SSDs Cause Crisis For Digital Forensics

CmdrTaco posted more than 3 years ago | from the yeah-so-sad dept.

Data Storage 491

rifles only writes "Firmware built into many solid state drives (SSDs) to improve their storage efficiency could be making forensic analysis at a later date by police forces and intelligence agencies almost impossible to carry out to legally safe standards, Australian researchers have discovered. They found that SSDs start wiping themselves within minutes after a quick format (or a file delete or full format) and can even do so when disconnected from a PC and rigged up to a hardware blocker." So either SSDs are really hard to erase, or really hard to recover. I'm so confused.

that's why (-1)

Anonymous Coward | more than 3 years ago | (#35349156)

and that's why I bought a Saturn.

Re:that's why (-1, Offtopic)

armanox (826486) | more than 3 years ago | (#35349302)

OT I know, but I love my Saturn (95 SL-1)

Good. (5, Insightful)

Anonymous Coward | more than 3 years ago | (#35349172)

Deleted, should mean deleted.

Will be fixed by a new law. (1)

Anonymous Coward | more than 3 years ago | (#35349226)

Next, expect law enforcement to clamor for a new law that mandates persistent data retention for all types of storage devices.

Re:Good. (3, Informative)

EyelessFade (618151) | more than 3 years ago | (#35349728)

I'm not too sure. Ibas [wikimedia.org] says they are almost impossible to wipe out. That even with secure delete, almost 90% is still intact. And I think I believe them.

And the downside here is... (0)

Anonymous Coward | more than 3 years ago | (#35349174)

No really! What's the down side?

Re:And the downside here is... (4, Funny)

MachDelta (704883) | more than 3 years ago | (#35349308)

When Mindy the undergrad accidentally deletes her term paper and would be really REALLY grateful for a super smart and kinda cute geek to go in and recover the file with Backtrack... then you'll see the downside.

What? I reject your reality and substitute my own!

Re:And the downside here is... (1, Informative)

GameboyRMH (1153867) | more than 3 years ago | (#35349514)

When Mindy the undergrad accidentally deletes her term paper and would be really REALLY grateful for a super smart and kinda cute geek to go in and recover the file with Backtrack...

OH NOES, what will I ever do without being told "thank you" and about what a nice guy I am.

Yeah it never goes any further than that outside of geek fantasies.

Not even in pornos. <-- business opportunity

Re:And the downside here is... (0)

interkin3tic (1469267) | more than 3 years ago | (#35349618)

OH NOES, what will I ever do without being told "thank you" and about what a nice guy I am. Yeah it never goes any further than that outside of geek fantasies.

You seem to think you're entitled to sex for helping someone with computer issues, or that a "thank you" is insufficient payment for a favor: I'm guessing you don't get told you're a nice guy very often.

Re:And the downside here is... (1)

cayenne8 (626475) | more than 3 years ago | (#35349680)

You seem to think you're entitled to sex for helping someone with computer issues, or that a "thank you" is insufficient payment for a favor: I'm guessing you don't get told you're a nice guy very often.

Nice guys don't get laid as much either....

Re:And the downside here is... (1)

Vegeta99 (219501) | more than 3 years ago | (#35349744)

You don't get laid too often being a dick either.
(Or by tryin to get laid for undeleting a file)

Re:And the downside here is... (0)

Anonymous Coward | more than 3 years ago | (#35349690)

You seem to think you're entitled to sex for helping someone with computer issues, or that a "thank you" is insufficient payment for a favor

And you seem to have reading comprehension issues. GameboyRMH never suggested anything of the sort. MachDelta was the one who sort of implied that geeks currently DO get something more than a "thank you" for doing a favor, and GameboyRMH was just saying that was untrue.

Re:And the downside here is... (3, Insightful)

Asic Eng (193332) | more than 3 years ago | (#35349862)

I think it's about impoliteness when asking favors. Friends help each other: I'm quite ok fixing my non-technical friend's WLAN, just as he's ok with giving me a hand when I'm moving houses. That's the social norm, and thus asking someone for a favor also indicates how you feel about them.

So if you don't like someone, if you would under normal circumstances not want to spend time with them - then you don't ask them for favors. That would be plain rude.

If you don't have an actual friend to provide tech services - just purchase said services.

Re:And the downside here is... (2)

Tumbleweed (3706) | more than 3 years ago | (#35349654)

Business Tip #1: Get payment up front.

Re:And the downside here is... (1)

HungryHobo (1314109) | more than 3 years ago | (#35349850)

actually my girlfriend of 4 years I first started going out with her after coding a trivial little java app for her final year project.
so it does sometimes go beyond "thank you".

Re:And the downside here is... (1)

mysidia (191772) | more than 3 years ago | (#35349570)

When Mindy the undergrad accidentally deletes her term paper and would be really REALLY grateful for a super smart and kinda cute geek to go in and recover the file with Backtrack... then you'll see the downside.

That's where da recycle bin comes in.

Re:And the downside here is... (1)

Vegeta99 (219501) | more than 3 years ago | (#35349766)

except a lot of SSDs come in USB key form and Winderz deletes files off those immediately.

Re:And the downside here is... (2)

cskrat (921721) | more than 3 years ago | (#35349574)

Most geeks that would try to leverage something like that to get laid will still fail at getting to the getting laid part.
Most girls that would dangle that sort of carrot know that teasing is just as effective as giving where geeks are concerned.

Re:And the downside here is... (1)

rogueippacket (1977626) | more than 3 years ago | (#35349686)

Protip: Put up a fake "progress" bar on the screen while you are "recovering" the files. Set it for something like 20 minutes. Now you at least have a chance to talk to a girl for that time, unless you're a real sucker and you let her find an excuse to leave you alone for 20 minutes.

Re:And the downside here is... (3, Funny)

larry bagina (561269) | more than 3 years ago | (#35349764)

Only a problem if the retard windows admin disabled the recycle bin because it interfered with his OCD.

Why can't they make up their minds (1)

joaeri (583880) | more than 3 years ago | (#35349202)

Lately all you have heard is the complete opposite. That they are impossible to completely erase so it's unsafe to store company/secure data on them. Because even if you erase the file it's still left on the disk and just marked as empty. Now they say they erase themselves.

Re:Why can't they make up their minds (4, Insightful)

DrgnDancer (137700) | more than 3 years ago | (#35349460)

It's not hard really. The drives autoclean themselves. So when you delete the inode reference to a given data file, it will be completely much more quickly than on a normal magnetic drive (which won't reclaim the space till it's needed). On the other hand it won't respond to commands that would FORCE a magnetic drive to completely wipe the file.

So if you're in your secret lab and you hear that the evil enemy is an hour away, you just type "rm /*" and wander off to escape. By the time they get there all your data will be completely wiped. On the other hand if they are breaking down the door to your secret lab and you have only seconds left you can't type "shred /home/joeari/secretfile" and expect it to be perma-deleted like you could with a magnetic drive.

They recover deleted sectors more quickly, but can't be forced to do so in a controlled manner.

Re:Why can't they make up their minds (1)

CastrTroy (595695) | more than 3 years ago | (#35349646)

My understanding is that shred doesn't work on modern file systems because they don't overwrite a file in place. See the Shred MAN page [ed.ac.uk] for information on this. It worked on old file systems like ext2, but on more advanced journaling file systems, this is almost never the case.

Re:Why can't they make up their minds (5, Interesting)

graeme_ssd (2006566) | more than 3 years ago | (#35349838)

Hi, I'm one of the authors of the article (Graeme).

You wrote: "So if you're in your secret lab and you hear that the evil enemy is an hour away, you just type "rm /*" and wander off to escape. By the time they get there all your data will be completely wiped. On the other hand if they are breaking down the door to your secret lab and you have only seconds left you can't type "shred /home/joeari/secretfile" and expect it to be perma-deleted like you could with a magnetic drive."

Actually, we found something even more interesting when we prepared this paper.

An evil criminal could run a quick format (about 8 seconds effort) if police were at the door, or they could set up a dead man switch to do the same. When the investigator powers up the drive, the drive's internal GC runs quickly (we couldn't get any formal documentation about why this is - presumably it begins so quickly since the filesystem metadata is nice and simple to process) and so after about 3 minutes it begins wiping itself.

Just a few minutes later it has finished, and data and old filesystem metadata are gone (at least, gone as far as logical access to drive sectors is concerned).

I'd encourage anyone who finds the result interesting to take a glance at the original paper, it's written to be accessible to people outside the traditional drive forensics community and there are some fun, free script tools you can use to monitor drive GC behaviour in near-realtime.

Graeme.
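Added example, not part of the comment above and not the scripts from the paper: one way an examiner could watch for the self-wiping described here is to re-read a fixed pseudo-random set of sectors and track how many have gone to zero and whether the sample's hash has changed. The function names, the sample size and the constructed 256-sector test image are assumptions made for this sketch.

```python
"""Sampled sector survey. Added example; the image used in demo() is constructed."""
import hashlib
import os
import random
import tempfile

SECTOR = 512


def survey(path, count=64, seed=1):
    """Read the same pseudo-random sectors on every call.

    Returns (fraction of sampled sectors that are all zero, SHA-256 of the sample).
    On a real device the OS page cache can mask changes made by the drive itself,
    so reads there need direct I/O or a cache drop between passes.
    """
    with open(path, "rb") as dev:
        total = dev.seek(0, os.SEEK_END) // SECTOR
        if total == 0:
            raise ValueError("nothing to sample")
        picks = sorted(random.Random(seed).sample(range(total), min(count, total)))
        digest, zeroed = hashlib.sha256(), 0
        for sector in picks:
            dev.seek(sector * SECTOR)
            block = dev.read(SECTOR)
            digest.update(block)
            zeroed += not any(block)      # True when every byte is 0x00
    return zeroed / len(picks), digest.hexdigest()


def demo():
    """Constructed image that is 'wiped' in two steps between surveys."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as img:
            for i in range(256):
                img.write(bytes([i % 255 + 1]) * SECTOR)   # non-zero filler
        results = [survey(path)]
        for wiped in (128, 256):          # stand-in for garbage-collection progress
            with open(path, "r+b") as img:
                img.write(b"\x00" * SECTOR * wiped)
            results.append(survey(path))
    finally:
        os.remove(path)
    return results


if __name__ == "__main__":
    for step, (zero_fraction, sample_hash) in enumerate(demo()):
        print(step, f"{zero_fraction:.2f}", sample_hash[:16])
```

A sample hash that changes between two passes with no host writes in between is the signal that the medium was modified from inside the drive.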

Re:Why can't they make up their minds (4, Insightful)

arivanov (12034) | more than 3 years ago | (#35349540)

They do not completely erase when you hit them with a commercial erase tool because the commercial erase tool does not give the drive a chance to "take a breath". If you hit it with a DOD wipe instead of overwriting old blocks the drive will give you new until it runs out of spares and after that will slowly overwrite some old. At the end some data will remain.

You need to hit it with short write bursts which are alternated by rest periods so that the controller can reorganise the flash especially if you use the TRIM ATA command to mark stuff as "really deleted". As a result the data will be wiped to a standard which no hard drive can achieve.

I can write a perl 10-liner that feeds DD to do that in about half an hour. So any geek can erase one. However the commercial and most importantly certified by banking and govt tools cannot just yet. They definitely will as there is no rocket science here. Until this happens you will hear both sides of the story depending who you talk to.

By the way the same will apply to overlapping recording and drives with flash cache. A "dumb" wipe will not wipe them. At the same time a script any sysadmin can write in his spare time can wipe them so effectively that no forensics can get the data back.

Re:Why can't they make up their minds (2)

RapmasterT (787426) | more than 3 years ago | (#35349606)

Lately all you have heard is the complete opposite. That they are impossible to completely erase so it's unsafe to store company/secure data on them. Because even if you erase the file it's still left on the disk and just marked as empty. Now they say they erase themselves.

you've discovered the paradox that exists in the gulf between "in theory" and "in the real world". In the real world, a lot of shit that people get lathered up about is completely impractical and for all real-world purposes "impossible". But that doesn't stop some tech "editor" on a slow news day from hype pimping some theory as if it's the pending zombie apocalypse.

Re:Why can't they make up their minds (1)

Tumbleweed (3706) | more than 3 years ago | (#35349688)

Ignition of the magnesium slab mounted to each SSD and memory module works 100% of the time.

Don't forget your backups!

trim/discard (2)

Tomun (144651) | more than 3 years ago | (#35349206)

At a guess this is caused by mounting with the discard option, or trim as it's called in Windows. It tells the drive you don't need the data stored where a deleted file used to be.

Maybe it's still there if you look with a microscope but who really does that?

Re:trim/discard (3, Insightful)

Hatta (162192) | more than 3 years ago | (#35349328)

Deleting a file should tell the OS that I don't need that data. That's what deleting is.

Re:trim/discard (4, Informative)

Artraze (600366) | more than 3 years ago | (#35349580)

> Deleting a file should tell the OS that I don't need that data. That's what deleting is.

It does, and that is, in fact, what it is. So Windows unlinks the file from the directory and removes the blocks from the in-use map.

The drive, however, doesn't know any of this. It updates the requested sectors representing the directory and volume info, and that's about it. It has no idea that blocks somewhere else on the drive are no longer needed, so it will dutifully copy and maintain that data while rewriting blocks.

The idea of the trim command is that it tells the drive that the data is deleted so the drive doesn't have to worry about maintaining it. This was never needed in old drives because the data was basically ignored after being written. In SSDs, the data needs to be continuously copied around to facilitate the erasing (which wipes several thousand blocks at once).

Re:trim/discard (2)

afidel (530433) | more than 3 years ago | (#35349598)

For most of modern computing it's meant unlink the inode or remove the FAT entry which makes the blocks available. This was done because it was too expensive to actually cleanse the data in 99+% of situations. Now with SSD's there is a performance gain to be had by pre-wiping the block in the background so deletes eventually mean actually cleansing the data. The flip side is with most current SSD's there's no way to force a particular physical address to be wiped because of sector to block mapping (though this is actually true to some extent on all modern HDD's due to sector re-mapping for bad areas).

Re:trim/discard (1)

sjames (1099) | more than 3 years ago | (#35349656)

That is, of course, true.

The new part is that in ages past, the OS would just mark the blocks free and that was that. The data tended to remain there until the space was needed for another file, then it would be overwritten.

Because flash has to be erased before it is written (directly overwriting doesn't work), erase can take some time, and the drive is not just a dumb device, it is now necessary to actually let the drive know that the data is no longer needed as well rather than just making a note somewhere. The ATA command to do that is called TRIM.

Re:trim/discard (1)

icebike (68054) | more than 3 years ago | (#35349856)

Deleting a file should tell the OS that I don't need that data.

It does exactly that, by removing pointers to the data, and marking the blocks available (via normal means).

Just like tossing an old shirt in the trash makes it inaccessible after the trash man picks it up, but does not shred the shirt to rags, file systems simply make it unavailable without heroic methods. Trash pickers can, and in some cases do, salvage all sorts of things from trash.

Actual erasing things would slow down your computer quite a bit. There are software [heidi.ie] packages [fileshredder.org] you can obtain to do this if you are paranoid that your computer is likely to be seized.

In addition other operating systems such as Linux have a built in "Shredder" see: man (1) shred
This is variously incorporated into Graphical file managers in some versions.

Re:trim/discard (2)

Firehed (942385) | more than 3 years ago | (#35349610)

Maybe it's still there if you look with a microscope but who really does that?

The forensics team mentioned in TFS?

Re:trim/discard (5, Informative)

graeme_ssd (2006566) | more than 3 years ago | (#35349642)

At a guess this is caused by mounting with the discard option, or trim as it's called in Windows. It tells the drive you don't need the data stored where a deleted file used to be.

Maybe it's still there if you look with a microscope but who really does that?

Hello there, I'm one of the authors of the paper (Graeme).

This finding isn't related to TRIM in any way, though TRIM poses another nightmare for forensic investigators and may make the idea of examining deleted data/metadata redundant in a few years.

What's happening here is that the drive itself has some code, a garbage collector, that reads the NTFS filesystem metadata and wipes any cells it thinks aren't needed any more, so that the next set of writes over those cells can take place more quickly.

Normally this GC has seemed to take a while to kick in (various benchmarking sites suggest e.g. 30-60 minutes and unpredictable behaviour, e.g. not always kicking in when expected); here, we found that after a quick format has taken place, it reliably can be seen to kick in within minutes and also purges the drive within minutes. This is just one example of a case when the GC can kick in, of course.

Current court-accepted forensics practice is to stick a write blocker between the drive and computer, under the assumption that the drive only modifies data when a PC tells it to: but that doesn't help you when the drive itself nukes all its data cells within minutes of being powered on.

I can imagine a situation where someone connects up the drive to power, (and possibly a write blocker), but not to the PC and makes a cup of coffee for a few minutes - by the time they connect it up for data transfer, it's too late, and they wouldn't even realise it had happened - the drive doesn't exactly make any whirrs or clicks as it wipes itself.

Alternatively, the circumstances we found: in less than the time that would be taken to read an entire image off the disk for forensic study, the GC is racing ahead of you and purging the disk! Yikes. So you can imagine... a forensic investigator takes an image, examines it, presents it to the court, and when the court verifies the original disk that the copy was taken from, nothing is there any more, and the forensic investigator seems to be making it all up....

So this feature has the potential to make it look like the police or forensic investigator themselves tampered with the original disk, as well as potentially destroying evidence that could help establish guilt or help establish innocence. We've put a number of 'interesting legal grey areas' at the back of the paper that we hammered out with reviewers, which are worth being aware of.

Graeme.

Solution is simple, but not easy (2, Informative)

Anonymous Coward | more than 3 years ago | (#35349214)

You need to disassemble the drive and read the memory chips independently of the controller. I believe I read this is how one of the major drive recovery companies is handling SSDs.

Re:Solution is simple, but not easy (4, Insightful)

Zerth (26112) | more than 3 years ago | (#35349404)

You need to disassemble the drive and read the memory chips independently of the controller.

Bingo. Forensic tech are used to being able to just plug in a write-blocker and assume the disk will remain intact and unchanged, which is the "legally safe" part they are complaining about. Since SSDs do lots more under the hood than spinning rust drives, they can't guarantee the device is unchanged unless they disassemble it, which might be considered tampering and leaves room for the other side's lawyers to ask "and then you took a soldering iron to a delicate IC?".

It also requires a lot more know-how than "Use this magic cable when copying drives for investigation".

Re:Solution is simple, but not easy (0)

Anonymous Coward | more than 3 years ago | (#35349564)

I think I've read somewhere that evidence also has to be reproducible by the defense. If you destroy the device in the process of recovering data, that might be hard to do; or not ... I'm just guessing really.

Defense may get to observe ... (1)

perpenso (1613749) | more than 3 years ago | (#35349722)

I think I've read somewhere that evidence also has to be reproducible by the defense. If you destroy the device in the process of recovering data, that might be hard to do; or not ... I'm just guessing really.

I think some tests inherently destroy evidence. For such cases it may be that the defense has the right to observe the testing to ensure that it was done properly.

Difficult to create data with soldering iron ... (1)

perpenso (1613749) | more than 3 years ago | (#35349810)

... which might be considered tampering and leaves room for the other side's lawyers to ask "and then you took a soldering iron to a delicate IC?" ...

Because the odds of the randomly generated bits creating an email to Bernie Madoff discussing the ponzi scheme falls within a range considered to be reasonable doubt? You would need a fairly ignorant and gullible jury to buy that ... oh wait ... OK that may work for a celebrity defendant but I wouldn't count on that saving the average guy.

Encrypt your data (4, Insightful)

rcb1974 (654474) | more than 3 years ago | (#35349224)

Problem solved. People need control over their own privacy. Tough luck Digital Forensic folks.

Re:Encrypt your data (-1)

Anonymous Coward | more than 3 years ago | (#35349336)

Problem solved. People need control over their own privacy. Tough luck Digital Forensic folks.

Supposedly that doesn't work either:

    http://hardware.slashdot.org/story/11/02/17/1911217/Confidential-Data-Not-Safe-On-Solid-State-Disks?from=rss

So either SSDs are really hard to erase, or really hard to recover. I'm so confused.

Re:Encrypt your data (0)

Anonymous Coward | more than 3 years ago | (#35349378)

That article has nothing to do with encrypted data on a SSD.

Re:Encrypt your data (1)

Kiaser Zohsay (20134) | more than 3 years ago | (#35349468)

So either SSDs are really hard to erase, or really hard to recover. I'm so confused.

It is really hard to prove that data from SSDs was really deleted, and it is also hard to prove that data from SSDs was really not deleted.

Re:Encrypt your data (1)

Anonymous Coward | more than 3 years ago | (#35349576)

Schrödinger's Disk.

Re:Encrypt your data (1)

beelsebob (529313) | more than 3 years ago | (#35349530)

That article was bunk. The correct way to get an SSD to erase something properly is to "trim" the data – i.e. tell the SSD that the cell is no longer needed. This (a) causes the SSD to erase it so that the next write cycle is faster, and (b) lets the SSD know it can overwrite that cell without explicit instructions from the OS, which allows it to wear level better.

What the people in that article did instead was try to write over data with crap. The SSD then did a good job of wear levelling and instead of overwriting what was previously there wrote to a totally different cell, and updated its map of what was where.

Basically, they decided to use a technique designed for erasing hard disks, and discovered it didn't work very well for erasing SSDs. Meanwhile, the correct technique for erasing SSDs leaves law enforcement or other people trying to recover data totally befuddled.
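Added illustration, not part of any comment and not any real drive's firmware: a toy flash translation layer in Python that reproduces the two behaviours argued over in this sub-thread. Overwriting every logical page leaves old data in pages the host cannot address, while unmapping the pages and letting garbage collection run leaves none. The class, page counts and the `SECRET` marker are constructed; erasing per page instead of per erase block, and running the collector only when called or when free pages run out, are simplifying assumptions.

```python
"""Toy flash translation layer (FTL): a constructed model, not real SSD firmware."""

ERASED = None  # an erased flash page holds no data


class ToyFTL:
    def __init__(self, logical_pages=8, physical_pages=10):
        # physical > logical: the difference is spare area the host cannot address
        assert physical_pages > logical_pages
        self.logical_pages = logical_pages
        self.flash = [ERASED] * physical_pages   # raw cells, what a chip-off read sees
        self.l2p = {}                            # logical page -> physical page
        self.stale = set()                       # pages holding data nothing maps to
        self.free = list(range(physical_pages))  # erased pages ready for a write

    def write(self, lpn, data):
        """Host write. Flash cannot be overwritten in place, so take a fresh page."""
        if not self.free:
            self.garbage_collect()
        ppn = self.free.pop(0)
        self.flash[ppn] = data
        if lpn in self.l2p:
            self.stale.add(self.l2p[lpn])  # the old copy stays in flash for now
        self.l2p[lpn] = ppn

    def trim(self, lpn):
        """Host says the logical page is unused: unmap it, erase nothing yet."""
        if lpn in self.l2p:
            self.stale.add(self.l2p.pop(lpn))

    def read(self, lpn):
        """What the host (or an imaging tool behind a write blocker) sees."""
        ppn = self.l2p.get(lpn)
        return b"\x00" if ppn is None else self.flash[ppn]

    def garbage_collect(self):
        """Background step: erase every stale page and return it to the free pool."""
        for ppn in sorted(self.stale):
            self.flash[ppn] = ERASED
            self.free.append(ppn)
        self.stale.clear()

    def residue(self, marker):
        """Physical pages still containing `marker`, mapped or not."""
        return [p for p, d in enumerate(self.flash) if d is not ERASED and marker in d]


def fill_with_secrets(ftl):
    for lpn in range(ftl.logical_pages):
        ftl.write(lpn, b"SECRET-%d" % lpn)


def overwrite_whole_drive():
    """Hard-disk style wipe: overwrite every logical page once with zeros."""
    ftl = ToyFTL()
    fill_with_secrets(ftl)
    for lpn in range(ftl.logical_pages):
        ftl.write(lpn, b"\x00")
    host_view_clean = all(ftl.read(l) == b"\x00" for l in range(ftl.logical_pages))
    return host_view_clean, ftl.residue(b"SECRET")


def trim_then_gc():
    """Unmap every logical page, then let the collector run."""
    ftl = ToyFTL()
    fill_with_secrets(ftl)
    for lpn in range(ftl.logical_pages):
        ftl.trim(lpn)
    before = len(ftl.residue(b"SECRET"))   # unmapped but not yet erased
    ftl.garbage_collect()
    return before, len(ftl.residue(b"SECRET"))


if __name__ == "__main__":
    print("overwrite:", overwrite_whole_drive())
    print("trim + gc:", trim_then_gc())
```

In this model the residue left after a full overwrite equals the size of the spare area, and the host's view is all zeros in both cases, so a logical image cannot tell the two outcomes apart.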

Re:Encrypt your data (1)

tibit (1762298) | more than 3 years ago | (#35349702)

IOW, if you TRIM over the whole medium, you're guaranteed that the drive will physically erase everything in short order. That's good, isn't it?

Re:Encrypt your data (1)

Firehed (942385) | more than 3 years ago | (#35349754)

What the people in that article did instead was try to write over data with crap. The SSD then did a good job of wear levelling and instead of overwriting what was previously there wrote to a totally different cell, and updated its map of what was where.

I don't see why this would be less effective on an SSD than on magnetic media - assuming, of course, you're doing a multi-pass overwrite. My hard drives contain sensitive information, so they get the DOD-spec 7-pass overwrite when that special time comes (although the info is encrypted to start, so the risk is minuscule to start). Sounds like zeroing out the drive alone isn't enough (until TRIM does its thing), but is there any reason that completely overwriting the drive wouldn't work on an SSD?

I assume the procedure you're referring to is simply overwriting the original sectors, rather than the entire drive.

Re:Encrypt your data (1)

greenreaper (205818) | more than 3 years ago | (#35349372)

Yeah, but you can still go to jail for that in the UK, unlike TRIM.

Re:Encrypt your data (0)

Anonymous Coward | more than 3 years ago | (#35349658)

No, you can go to jail in the UK for not-giving-em-all-your-data, the empire does not give a crap whether you've deliberately erased it, denied them your password or if the "disk"-firmware erased it.

Re:Encrypt your data (2)

Jonner (189691) | more than 3 years ago | (#35349786)

This property of modern SSDs is neither positive nor negative by itself. It's a property you'd be thankful for if you were organizing protests in Iran and stored contacts on an SSD. You'd curse it if it were exploited to destroy incriminating photos by someone who'd stalked you or a loved one.

When it absolutely, positively, has to be.. (2)

NevarMore (248971) | more than 3 years ago | (#35349232)

..destroyed overnight, go with the SSDs. The melting point of a surface mount IC is a lot less than that of a spinning platter.

Re:When it absolutely, positively, has to be.. (1)

joeytmann (664434) | more than 3 years ago | (#35349312)

I like hammers, no melting point required.

Re:When it absolutely, positively, has to be.. (1)

boristdog (133725) | more than 3 years ago | (#35349578)

.357 at 10 yards does it for me.

Re:When it absolutely, positively, has to be.. (1)

MonsterTrimble (1205334) | more than 3 years ago | (#35349774)

And you have had reason to do this?

Re:When it absolutely, positively, has to be.. (1)

Ziest (143204) | more than 3 years ago | (#35349440)

Yes but thermite is so much fun to play with.

Well... (4, Insightful)

Minwee (522556) | more than 3 years ago | (#35349238)

So either SSDs are really hard to erase, or really hard to recover. I'm so confused.

All I know is that if SSDs were really hard to erase, and I was in the business of recovering data that other people didn't want recovered, this is exactly the kind of story that I would tell them so that they would continue using SSDs.

Not that I'm paranoid or anything.

Re:Well... (3, Insightful)

EasyTarget (43516) | more than 3 years ago | (#35349488)

What wear levelling gives with one hand (performance and life) at the expense of the OS never knowing in which memory cell the data has -actually- been stored; making targeted deletion runreliable..

..it takes back with the other; deleted files will begin to be overwritten very rapidly when new data arrives; whatever the OS thinks about it, data recovery, even using specialist tooling, will struggle to get complete files or metadata from the media if the drive has seen some real use after the data was deleted.

and, most importantly:

$ cat /dev/urandom >> /dev/ssdX

Just needs to be run once to -really- bollox an investigation..

Re:Well... (4, Funny)

The Wild Norseman (1404891) | more than 3 years ago | (#35349608)

What wear levelling gives with one hand (performance and life) at the expense of the OS never knowing in which memory cell the data has -actually- been stored; making targeted deletion runreliable..

Ruh-roh, Raggy! It's runreliable!

Re:Well... (1)

EasyTarget (43516) | more than 3 years ago | (#35349726)

6 seconds of confusion followed by a minute of laughter.. rankyou!

Re:Well... (1)

imagoon (1159473) | more than 3 years ago | (#35349628)

Issue is you will not urandom the spare space. In an example SSD that may have say 50GB of 64GB available, you still have up to 14GB of "something" out there even with the disk urandomed to full. Sure it will mess up the investigation but you really have no idea what 14GB is sitting in there.

Re:Well... (2)

s0litaire (1205168) | more than 3 years ago | (#35349814)

Depends on if it's the SSD controller that is hiding the space.
I really need to get one to test but...
Example:
you've got a 64Gb ssd on SDB it says it's 50Gb partition
If you just run a "dcfldd" command "dcfldd if=/dev/zero of=/dev/sdb" (the whole device not just the partition)
Will it wipe 50Gb or 64Gb?

Re:Well... (1)

TheCyberShadow (1429099) | more than 3 years ago | (#35349512)

As opposed to HDDs, which aside from being comparatively slow, supposedly allow recovering information after it's been overwritten multiple times?

Re:Well... (1)

0123456 (636235) | more than 3 years ago | (#35349604)

As opposed to HDDs, which aside from being comparatively slow, supposedly allow recovering information after it's been overwritten multiple times?

If you're still using a 20MB hard drive from 1993, perhaps.

Given how hard current drives have to work to recover information that _hasn't_ been overwritten, you can be pretty sure that no-one's going to be recovering information which has.

Re:Well... (5, Interesting)

graeme_ssd (2006566) | more than 3 years ago | (#35349720)

Hi, I'm one of the authors of the research (Graeme).

It's a good joke, but with a grain of truth in it. If you're concerned, you can buy the drive we used, flash it to the firmware we used, (optionally) buy a write blocker if you like, and run the programs I placed at the back of the paper and see what happens. We carefully documented as many of the experimental setup parameters as we could so it should be possible to reproduce the results exactly.

Skepticism is a good thing - so I hope you'll reproduce the experiment at home and tell the world afterwards if you still think we're running PsyOps for the forensics community :-)

Graeme. p.s. I'm currently looking for a postdoctoral/research engineer/research scientist position in Grenoble.

Re:Well... (1)

mdielmann (514750) | more than 3 years ago | (#35349734)

So either SSDs are really hard to erase, or really hard to recover. I'm so confused.

All I know is that if SSDs were really hard to erase, and I was in the business of recovering data that other people didn't want recovered, this is exactly the kind of story that I would tell them so that they would continue using SSDs.

Not that I'm paranoid or anything.

Here, have a sig.

Also the end of data recovery (1)

assemblerex (1275164) | more than 3 years ago | (#35349252)

On magnetic storage I can change controller boards, even swap out the
platters in a clean environment into another drive with working heads.
For a few hundred to some thousands, your poor choice of having no backup media
can be resolved.

On SSD I can desolder the chips, dump them and then tell you there's nothing recoverable.
For a few hundred to some thousands, your poor choice of having no backup media
can be resolved.

Hard to Erase AND Hard to Recover (1)

drenehtsral (29789) | more than 3 years ago | (#35349258)

Ultimately since the Flash Translation Layer goes and does things under-the-hood that are not externally visible, it is hard to be sure your data were erased, and it's also hard to be sure they were not erased... Essentially since there is an opaque interface at the logical-block level and the device is internally free to behave as it chooses so long as that interface is maintained, it makes it tricky to guess how the internal implementation will behave.
Plain old magnetic disks used a fairly predictable implementation of that interface so forensics goons got used to having an easy task on their plates.

really hard to erase, or really hard to recover? (5, Funny)

flaming error (1041742) | more than 3 years ago | (#35349280)

Why the confusion, dear editor? This should be well understood.

If you want to recover, you can't. If you want to erase, you can't. It's Murphy's Law of Data Storage.

Re:really hard to erase, or really hard to recover (1)

cdpage (1172729) | more than 3 years ago | (#35349352)

would mod you up one for that.

Huh? (2)

Andrewkov (140579) | more than 3 years ago | (#35349326)

Forgive my ignorance, but how is this possible? Does this mean that the drives understand NTFS and are actually zeroing out data on the drive when the OS simply deletes the entry from the FAT table? How can the SSD second guess what the OS is doing? I thought that SSD's use the same interface as regular HD's and should behave the same.

Re:Huh? (4, Informative)

Pathwalker (103) | more than 3 years ago | (#35349424)

There is an ATA command called "TRIM [wikipedia.org] ". If a device supports it, the OS can tell it that a group of sectors is no longer needed, and should be wiped.

Re:Huh? (1)

Rich0 (548339) | more than 3 years ago | (#35349550)

I would think that the command would also be useful for wear-leveling.

The more space that the device can understand as "free" the more opportunity it has to avoid writing to places that are wearing. If the whole drive is 100% free the best it can do is try to move data back and forth if it notices one spot getting written to more. That wastes writes and time. If it knows that a spot is now free, the drive can take the opportunity to optimize more.

Re:Huh? (0)

Anonymous Coward | more than 3 years ago | (#35349446)

The basic interface is the same; but SSDs also make certain other decisions when deciding where to write, due to wear leveling. The operating system doesn't really care where the data gets written. On a hard drive, it's not important where it's written, but SSDs implement wear leveling - and that means that they actively try to figure out where data is written and which blocks are free so that they can optimize the writing process. This wear leveling often results in an additional communications layer - TRIM. That layer tells the drive which sectors are free, which means that it can get rewritten to just seconds after it was deleted. A mechanical drive receives no such info, and makes no effort to find out (via garbage collection). As such, the behavior is much more predictable - and the data is likely to remain for quite some time.

Re:Huh? (2)

Osgeld (1900440) | more than 3 years ago | (#35349474)

they use the same interface tween the computer and the device but tween that device controller and the actual raw memory is a whole different story

Re:Huh? (0)

Anonymous Coward | more than 3 years ago | (#35349486)

http://en.wikipedia.org/wiki/TRIM

Well, I guess.. (1)

The Fanta Menace (607612) | more than 3 years ago | (#35349330)

...we better ban them, then.

So what's the problem? (2)

maxx_entropy (869755) | more than 3 years ago | (#35349342)

The whole point of the referenced article is that it is somehow a "problem" that data deleted (and intended to be deleted) by the owner of the SSD cannot be later recovered. Why should deleted data be recoverable? Will "police state" now require SSDs to stop this seemingly desirable behavior to ensure evidence be recoverable from an impounded device? I for one applaud the behavior of these new storage devices.

Re:So what's the problem? (4, Insightful)

DrgnDancer (137700) | more than 3 years ago | (#35349694)

Well to be fair, that's only part of the problem. Say you're a stupid criminal. You store all your records of your criminal acts on your computer which happens to have an SSD drive. You've never deleted your records of your criminal acts, but just before the police busted through the door you were deleting some old pictures of your cat, Fluffy. So in order to maintain evidence chain of custody, the police immediately turn off your computer and turn it over to a tech. The tech's first two actions should always be the same. He should plug your drive into a special read only device that will first do an MD5sum or other fingerprint of the whole contents of the drive, and then do a bit for bit copy of the drive.

The idea here is that the police can prove that nothing was done to alter the data present at the time of seizure. Power was removed from the system and the drive was immediately fingerprinted and copied. Assuming the fingerprints match, there should be no question that the copy on which the actual analysis is done is identical to the original drive. The problem is that you were deleting pictures of Fluffy when the Police came in. It's highly likely that as the drive does its self cleaning routine the fingerprint of the data will change. They fingerprint, get a value, but while they're copying the drive self cleans the bits associated with your cat pics. Bam, the copy has a different fingerprint. Now there's reasonable doubt about the usefulness of the evidence you stupidly left unencrypted in your desktop folder.

Now I'm not saying this is a problem, and that they need to modify the design of SSDs. I didn't get the impression that article said that either. What they are saying is "Hey, we need to come up with another way to do this, because what we've been doing will no longer stand up in court."
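Added example, not part of the comment above or of the paper under discussion: a single whole-drive fingerprint only says that two reads differ, while per-block digests show where they differ and whether the live data still verifies. The block size, the sample images and the idea that cleaned blocks read back as zeros are assumptions constructed for this sketch, and SHA-256 stands in for the MD5sum the comment mentions.

```python
import hashlib

BLOCK = 4096  # comparison granularity chosen for this example


def block_digests(image: bytes, block: int = BLOCK) -> list:
    """SHA-256 of every fixed-size block, in order."""
    return [hashlib.sha256(image[i:i + block]).digest()
            for i in range(0, len(image), block)]


def compare_acquisitions(first: bytes, second: bytes, block: int = BLOCK) -> dict:
    """Localise the differences between two reads of the same device."""
    if len(first) != len(second):
        raise ValueError("reads differ in length; cannot compare block by block")
    pairs = zip(block_digests(first, block), block_digests(second, block))
    changed = [i for i, (a, b) in enumerate(pairs) if a != b]
    # A changed block that now reads as all zeros is consistent with the drive
    # having cleaned it (assumption of this sketch); anything else is not.
    zeroed = [i for i in changed if not any(second[i * block:(i + 1) * block])]
    total = -(-len(first) // block)  # ceiling division
    return {
        "whole_match": hashlib.sha256(first).digest() == hashlib.sha256(second).digest(),
        "changed": changed,
        "zeroed_after": zeroed,
        "altered_otherwise": [i for i in changed if i not in zeroed],
        "stable_blocks": total - len(changed),
    }


def make_sample():
    """Constructed images: 8 live blocks, 4 deleted-but-present blocks, 4 empty."""
    live = b"".join(bytes([65 + n]) * BLOCK for n in range(8))      # blocks 0-7
    deleted = b"".join(bytes([200 + n]) * BLOCK for n in range(4))  # blocks 8-11
    first = live + deleted + bytes(4 * BLOCK)                       # blocks 12-15
    second = bytearray(first)
    for i in (9, 10):  # the drive cleans two deleted blocks between the reads
        second[i * BLOCK:(i + 1) * BLOCK] = bytes(BLOCK)
    return first, bytes(second)


if __name__ == "__main__":
    for key, value in compare_acquisitions(*make_sample()).items():
        print(f"{key}: {value}")
```

On the constructed sample the whole-image digests disagree, yet every block holding live data verifies and both changed blocks went to zeros.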

Yo' RTF the PDFs mofos' (0)

Anonymous Coward | more than 3 years ago | (#35349346)

So either SSDs are really hard to erase, or really hard to recover. I'm so confused.

Just RTF studies and I think you'll find the first (the one that concludes current SSD's are not purging their stored data as they should according to standards) is more thought out and thoroughly tested. IOW, I trust the first paper over this latest one.

Works as Intended (0)

Anonymous Coward | more than 3 years ago | (#35349360)

So the bad news is that an exploit of an accidental side effect of an existing technology is not always possible to duplicate in newer technologies. I guess that means the digital forensics folks will have a harder job doing things with disk drives that they were never intended to do. I don't see the "problem."

The real problem, as I see it, will come when the digital forensics groups push back on disk manufacturers to change their purging routines in order to improve data retrieval (possibly at the cost of performance). You know, to keep the accidental exploit backwards-compatible.

SSD's are impossible to recover (1)

teh augmenter (2006562) | more than 3 years ago | (#35349362)

Quote: "So either SSDs are really hard to erase, or really hard to recover. I'm so confused."

I work in a professional environment where we attempted to recover data from a crashed SSD. Nothing can be recovered. Consider the way an SSD works. They are extremely expensive because each one contains a memory bank like RAM and a processor to handle reading and writing. If an operating system has "TRIM" enabled (or implemented to work like in Windows 7) then it will delete when a user deletes a file. It writes over the blocks with blank space. This ensures that writing speed does not slow down during the use of the device. So anything deleted on a drive like that is really DELETED and cannot be recovered. -- Little google goes a long way ;)

Re:SSD's are impossible to recover (0)

Anonymous Coward | more than 3 years ago | (#35349600)

Yeah, a little googling goes a long way...

http://www.theregister.co.uk/2011/02/21/flash_drive_erasing_peril/

The difficulty of reliably wiping SSDs stems from their radically different internal design. Traditional ATA and SCSI hard drives employ magnetizing materials to write contents to a physical location that's known as the LBA, or logical block address. SSDs, by contrast, use computer chips to store data digitally and employ an FTL, or flash translation layer, to manage the contents. When data is modified, the FTL frequently writes new files to a different location and updates its map to reflect the change.

In the process left-over data from the old file, which the authors refer to as digital remnants, remain.

“These differences between hard drives and SSDs potentially lead to a dangerous disconnect between user expectations and the drive's actual behavior,” the scientists, from the University of California at San Diego, wrote in a 13-page paper. “An SSD's owner might apply a hard drive-centric sanitization technique under the misguided belief that it will render the data essentially irrecoverable. In truth, data may remain on the drive and require only moderate sophistication to extract."

...

Whole-disk wiping techniques fared only slightly better with SSD media. In the most extreme case, one unnamed SSD model still stored 1 percent of its 1 GB of data even after 20 sequential overwrite passes on the entire device. Other drives were able to securely purge their contents after two passes, but most of them required from 58 hours to 121 hours for a single pass, making the technique unviable in most settings.

Both hard and easy are true (5, Informative)

RichMan (8097) | more than 3 years ago | (#35349370)

The drives have internal overprovisioning and perform internal garbage collection. This means that marked for deletion data has an unknown lifetime and may disappear at any point without interaction from a controller.

The hard to erase bit means that you really can't be sure something is totally erased without a full specific erase command to all flash blocks. Without that a page marked unused but not erased may be nestled in with a bunch of valid pages. As all pages in a block are erased together that marked unused page can hang around for a while.

On the other side, the firmware does garbage collection: it actively looks for blocks with many erased pages and then tries to consolidate things so it can create more free blocks. This means if the drive is powered but not connected to a host machine it can still be doing data moves for consolidation and erasing marked for deletion pages.

There are thresholds for the garbage collection so it won't overwork and try for 100% consolidation. Thus you get both the presence of some really sticky stale marked unused pages and some active erasing of others.
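Added example, not part of the comment above and not any vendor's firmware: a toy flash translation layer showing how a per-block garbage-collection threshold produces both outcomes at once. The geometry (4 blocks of 4 pages), the `min_stale` threshold and the payload names are constructed for illustration.

```python
FREE, VALID, STALE = "free", "valid", "stale"

class ToyFTL:
    def __init__(self, blocks=4, pages=4, min_stale=3):
        self.pages, self.min_stale = pages, min_stale  # min_stale: GC threshold per block
        self.state = [[FREE] * pages for _ in range(blocks)]
        self.data = [[None] * pages for _ in range(blocks)]
        self.map = {}    # LBA -> (block, page): the only view the host gets
        self.owner = {}  # (block, page) -> LBA, used when relocating valid pages

    def _program(self, lba, payload, avoid=None):
        for b, blk in enumerate(self.state):
            if b == avoid:
                continue
            for p, s in enumerate(blk):
                if s == FREE:
                    blk[p], self.data[b][p] = VALID, payload
                    self.map[lba], self.owner[(b, p)] = (b, p), lba
                    return
        raise RuntimeError("no erased page left")

    def _invalidate(self, lba):
        loc = self.map.pop(lba, None)
        if loc is not None:
            self.state[loc[0]][loc[1]] = STALE  # data stays in the cell until block erase
            del self.owner[loc]

    def write(self, lba, payload):
        self._invalidate(lba)  # flash cannot overwrite in place
        self._program(lba, payload)

    def trim(self, lba):
        self._invalidate(lba)  # host says "no longer needed"; nothing is erased yet

    def read(self, lba):
        loc = self.map.get(lba)
        return self.data[loc[0]][loc[1]] if loc else None

    def idle_gc(self):
        """Background pass that needs power but no host command; returns erased blocks."""
        erased = []
        for b in range(len(self.state)):
            if self.state[b].count(STALE) < self.min_stale:
                continue  # below threshold: its stale pages linger
            for p in range(self.pages):
                if self.state[b][p] == VALID:  # move live data out first
                    self._program(self.owner.pop((b, p)), self.data[b][p], avoid=b)
            self.state[b] = [FREE] * self.pages  # erase works on whole blocks only
            self.data[b] = [None] * self.pages
            erased.append(b)
        return erased

    def residue(self):
        """Payloads the host can no longer address but that still sit in flash cells."""
        return sorted(d for st, da in zip(self.state, self.data)
                      for s, d in zip(st, da) if s == STALE)

def scenario():
    ftl = ToyFTL()
    for lba in range(4):
        ftl.write(lba, f"cat{lba}")  # lands in block 0
    for lba in range(4, 8):
        ftl.write(lba, f"doc{lba}")  # lands in block 1
    for lba in (0, 1, 2, 4):
        ftl.trim(lba)                # host deletes three cat pages and one doc page
    before = ftl.residue()
    erased = ftl.idle_gc()
    return before, erased, ftl.residue(), ftl

if __name__ == "__main__":
    print(scenario()[:3])
```

In the scenario, the three deleted pages in block 0 vanish during the idle pass with no host involvement, while the single deleted page in block 1 stays in flash because that block is below the threshold.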

Not necessarily a bad thing.... (2)

macraig (621737) | more than 3 years ago | (#35349380)

I'm on the fence about this, and it's possible neither pasture is green. On the one hand, I might be the victim of a genuine crime, evidence of which happens to be hiding in an SSD drive. On the other hand, these techniques are just as routinely abused now to go after people for political noncriminal reasons that don't serve the Common Good at all, people and organizations like Julian Assange, Wikileaks, Bradley Manning, the U.S. Chamber of Commerce opponents... you name it.

These techniques are like nuclear physics: just as easily applied for Bad Things as Good. If we can't selectively prevent the abuses, maybe we should err on the side of caution and ban the techniques altogether. They aren't being universally applied to serve justice.

Elementary my dear Watson (2)

joeyblades (785896) | more than 3 years ago | (#35349386)

I thought that this was particularly telling. In the article it said:

... the state of the drive cannot be taken to indicate that its owner did or did not interact with it in ways that allow prosecutors to infer guilt or innocence. The fact that data has been purged does not mean a human knowingly did it (e.g. accidental guilt)...

So in other words, until SSDs came along, evidence of purged data was evidence of guilt... at least in Australia.

Re:Elementary my dear Watson (2)

royallthefourth (1564389) | more than 3 years ago | (#35349428)

Destroying evidence is a crime in the US, too.

Re:Elementary my dear Watson (1)

H0p313ss (811249) | more than 3 years ago | (#35349534)

Destroying evidence is a crime in the US, too.

Yes, but destroying data is not. The point is that evidence that something was destroyed is not itself evidence of crime.

This is not new... (1)

bradley13 (1118935) | more than 3 years ago | (#35349710)

I don't now remember what the case was, but: a few months ago I read about a guy who was charged with some crime or other. They were unable to convict him of whatever it was, but they did convict him of obstruction of justice. Why? Because the computer forensics expert stated that he had deliberately deleted some files and then run a defrag.

The way the world works (1)

Anonymous Coward | more than 3 years ago | (#35349400)

"So either SSDs are really hard to erase, or really hard to recover. I'm so confused"

It's easy - if you need it back, it will be hard to recover. If you desperately depend on nobody ever seeing it, it will be hard to erase. I'm pretty sure this is a consequence of the Uncertainty Principle, but I have not yet completed my paper proving it.

This is bad news (1)

bogaboga (793279) | more than 3 years ago | (#35349438)

"Firmware built into many solid state drives (SSDs) to improve their storage efficiency could be making forensic analysis at a later date by police forces and intelligence agencies almost impossible to carry out to legally safe standards, Australian researchers have discovered..."

So expect some government intervention on matters concerning which firmware should be built into the devices we use.

I cannot see any government worth its credibility endorse a product which if employed in crime and confiscated (by police), it is almost impossible to use it to prosecute the perpetrators by government agencies and the FBI in the case of these United States.

You might wonder how a government might endorse a product:

By allowing its importation or production and subsequent collection of taxes from transactions related to the product.

Guantanamo bay for SSDs? (1)

cultiv8 (1660093) | more than 3 years ago | (#35349458)

could be making forensic analysis at a later date by police forces and intelligence agencies almost impossible to carry out to legally safe standards

So then they're sending SSDs out of the country for hard-core, waterboarding-style data extraction?

Wasn't this... (5, Interesting)

MrNemesis (587188) | more than 3 years ago | (#35349490)

...a foregone conclusion ever since ATA Secure Erase and TRIM were introduced?

Secure Erase basically tells the SSD that all of its cells are now blank (AFAIK implementations actually zero the drive as well but I'm happy to be corrected on that); therefore as soon as anything is written to the disc, it will be written here, there and everywhere. It took about 30s to run on my first vertex and I couldn't find any trace of

TRIM support in the ATA spec, along with kernel/filesystem support, tells the disc that when file A is deleted, cells X, Y, and ABQ are now officially "empty" and that if the controller feels like it, it can zero them out, shunt other data in there, or have a mardi gras for all it cares. The same happens when a drive is formatted; OS tells drive controller "I've just formatted you" and for the sake of preserving performance the controller goes "Brilliant! I can chuck out all this shit I've been saddled with."

As soon as hard drives start intelligently erasing/shuffling bits of themselves about so that cells are utilised to their utmost efficiency this was bound to happen. Unlike spinning platters where bad blocks were reallocated only if a) the hard disc knew about it and b) the data could actually be read/recovered, it becomes terribly obvious that data on SSD's is going to be read and written and deleted completely and utterly all over the place, without sequential series of sectors found in slackspace like you would on a magnetic drive.

Magnetic drives have no performance penalties for not actually erasing the data, so if you work your way around that double negative you'll see that one of the staples of digital forensics (e.g. recovering files from slack) is a by-product of people trying to make magnetic platters as fast as possible by not actually erasing stuff, because as long as the controller knows that sector is blank then it'll just be overwritten as needed. Technology has now changed sufficiently that the performance gains from new solid state tech are helped by a drive controller that erases stuff as soon as possible, since writing over an occupied cell is slower than writing over a blank one.

I'm sure there'll be new methods to mitigate the change in tech, we're just somewhat on the cusp of a completely new tech. They'll probably come to an agreement that TRIM doesn't actually delete stuff until the amount of free space in the cells reaches a certain threshold or something like that.

Disclaimer: I'm not a digital forensic scientist, but am friends with one and we discussed this problem over some exquisite cocktails a few months back. And I don't think TRIM instructions follow the exact specifications I laid out above (e.g. using Brilliant! as an ACK).

Re:Wasn't this... (1)

ledow (319597) | more than 3 years ago | (#35349584)

To be honest, most data recovery from a hard drive is foiled by a simple zero anyway. All this "must wipe several times with certain patterns" thing is cobblers. Yes, if I was the military, I'd be doing it too, just to make sure, but no-one has yet provided convincing proof that "magnetic history" from drives can actually be recovered in anywhere near a cost-effective or reliable way.

Digital forensics consists of taking an image of the drive and seeing what you can get from that. Any half-decent implementation that encrypts, zeroes and deletes things properly is going to foil any digital forensics.

SSD's make it harder but digital forensics recovering useful data is next-to-impossible for the storage devices of anyone that actually *KNOWS* about PC's and wants to keep that info secret.

Double talk (1)

DigiTechGuy (1747636) | more than 3 years ago | (#35349544)

It was the other way around last week, no? If you really care about privacy you encrypt your personal data, so irrelevant for most folks here.

Not sure what's confusing... (1)

malzfreund (1729864) | more than 3 years ago | (#35349582)

(1.) It may be hard to securely erase an SSD. Due to things such as wear leveling, the relationship between sector addresses and physical flash cells isn't transparent to the OS. And ATA Secure Erase isn't implemented or isn't implemented correctly on all SSDs. (2.) SSDs are hard to recover. That's because they may start erasing some blocks containing data (and not just the entry in the file allocation table) shortly after you delete a file in the file system. Again, this happens due to things such as wear leveling and isn't transparent to the OS. Contrast this to a hard drive where, following a file delete, only the entry in the allocation table is deleted but no actual data. I don't see anything contradictory or confusing here

Right to easily spy on you? (2)

Ossifer (703813) | more than 3 years ago | (#35349588)

Why does the government have this expectation that technology should be built in order to make it easy to spy on citizens?

Re:Right to easily spy on you? (-1)

Anonymous Coward | more than 3 years ago | (#35349672)

Because they are pro-women's rights scum and for women to have rights men must be tightly leashed. Without government policing girls are married very young, men own girls and are their masters (ba'al in hebrew), wives have no status (word wife doesn't even exist in hebrew: there is just woman or his woman or woman with a master), men can rape girls and just marry them etc. If the government wasn't policing men, the biblical laws which oppress women and girls might rule. The government scum are pro-feminist pro-women's rights. They represent the majority of people (women, children, some men) and oppose the minority (evil men).

Should not matter (1)

fluch (126140) | more than 3 years ago | (#35349740)

In case the harddrive is full disc encrypted it all should not matter...

Go figure. (0)

Anonymous Coward | more than 3 years ago | (#35349804)

dd if=/dev/sdx of=/dev/random :P

(Please don't copy and try to run this....you might regret it.)
