SSD firmware destroys digital evidence, researchers find

Forensic analysis of drives by investigators now uncertain

A technology built into many new solid state drives (SSDs) to improve their storage efficiency could inadvertently be making forensic analysis at a later date by police forces and intelligence agencies almost impossible to carry out to legally safe standards, researchers have discovered.

The detailed findings contained in Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Discovery? by Graeme B. Bell and Richard Boddington of Murdoch University in Perth, Australia, will make unsettling reading for professionals in the digital forensics field and beyond.

After conducting a series of experiments comparing a sample Corsair 64GB SSD with a conventional Hitachi 80GB magnetic hard drive (HDD), the team found a layer cake of data recovery problems caused by the 'garbage collection' or purging algorithms used in SSDs to keep them at peak performance.

After examining an SSD for traces of data after it had been quick formatted, the team expected the purging routines to kick in around 30-60 minutes later, a process that must happen on SSDs before new data can be written to those blocks. To their surprise, this happened in only three minutes, after which only 1,064 out of 316,666 evidence files were recoverable from the drive.

Going a stage further, they removed the drive from the PC and connected a 'write blocker', a piece of hardware designed to isolate the drive and stop any purging of its contents. Incredibly, after leaving this attached for only 20 minutes, almost 19 per cent of its files had been wiped for good, a process the researchers put down to the ability of SSDs to initiate certain routines independent of a computer.

For comparison, on the equivalent hard drive all data was recoverable, regardless of the time elapsed, as a forensic examiner would expect.

"Even in the absence of computer instructions, a modern solid-state storage device can permanently destroy evidence to a quite remarkable degree, during a short space of time, in a manner that a magnetic hard drive would not," the team concludes.

The results are concerning on a number of levels, forensic, legal and technical.

Current digital forensic practice rests on assumptions about the ability of experts to isolate and snapshot drives accurately in order to back up possible criminal investigations. This is now looking to be far more difficult for SSDs than it has been for HDDs using current technologies.

Even more startling is that basic drive isolation 'write blockers' are not guaranteed to perform to high standards against SSDs, the first time this technology has ever been experimentally undermined. The firmware built into many and possibly all of these drives allows them to destroy data simply by being powered on, even when not connected to a PC or under the apparent control of an operating system.

"If the drive is purging data far faster than the analyst can extract it, and the process of purging can begin and continue while the analyst is extracting the data, how can the analyst hope to capture a complete, frozen image of the disk that is representative of the disk state at capture time?" the researchers write.
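One way an examiner can test whether a drive stayed frozen between two acquisitions, as an added example that is not from the article or the researchers' paper: hash both raw images chunk by chunk and report which chunks changed. The 4 KiB chunk size, the function names and the reading of a newly all-zero chunk as purged data are assumptions, and the sample images are constructed.

```python
import hashlib
import io

CHUNK = 4096  # comparison unit in bytes (assumed value)


def chunk_manifest(stream, chunk=CHUNK):
    """Return [(sha256_hex, is_all_zero)] for each fixed-size chunk of a raw image."""
    manifest = []
    while True:
        block = stream.read(chunk)
        if not block:
            break
        all_zero = block.count(0) == len(block)
        manifest.append((hashlib.sha256(block).hexdigest(), all_zero))
    return manifest


def compare_acquisitions(first, second):
    """Classify every chunk of two manifests taken from one device at different times."""
    if len(first) != len(second):
        raise ValueError("manifests cover different extents")
    report = {"unchanged": 0, "became_zero": [], "changed_other": []}
    for idx, ((h1, z1), (h2, z2)) in enumerate(zip(first, second)):
        if h1 == h2:
            report["unchanged"] += 1
        elif z2 and not z1:
            # Assumption: a chunk that now reads as all zeros was purged by the drive.
            report["became_zero"].append(idx)
        else:
            report["changed_other"].append(idx)
    return report


def build_sample():
    """Constructed data: 8 non-zero chunks, then the same image with chunks 2, 5, 6 zeroed."""
    t0 = b"".join(bytes([i + 1]) * CHUNK for i in range(8))
    t1 = bytearray(t0)
    for idx in (2, 5, 6):
        t1[idx * CHUNK:(idx + 1) * CHUNK] = bytes(CHUNK)
    return io.BytesIO(t0), io.BytesIO(bytes(t1))


if __name__ == "__main__":
    early, late = build_sample()
    print(compare_acquisitions(chunk_manifest(early), chunk_manifest(late)))
```

On real evidence, pass file objects opened in binary read mode on the two image files in place of the sample streams.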

"A few people in the forensics community had some awareness that something funny was going on with some SSDs, but everyone we've shown this to has been shocked at the extent of the findings," said co-author Graeme Bell by email to Techworld.

As far as SSDs are concerned, the state of the drive cannot be taken to indicate that its owner did or did not interact with it in ways that allow prosecutors to infer guilt or innocence.

"The fact that data has been purged does not mean a human knowingly did it (e.g. accidental guilt). [But] data purging may make a guilty person look innocent (e.g. accidental innocence)," says Bell.

The team warns that as USB sticks grow in capacity, manufacturers could start integrating similar purging technologies into them, duplicating the same problem for a second set of storage media. Bell and Boddington also believe that 'garbage collection' routines will become more aggressive over time as manufacturers start using more powerful firmware, chipsets and larger-capacity drives.

In an 18-point summary of their findings, the pair offer no simple fixes to the problem they are the first to experimentally demonstrate, noting that "there is no simple answer to this problem."

How many SSDs might use 'garbage collection' firmware? According to Bell, probably very few older drives but an increasing number of newer ones.

Previously only published in The Journal of Digital Forensics, Security and Law in December 2010, the full report can now be downloaded from the publication's website.

Paradoxically, only last week researchers in California uncovered a separate but related problem with SSDs, namely that it could be hard to securely wipe data from them in a guaranteed, controlled way.

Although at first it sounds as if this finding contradicts the Australian research (i.e. that data is constantly being wiped by SSDs in order to maintain performance), it is more concerned with the difficulty, from the point of view of software erase programs, of guaranteeing that data has really been erased from the portion of the drive it is located on.
