Self-erasing flash drives destroy court evidence
'Golden age' of forensics coming to close
The inner workings of solid state storage devices are so fundamentally different from traditional hard drives that forensic investigators can no longer rely on current preservation techniques when admitting evidence stored on them in court cases, Australian scientists said in a research paper.
Data stored on Flash drives is often subject to a process the scientists called “self-corrosion,” in which evidence is permanently erased or contaminated in ways that bits stored on magnetic-based hard drives are not. The alterations happen in the absence of any instructions from the user. The findings introduce a “grey area” into the integrity of files that are forensically extracted from the devices and threaten to end a “golden age” of digital evidence gathering offered by older storage types.
“Given the pace of development in SSD memory and controller technology, and the increasingly proliferation [sic] of manufacturers, drives, and firmware versions, it will probably never be possible to remove or narrow this new grey area within the forensic and legal domain,” the scientists, from Australia's Murdoch University, wrote. “It seems possible that the golden age for forensic recovery and analysis of deleted data and deleted metadata may now be ending.”
For decades, investigators have worked with tape, floppy drives and hard drives that continue to store huge amounts of information even when the files they're contained in are marked for deletion. Even wiping the disks isn't always enough to permanently erase the contents. SSDs, by contrast, store data in blocks or pages of NAND-based transistor chips that must be electronically erased before they can be reused.
As a result, most SSDs have firmware that automatically carries out “self healing” or “garbage collection” procedures that can permanently erase or alter files that have been marked for deletion. The process often begins as soon as three minutes after the drive is powered on and happens with no warning. The user need not initiate any commands, and the drive emits no lights or makes any sounds to indicate the purging is taking place.
What's more, the use of so-called write blockers and other techniques designed to isolate a drive during forensic imaging offered no protection. That's because the garbage collection is initiated by the SSD firmware that's independent from commands issued by the computer it's attached to.
“If garbage collection were to take place before or during forensic extraction of the drive image, it would result in irreversible deletion of potentially large amounts of valuable data that would ordinarily be gathered as evidence during the forensic process – we call this 'corrosion of evidence,'” the scientists wrote.
The findings have serious consequences for criminal and civil court cases that rely on digital evidence. If the disk from which the data comes appears to have been tampered with after it was seized, an opposing party frequently has grounds for having the evidence thrown out of court. The paper comes as a growing number of computer makers integrate SSDs into the machines they sell. The drives have many benefits over their magnetic brethren, including speed, lower power consumption and durability.
At first blush, the results appear to conflict with those of a recent paper that found data fragments stored on flash drives can be virtually indestructible. It may be the case that what both research teams are saying is that data stored on the newfangled devices can't be reliably deleted or preserved the way it can on magnetic media.
Researchers Graeme B. Bell and Richard Boddington, of Murdoch University's School of IT, arrived at their findings by comparing the way data is preserved on a 64GB Corsair P64 SSD versus an 80GB Hitachi Deskstar hard drive. A PDF of their paper, which previously was published in December in The Journal of Digital Forensics, Security and Law, is here. ®
Right track, wrong solution
I have put much thought into this since I've been developing data recovery algorithms since the days when 20 megabyte drives were considered a luxury ;)
The concerns involved at this point are more related to the fact that on power up of the drive, possibly before the controller itself becomes active, the drive begins to flush its "mark for deletion" cache. This occurs by sending the delete block command to the Flash memory chips for the blocks that are to be readied for writing. This is an important thing to do as you would want to flush these sectors are quickly as possible to avoid issues related to power losses. After all, if the mark for deletion table is run multiple times, then extra writes will occur thereby degrading the sectors more rapidly. It's just a good algorithm to follow.
The drawback to this approach with regards to forensics is that simply powering up the drive, even attempting to burst a "do no write" or "enter forensics mode" command over the controller probably would not issue quickly enough to avoid the drive being written to and therefore rendering the drive as altered and invalid with regard to evidence requirements.
Forensics MUST copy the drive unaltered, sector by sector to an image which can be used to recover the media, leaving the original drive in tact before any analysis occurs.
The correct solutions would be :
1) require a jumper to be present on all devices to block garbage collector from initializing.
This solution sucks because it would take another year or two before the jumper is present and therefore would only be ok for newer drives.
2) require that the controller of the drive is flash programmable from a JTAG circuit so that the firmware can be altered in an environment where the flash chips themselves are not powered up. This also sucks since if I were the one being prosecuted, I would argue that this modification also counts as altering the contents of the drive.
3) program a controller chip separately, then desolder the original controller chip and solder the forensics controller chip to the board. This solution is great, but requires that the forensics firm physically "damage" the device in question. I'd imagine that very quickly the quality of the forensics companies' surface mount rework technicians would come into question and would quickly become an issue as to whether they altered the data accidentally.
For part suggestion 2 or 3, the next huge problem is, can you reliably keep track of all those chips and firmwares. There will be thousands of different models and revisions in the future.
4) access the JTAG ports for the individual flash chips (they should probably be accessible on all devices), then power the chips up and perform a JTAG read of all the data. This is slow and boring, but it is 100% reliable and it is 100% guaranteed to not alter the physical device or the data on the device. Therefore leaving the confiscated device in pristine order.
As a data recovery "expert". I recently recovered "all recoverable data" from a RAID 0 stripped set which someone had actually formatted and installed a fresh copy of Windows XP on... one of the drives. Having done this by imaging both drives and developing a tool to detect the raid parameters and reassembled the striped set into a single linear image from which I reconstructed as much of the original MFT as possible and then recovered images through algorithmic steps followed by a brute force method of scanning the image for JPEG jfif signatures and then reassembled photos by using simple linear reassembly as well as scanning "likely places" for missing sectors. I feel pretty comfortable calling myself a hard drive data recovery "expert" which means, I'm pretty good at it, at least good enough that I'll recover more data than most people will from a drive unless needing a clean room.
At least in my "expert" beliefs the only correct method of performing Flash based forensics is to :
1) create an image file via JTAG of each individual flash chip on the device.
2) copy these images to an identical device
3) find out from the device manufacturer how to read the sector mapping table from the controller via JTAG.
4) upload the sector mapping table to the duplicate device.
5) image the device in question to a forensics workstation
6) work from the image files.
Why should personal use equipment be optimised for Plod?
Plod can take the lumps and go figure out their own solutions for technical challenges. there is no need to add complexity to already complex storage technologies just because MI whatever or others want to read your private files.
It is high time people stood up and said : 'Enough!'. Be it eve's dropping on conversations, geo-location on smartphones or checking electricity consumption for potential pot growers the Plod is everywhere. They don't make people remove insulation from homes so they can use their thermal imaging systems more easily, so why do we have to?
A pox on the lot.
Thanks for sharing your experience and thoughts; they were as worthwhile as the article itself.