Why forensics investigators must handle solid-state drives with care


Do your homework before performing forensics research on a budget-priced solid-state drive—or before trusting such drives to erase your data.

That’s the message from Tom Kopchak, a disk encryption expert at Hurricane Labs, which is a managed security provider in Independence, Ohio.

Kopchak said he’s done extensive research on the forensic differences between traditional hard-disk drives and modern SSDs. His work is applicable to law enforcement, electronic discovery (the software process used by attorneys to gather digital evidence), and anyone who wants to make sure their “delete” button does what it says.

Kopchak plans to present his full research, 101 Sentient Storage — Do SSDs have a mind of their own?, on Aug. 5, 2016 at the Defcon 24 conference in Las Vegas. “The goal of this study was to demonstrate and quantify differences across a sample pool of drives in an array of tests conducted in a controlled environment. These tests explored the variations between drive firmware, controllers, interfaces, operating systems, and TRIM state,” he wrote in the session description. “This presentation will demonstrate these differences and provide a framework to allow forensics investigators to determine the likelihood of successful deleted file recovery from an evidence bearing solid state drive.”

Asked to further explain his work, Kopchak told TechRepublic he’s long had an interest in this subject but could not find enough existing research. Although it’s only partially related to his work at Hurricane Labs, “This is more of something I’ve been interested in, and it’s one of those areas which kind of lack information that I’ve been able to find,” he said. “It seems there’s one [paper] every year, year-and-a-half, or two that comes out for this sort of thing.

“There are a pair of incorrect assumptions which are prevalent. First, law enforcement and forensic technicians too often assume that tools made for HDDs will work exactly the same on SSDs. Second, even when people do understand that SSDs behave differently from HDDs, they still assume that all SSDs work the same.”

Kopchak also found in his research that pricier, more mature SSDs delete files and leave fewer traces behind than budget models. This is an important consideration for anyone purchasing enterprise drives, he said.

“When you look at something used in an enterprise SAN array for example, fundamentally they’ll operate similarly [to hard drives],” he continued. “The work that I did just cracks the surface. It draws attention to investigators needing to be aware of these differences.”

As such, black-hat hackers and anyone who is concerned about privacy should probably use a high-end SSD, not a budget model or a traditional hard disk, Kopchak said. The fewer digital trails your computer leaves behind, the harder it is for investigators to recreate your data.
