Published in: Journal of Computer Virology and Hacking Techniques 4/2014

01-11-2014 | Original Paper

Black-box forensic and antiforensic characteristics of solid-state drives

Authors: Gabriele Bonetti, Marco Viglione, Alessandro Frossi, Federico Maggi, Stefano Zanero


Abstract

Solid-state drives (SSDs) are inherently different from traditional drives, as they incorporate data-optimization mechanisms to overcome their limitations (such as a limited number of program-erase cycles, or the need to blank a block before writing). The most common optimizations are wear leveling, trimming, compression, and garbage collection, which operate transparently to the host OS and, in certain cases, even when the disks are disconnected from a computer (but still powered up). In simple terms, SSD controllers are designed to hide these internals completely, rendering them inaccessible except through direct acquisition of the memory cells. These optimizations may have a significant impact on the forensic analysis of SSDs. The main cause is that memory cells could be preemptively blanked, whereas a traditional drive sector would need to be explicitly rewritten to physically wipe off the data. Unfortunately, the existing literature on this subject is sparse and the conclusions are seemingly contradictory. In this work we propose a generic, practical, test-driven methodology that guides researchers and forensics analysts through a series of steps that assess the “forensic friendliness” of an SSD. Given a drive of the same brand and model as the one under analysis, our methodology produces a decision tree that can, for instance, help an analyst to determine whether or not an expensive direct acquisition of the memory cells is worth the effort, because optimizations may have rendered the data unreadable or useless. Conversely, it can be used to assess the antiforensic techniques that stem from the characteristics of a given hardware, and to develop novel ones that are specifically suited to particular drives. We apply our methodology to three SSDs produced by top vendors (Samsung, Corsair, and Crucial), and provide a detailed description of how each step should be conducted. As a result, we provide two use cases: a test-driven triage classification of drives according to forensic friendliness, and the development of an anti-forensic technique specifically suited to a given drive.

Footnotes
1. We used the TSOP NAND clip socket, available online for 29 USD.
Metadata
Title: Black-box forensic and antiforensic characteristics of solid-state drives
Authors: Gabriele Bonetti, Marco Viglione, Alessandro Frossi, Federico Maggi, Stefano Zanero
Publication date: 01-11-2014
Publisher: Springer Paris
DOI: https://doi.org/10.1007/s11416-014-0221-z
