Self-erasing flash drives destroy court evidence

Discussion in 'Technical' started by melbo, Nov 19, 2011.

  1. melbo

    melbo Hunter Gatherer Administrator Founding Member

    'Golden age' of forensics coming to close

    The inner workings of solid state storage devices are so fundamentally different from traditional hard drives that forensic investigators can no longer rely on current preservation techniques when admitting evidence stored on them in court cases, Australian scientists said in a research paper.

    By Dan Goodin in San Francisco

    Posted in ID, 1st March 2011 21:41 GMT


    Data stored on Flash drives is often subject to a process the scientists called “self-corrosion,” in which evidence is permanently erased or contaminated in ways that bits stored on magnetic-based hard drives are not. The alterations happen in the absence of any instructions from the user. The findings introduce a “grey area” into the integrity of files that are forensically extracted from the devices and threaten to end a “golden age” of digital evidence gathering offered by older storage types.

    “Given the pace of development in SSD memory and controller technology, and the increasingly proliferation [sic] of manufacturers, drives, and firmware versions, it will probably never be possible to remove or narrow this new grey area within the forensic and legal domain,” the scientists, from Australia's Murdoch University, wrote. “It seems possible that the golden age for forensic recovery and analysis of deleted data and deleted metadata may now be ending.”

    For decades, investigators have worked with tape, floppy drives and hard drives that continue to store huge amounts of information even when the files they're contained in are marked for deletion. Even wiping the disks isn't always enough to permanently erase the contents. SSDs, by contrast, store data in blocks or pages of NAND-based transistor chips that must be electronically erased before they can be reused.

    As a result, most SSDs have firmware that automatically carries out “self healing” or “garbage collection” procedures that can permanently erase or alter files that have been marked for deletion. The process often begins as soon as three minutes after the drive is powered on and happens with no warning. The user need not initiate any commands, and the drive emits no lights or makes any sounds to indicate the purging is taking place.

    What's more, the use of so-called write blockers and other techniques designed to isolate a drive during forensic imaging offered no protection. That's because the garbage collection is initiated by the SSD firmware that's independent from commands issued by the computer it's attached to.

    “If garbage collection were to take place before or during forensic extraction of the drive image, it would result in irreversible deletion of potentially large amounts of valuable data that would ordinarily be gathered as evidence during the forensic process – we call this 'corrosion of evidence,'” the scientists wrote.

    The findings have serious consequences for criminal and civil court cases that rely on digital evidence. If the disk from which the data comes appears to have been tampered with after it was seized, an opposing party frequently has grounds for having the evidence thrown out of court. The paper comes as a growing number of computer makers integrate SSDs into the machines they sell. The drives have many benefits over their magnetic brethren, including speed, lower power consumption and durability.

    At first blush, the results appear to conflict with those of a recent paper that found data fragments stored on flash drives can be virtually indestructible [1]. It may be the case that what both research teams are saying is that data stored on the newfangled devices can't be reliably deleted or preserved the way it can on magnetic media.

    Researchers Graeme B. Bell and Richard Boddington, of Murdoch University's School of IT, arrived at their findings by comparing the way data is preserved on a 64GB Corsair P64 SSD versus an 80GB Hitachi Deskstar hard drive. A PDF of their paper, which previously was published in December in The Journal of Digital Forensics, Security and Law, is here [2]. ®
    Self-erasing flash drives destroy court evidence • The Register

    Flash drives dangerously hard to purge of sensitive data • The Register

    Original article:
    Mike and stg58 like this.
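The article's claim that firmware garbage collection can alter a drive between or during acquisitions can be measured by imaging the same device twice and comparing the images chunk by chunk. This is an added example, not code from the article or the Murdoch University paper; the chunk size, function names and sample data are assumptions constructed for illustration.

```python
import hashlib
import io

CHUNK = 4096  # comparison granularity in bytes (assumption, not a drive parameter)

def compare_acquisitions(first, second, chunk_size=CHUNK):
    """Compare two images of the same device taken at different times.

    Reports which chunks differ and which went from holding data to all
    zeroes, the pattern expected when the drive purges deleted blocks.
    """
    whole_a, whole_b = hashlib.sha256(), hashlib.sha256()
    changed, newly_zeroed, index, size_mismatch = [], [], 0, False
    while True:
        a, b = first.read(chunk_size), second.read(chunk_size)
        if not a and not b:
            break
        whole_a.update(a)
        whole_b.update(b)
        if len(a) != len(b):
            size_mismatch = True  # truncated image, not evidence of purging
        if a != b:
            changed.append(index)
            if any(a) and b and not any(b):  # had data before, zero-filled now
                newly_zeroed.append(index)
        index += 1
    return {
        "chunks": index,
        "changed": changed,
        "newly_zeroed": newly_zeroed,
        "size_mismatch": size_mismatch,
        "sha256_first": whole_a.hexdigest(),
        "sha256_second": whole_b.hexdigest(),
        "match": whole_a.digest() == whole_b.digest(),
    }

def sample_images():
    """Constructed data: 8 chunks; chunks 2, 3 and 5 hold 'deleted' remnants."""
    live, stale, zero = b"LIVE" * (CHUNK // 4), b"DEL!" * (CHUNK // 4), bytes(CHUNK)
    before = [live, live, stale, stale, live, stale, zero, zero]
    after = [live, live, zero, zero, live, stale, zero, zero]  # 2 and 3 purged
    return io.BytesIO(b"".join(before)), io.BytesIO(b"".join(after))

if __name__ == "__main__":
    report = compare_acquisitions(*sample_images())
    print("whole-image hashes match:", report["match"])
    print("changed chunks:", report["changed"])
    print("newly zeroed chunks:", report["newly_zeroed"])
```

On real evidence the two inputs would be image files opened in binary mode; a non-empty `newly_zeroed` list with `match` false documents that the device changed on its own between acquisitions.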
  2. melbo

    melbo Hunter Gatherer Administrator Founding Member

    stg58 likes this.
  3. beast

    beast backwoodsman

    hmm, i haven't seen one of those drives but i like em
    Mike and dragonfly like this.
  4. BTPost

    BTPost Stumpy Old Fart,Deadman Walking, Snow Monkey Moderator

    Just a NOTE, here.... In the OSX Mac Operating System, there is what is called "SECURE Erase" where the data in the erased file, is overwritten three times, with alternate 1s, and 0s, and then the File Headers are erased. Standard Erase is also available, in the same Menu, where just the file Headers in the Directory are erased. Now it is true that Electron Microscopic Evaluation "MAY" be able to recover the Data, but that is VERY expensive and time consuming for any but the most sensitive data recovery. There is no reason that a Windows or other OS couldn't have the equivalent of a file NUKE routine.
    Mike likes this.
  5. beast

    beast backwoodsman

    if there is time to do so, i can totally wipe a drive
    it just takes a little subroutine to overwrite deleted files
    several times with gibberish
    but as i said, it takes time
  6. CATO

    CATO Monkey+++

    Mike likes this.
  7. melbo

    melbo Hunter Gatherer Administrator Founding Member

    I think that the gist of the article is that SSD behaves in a different manner than magnetic platters. You cannot get to all the data you would normally destroy by any of the methods mentioned above but because of the nature of the decay in these 'garbage collection' sectors, it's not necessary. I did not know this but am moving to SSDs for a home project and started researching the methods for their ultimate destruction or sterilization.

    BT, Linux erases the same way as OSX, writes 000000 over the file.

    When I used Windows, I used a combination of Heidi Eraser, (35 pass Gutmann), index.dat suite and CCleaner. You can add Eraser to the 'right click' recycle bin.

    Before I give HDDs away, I let them bake all night under (DBAN) Darik's Boot and Nuke CD which runs a 35 pass Gutmann on every sector in every known crypto random sequence. 120 GB will take about 24 hours so it's only useful if you have the time and want to sterilize before gifting your old HDD.

    There lies a pond in the State of Franklin that is the final resting place for a collection of 12 years worth of obsolete Hard Drives. Pried open, platters sanded with a belt sander, holes drilled through the platters and guts, smashed with hammers, circuits melted with a blow torch and finally cast into the pond.
    Mike, STANGF150, Sapper John and 3 others like this.
  8. VisuTrac

    VisuTrac Ваша мать носит военные ботинки Site Supporter+++

    when the Old Man from the North pole arrives this year. He is going to be packing a nice new flash drive for me.

    Hardware Encrypted Drives - Products

    BTW we use the 256bit SSD's at work.
    Mike likes this.
  9. beast

    beast backwoodsman

    removing the platters and setting them on old speaker magnets does wonders too
    Mike likes this.
  10. Redneck Rebel

    Redneck Rebel Monkey++

    I just use an IronKey and a routinely updated backup IronKey to store anything that I feel needs protecting. If they can access the data stored on there they've earned it IMO.
    Mike likes this.
  11. goinpostal

    goinpostal Monkey+++

    Hit the $#!t with a hammer and stick it in either a food processor, blender, or a good cross cut shredder.
    My Son mounted one (a food processor) in a waste basket with the shredder mounted on top. It will turn a disk, or credit card literally into powder in about a minute and a half.
  12. NVBeav

    NVBeav Monkey+++

    With these interesting properties of SSDs, I've heard they're more prone to failure than standard HDDs... Can't back up the statement - just heard from someone who's been around them.
  13. VisuTrac

    VisuTrac Ваша мать носит военные ботинки Site Supporter+++

    I can speak from experience, I've had more SSD failures than HDD failures. But that is from the method I use them. I deal with huge quantities of data 200 GB at a time.

    SSDs shine when you write to them and they are read multiple times. Like an archive or website that does not change frequently. Very fast read times.

    I've killed 3 SSDs and 1 HDD performing the same huge data conversion tasks over the past 3 years.

    Plus, you can get larger HDD than SSDs at a more reasonable price point. Ok well, maybe not since the flooding in Thailand..

  14. Seawolf1090

    Seawolf1090 Retired Curmudgeonly IT Monkey Founding Member

    A most interesting aspect of this is the legal angle - even if incriminating evidence IS readable, if the device is shown to have been in ANY way altered AFTER it was taken in as evidence, then ALL data on the device can be challenged and nullified in court.

    Of course, complete BURNING is always a sure bet....... ;)
  15. DKR

    DKR Raconteur of the first stripe

    LOL, burn indeed

    I worked in a DIA unit for a few years while active, disks were removed,
    sanded, broken into pieces, put in a can with diesel and a bit of gas to the diesel burning and torched.

    They had to burn for at least 10 min to reach the Curie point. Then and only then could they be tossed.

    The real devious load Linux via a USB thumb drive, cruise the net and when done, then shut off the PC - leaving no footprints....
  16. onegeorgian

    onegeorgian Monkey++

    I just smash them with a hammer until the platters are bent or crushed. It would be pretty tough to get them spinning again.
  17. strunk

    strunk Monkey+

    SSD's are a relatively new technology. Developments are happening all the time that make them faster, bigger, cheaper, and more reliable. This year's models are better on all counts than last year's models, by and large.

    You still need to keep backups of your data. And as (relatively) cheap as these things are, it's still smart to mirror a pair of disks so your computer keeps running even if a drive dies.

    Plan on replacing them from time to time, just like any disk drive.
  18. strunk

    strunk Monkey+

    If the data you're storing is really damning stuff that a determined party would really want to have a look at, it doesn't matter much that the disks won't spin.

    DBAN is a bootable disk wiper that the DoD is content with. That would be a good place to start.

    Then there's always fire...
  19. T.R

    T.R Monkey+

    Yeah, that happened to me. I had an 8 gig flash drive and it malfunctioned one day making all my files unretrievable.
  20. BTPost

    BTPost Stumpy Old Fart,Deadman Walking, Snow Monkey Moderator

    The POINT here is, If they (Letters Outfits) really want the data it can be recove, anymore, by using Scanning Electron Microscopy Technology, unless they can get their hands on the material, in the First Place. With these Silicon base Memory Units, that technology is NOT effective and other methods need to be used. These other methods can NOT undo the erasures done internally, to the Memory Cells, and they (Letters Outfits) have no Backdoors into the firmware that drives this type of system, at the moment. ..... YMMV...