SSD firmware destroys digital evidence, researchers find

A technology built into many new solid state drives (SSDs) to improve their storage efficiency could inadvertently be making forensic analysis at a later date by police forces and intelligence agencies almost impossible to carry out to legally safe standards, researchers have discovered.

The detailed findings contained in Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Discovery? by Graeme B. Bell and Richard Boddington of Murdoch University in Perth, Australia, will make unsettling reading for professionals in the digital forensics field and beyond.

After conducting a series of experiments comparing a sample Corsair 64GB SSD with a conventional Hitachi 80GB magnetic hard drive (HDD), the team found a layer cake of data recovery problems caused by the 'garbage collection' or purging algorithms used in SSDs to keep them at peak performance.

After examining an SSD for traces of data after it had been quick formatted, the team expected the purging routines to kick in around 30-60 minutes later, a process that must happen on SSDs before new data can be written to those blocks. To their surprise, this happened in only three minutes, after which only 1,064 out of 316,666 evidence files were recoverable from the drive.

Going a stage further, they removed the drive from the PC and connected a 'write blocker', a piece of hardware designed to isolate the drive and stop any purging of its contents. Incredibly, after leaving this attached for only 20 minutes, almost 19 per cent of its files had been wiped for good, a process the researchers put down the ability of SSDs to initiate certain routines independent of a computer.

For comparison, on the equivalent hard drive all data was recoverable, regardless of the time elapsed, as a forensic examiner would expect

"Even in the absence of computer instructions, a modern solid-state storage device can permanently destroy evidence to a quite remarkable degree, during a short space of time, in a manner that a magnetic hard drive would not," the team concludes.

The results are concerning on a number of levels, forensic, legal and technical.

Current digital forensic practice rests on assumptions about the ability of experts to isolate and snapshot drives accurately in order to back up possible criminal investigations. This is now looking to be far more difficult for SSDs than it has been for HDDs using current technologies.

Even more startling is that basic drive isolation 'write blockers' are not guaranteed to perform to high standards against SSDs, the first time this technology has ever been experimentally undermined. The firmware built into many and possibly all of these drives allows them to destroy data simply by being powered on, even when not connected to a PC or under the apparent control of an operating system.

"If the drive is purging data far faster than the analyst can extract it, and the process of purging can begin and continue while the analyst is extracting the data, how can the analyst hope to capture a complete, frozen image of the disk that is representative of the disk state at capture time?," the researchers write.

"A few people in the forensics community had some awareness that something funny was going on with some SSDs, but everyone we've shown this to has been shocked at the extent of the findings," said co-author Graeme Bell by email to Techworld.

As far as SSDs are concerned, the state of the drive cannot be taken to indicate that its owner did or did not interact with it in ways that allow prosecutors to infer guilt or innocence.

"The fact that data has been purged does not mean a human knowingly did it (e.g. accidental guilt). [But] data purging may make a guilty person look innocent (e.g. accidental innocence)," says Bell.

The team warns that as USB sticks grow in capacity, manufacturers could start integrating similar purging technologies into them, duplicating the same problem for a second set of storage media. Bell and Boddington also believe that 'garbage collection' routines will become more aggressive over time as manufacturers start using more powerful firmware, chipsets and larger-capacity drives.

In an 18-point summary of their findings, the pair offer no simple fixes to the problem they are the first to experimentally demonstrate, noting that "there is no simple answer to this problem."

How many SSDs might use 'garbage collection' firmware? According to Bell, probably very few older drives but an increasing number of newer ones.

Previously only published in The Journal of Digital Forensics, Security and Law in December 2010, the full report can now be downloaded from the publication's website.

Paradoxically, only last week researchers in California uncovered a separate but related problem with SSDs, namely that it could be hard to securely wipe data from them in a guaranteed, controlled way.

Although at first it sounds as if this finding contradicts the Australian research (i.e that data is constantly being wiped by SSDs in order to maintain performance), it is more concerned with the difficulty of guaranteeing that data has really been erased from the portion of the drive it is located on from the point of view of software erase programs.

• Tweet