoo Linux forum regarding SSD's used with full disk encryption (FDE) and TRIM. With FDE, every sector is filled with random bits. If you read those random bits with going thru the crypto, you see random bit, whether that sector is in use or not. But if you use TRIM, it pre-erases the flash block, filling it with zeros when viewed without going thru crypto. And yes, FDE defeats the NTFS garbage collection present in some SSDs. I have finally decided to run FDE without TRIM and suffer the time penalty for not having a pool of pre-erased flash blocks. If disk performance falls off enough, I can always image the drive, do a secure erase, then copy the image back to the drive. SSDs actually have more capacity that is visable to the user precisely so that a pool of pre-erased flash blocks can be kept handy for handling short bursts of writes quickly. Whenever you write to a sector, the SSD controller returns it to the free list, but it may take a little while before it gets erased and becomes re-usable.

Moriah

133 Posts

SSD's are my passion now;
And being close to Law Enforcement even as I am Retired,
I find them to be very good but a bit troublesome as well.
The Previous posters are Rightfully concerned about data security.
But I found a useful little tool that I paid For the unlock code by making a donation.
The tool is By a Guy in Australia.

He's at Elpamsoft his tool is called SSD Tweaker.

With the unlock code and your username you can effectively force the TRIM to be run and re-use areas of the SSD that were marked by the controller to not use again.

The Freeware version does not allow the TRIM to be re-set.

I hope this is an acceptable post.
..

Moriah
20 Posts