Feeds

Self-erasing flash drives destroy court evidence

'Golden age' of forensics coming to close

The Essential Guide to IT Transformation

The inner workings of solid state storage devices are so fundamentally different from traditional hard drives that forensic investigators can no longer rely on current preservation techniques when admitting evidence stored on them in court cases, Australian scientists said in a research paper.

Data stored on Flash drives is often subject to a process the scientists called “self-corrosion,” in which evidence is permanently erased or contaminated in ways that bits stored on magnetic-based hard drives are not. The alterations happen in the absence of any instructions from the user. The findings introduce a “grey area” into the integrity of files that are forensically extracted from the devices and threaten to end a “golden age” of digital evidence gathering offered by older storage types.

“Given the pace of development in SSD memory and controller technology, and the increasingly proliferation [sic] of manufacturers, drives, and firmware versions, it will probably never be possible to remove or narrow this new grey area within the forensic and legal domain,” the scientists, from Australia's Murdoch University, wrote. “It seems possible that the golden age for forensic recovery and analysis of deleted data and deleted metadata may now be ending.”

For decades, investigators have worked with tape, floppy drives and hard drives that continue to store huge amounts of information even when the files they're contained in are marked for deletion. Even wiping the disks isn't always enough to permanently erase the contents. SSDs, by contrast, store data in blocks or pages of NAND-based transistor chips that must be electronically erased before they can be reused.

As a result, most SSDs have firmware that automatically carries out “self healing” or “garbage collection” procedures that can permanently erase or alter files that have been marked for deletion. The process often begins as soon as three minutes after the drive is powered on and happens with no warning. The user need not initiate any commands, and the drive emits no lights or makes any sounds to indicate the purging is taking place.

What's more, the use of so-called write blockers and other techniques designed to isolate a drive during forensic imaging offered no protection. That's because the garbage collection is initiated by the SSD firmware that's independent from commands issued by the computer it's attached to.

“If garbage collection were to take place before or during forensic extraction of the drive image, it would result in irreversible deletion of potentially large amounts of valuable data that would ordinarily be gathered as evidence during the forensic process – we call this 'corrosion of evidence,'” the scientists wrote.

The findings have serious consequences for criminal and civil court cases that rely on digital evidence. If the disk from which the data comes appears to have been tampered with after it was seized, an opposing party frequently has grounds for having the evidence thrown out of court. The paper comes as a growing number of computer makers integrate SSDs into the machines they sell. The drives have many benefits over their magnetic brethren, including speed, lower power consumption and durability.

At first blush, the results appear to conflict with those of a recent paper that found data fragments stored on flash drives can be virtually indestructible. It may be the case that what both research teams are saying is that data stored on the newfangled devices can't be reliably deleted or preserved the way it can on magnetic media.

Researchers Graeme B. Bell and Richard Boddington, of Murdoch University's School of IT, arrived at their findings by comparing the way data is preserved on a 64GB Corsair P64 SSD versus an 80GB Hitachi Deskstar hard drive. A PDF of their paper, which previously was published in December in The Journal of Digital Forensics, Security and Law, is here. ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.