Self-erasing flash drives destroy court evidence

The inner workings of solid state storage devices are so fundamentally different from traditional hard drives that forensic investigators can no longer rely on current preservation techniques when admitting evidence stored on them in court cases, Australian scientists said in a research paper. Data stored on Flash drives is …

COMMENTS

This topic is closed for new posts.


    1. Toastan Buttar
      Thumb Up

      Encrypted drive

      If you use a drive encrypted with a sizeable key at the hardware level, all you have to do is erase the key to make the entire drive contents instantly unrecoverable.

  1. Anonymous Coward
    WTF?

    Hang on a minute..

    Are we saying

    "Wasn't me your Honour - That flash SSD must have made up all that kiddy porn all by itself!"

    Or is it more a case of

    "Plod must've planted it there and they can't prove they didn't"

  2. Herby

    Data Recovery?

    Has anyone with a "reasonable" budget (like a law enforcement agency, NOT NSA) EVER recovered data from a disk drive overwritten with zeros? I think that there is a challenge on some web site for this. Extrapolate this to SSDs and the story continues.

    Yes, just "marking for deletion" as most of us do doesn't do much, regardless of which media we use. Flotsam and Jetsam of the digital variety.

  3. Anonymous Coward
    Thumb Down

    Easily solved

    Just change the law so they don't need to prove that the evidence hasn't been tampered with. Instead, just rely on the word of the investigating officer.

    It should only take one case of a child molester to provide an argument to get that change through. I expect the police are on the lookout for the right case already...

    1. Danny 14
      Thumb Down

      hah

      I take it you have never been to a magistrate court then? This already happens. The word of an officer of the law is (most of the time) unshakable.

    2. hplasm
      WTF?

      Why not go the whole hog?

      Get rid of the court system altogether.

      Have you a warehouse full of torches and pitchforks to shift?

      Udder.

  4. Doug Glass
    Go

    Dan Brown ...

    ... would be proud of the digital cryptex.

  5. MidnightVoice

    SSDs for the hard of thinking

    If I delete a file on a hard disc, in the ordinary course of using it with Windows, say, the file system just sets a bit in the header to say the space can be reused, but the file is still there - that's how 'undelete' programs work - unless and until something comes along and reuses the space for a new file.

    On an SSD, though, the space may get reused by the drive for its own purposes, without me necessarily writing a new file at all.

    It's not *very* different, though, is it? The same rules apply to deleted files that *are* still present, as to whether they can be ascribed to the supposed user, or some other person who may have had access to the drive, but the presumption is that deleted pron belonged to someone, and wasn't written by the drive itself. Unless, of course, SSDs are able to provide a modern take on the 'monkeys writing Shakespeare', and generate coherent data and/or images at random....

    But of the deleted files that *aren't* present, or not wholly present, there will only be the possibly minuscule differences caused by the SSD carrying out housekeeping, when reconnected, that it couldn't carry out earlier.

    It will hardly be the 'death of forensics' forecast above; what an SSD does in firmware when connected is (or should be) detectably different from any 'tampering' that might follow...

  6. Patrick R

    Ain't big data already gone anyway?

    Part of the problem - that I don't see discussed here - is that each time the "suspect" powers the machine off/on, all previously deleted files are sort of sanitized; it's not just a problem of the researcher powering it on an nth time. What percent of the evidence can be left at that time, who knows?

  7. Anonymous Coward
    Unhappy

    Who needs new tech to mess up technical evidence gathering

    the police and CPS are quite capable of doing it themselves

    e.g. www.theregister.co.uk/2011/01/06/evidence_lost

  8. RogW

    It's only a particular Samsung controller and only for NTFS

    Flash drives take time to erase data. Some Samsung SSD controllers understand the basics of the NTFS filesystem, and will pre-delete unused sectors, so that the performance for writing new data is improved.

    So if you want your data really deleted, you need an SSD with one of these Samsung controllers, and you need to use NTFS.

    If you want to investigate the deleted files like you would on a HDD (at the interface level) you change the file system ID byte in the partition table (or whatever the Samsung controller triggers off of). You can document exactly what you've done and why. From that point on it's the same.

    As mentioned by someone else, the controller chip (not the RAMs) will probably have a JTAG port, so powering up the device with a JTAG debugger connected to the JTAG port would allow you to stop the garbage collection at startup. As it's only a range of Samsung devices at the moment, this would be quite simple. As would writing a JTAG debug script to read the entire flash array, including the remapping tables.
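
Added example, not part of RogW's comment or the article: a Python sketch that locates the file system ID (partition type) byte in an MBR partition table and produces the kind of record the comment means by "document exactly what you've done and why". The sample sector is constructed, the replacement type value 0xDA is an assumption, and the code works on an in-memory copy of the sector rather than a device.

```python
import hashlib
import struct

SECTOR = 512
TABLE_OFFSET = 446        # four 16-byte partition entries start here
TYPE_NTFS = 0x07          # MBR type byte used for NTFS (also exFAT/HPFS)
TYPE_NON_FS = 0xDA        # "Non-FS data" in fdisk's list; this choice is an assumption
ENTRY = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count

def build_sample_mbr():
    """Constructed sample: an MBR sector with one NTFS-typed partition."""
    mbr = bytearray(SECTOR)
    struct.pack_into(ENTRY, mbr, TABLE_OFFSET, 0x80, b"\x20\x21\x00",
                     TYPE_NTFS, b"\xfe\xff\xff", 2048, 1_000_000)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

def parse_partitions(mbr):
    """Return the non-empty primary partition entries of an MBR sector."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a 512-byte MBR sector with 0x55AA signature")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        _, _, ptype, _, lba, count = struct.unpack_from(ENTRY, mbr, off)
        if ptype:
            parts.append({"index": i, "type": ptype, "type_offset": off + 4,
                          "lba_start": lba, "sectors": count})
    return parts

def retag(mbr, index, new_type):
    """Change one entry's type byte on a copy; return (new_mbr, audit_record)."""
    part = next(p for p in parse_partitions(mbr) if p["index"] == index)
    out = bytearray(mbr)
    out[part["type_offset"]] = new_type
    record = {
        "offset": part["type_offset"],
        "old_type": part["type"],
        "new_type": new_type,
        "bytes_changed": sum(a != b for a, b in zip(mbr, out)),
        "sha256_before": hashlib.sha256(mbr).hexdigest(),
        "sha256_after": hashlib.sha256(out).hexdigest(),
    }
    return bytes(out), record

if __name__ == "__main__":
    new_mbr, rec = retag(build_sample_mbr(), 0, TYPE_NON_FS)
    for key, value in rec.items():
        print(f"{key}: {value}")
```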
