SSD Data Evaporation DEF CON 21 August 3, 2013. Bio.

Slides:



Advertisements
Similar presentations
Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.
Advertisements

Deleted File Recovery Tool Testing Results Jim Lyle NIST 2/21/13AAFS -- Washington 1.
Hard Drives on Your Old Desktop Computer SIR Phil Goff Branch 116 August 21,
1 X-Ways Security: Permanent Erasure Supervised By: Dr. Lo’ai Tawalbeh Prepared By :Murad M. Ali.
1 Module 10 Managing Partitions. 2  Overview Partitioning a Disk Using Disk Administrator General Maintenance and Troubleshooting.
An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.
Forensic Tool Testing Results Jim Lyle National Institute of Standards and Technology.
Guide to Computer Forensics and Investigations Fourth Edition
MCDST : Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 8: Troubleshooting Storage Devices and Display Devices.
COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.
COS/PSA 413 Day 15. Agenda Assignment 3 corrected –5 A’s, 4 B’s and 1 C Lab 5 corrected –4 A’s and 1 B Lab 6 corrected –A, 2 B’s, 1 C and 1 D Lab 7 write-up.
70-270, MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Five Managing Disks and Data.
I have lost all my vacation pictures due to memory card corruption. Can I get them back? I have accidently deleted some important Photos, Music files.
Capturing Computer Evidence Extracting Information.
Computer Forensic Evidence Collection and Management
Chapter 4: Operating Systems and File Management 1 Operating Systems and File Management Chapter 4.
 A basic overview  Presented by:  Steve Jones, Gran-IT Consulting, Inc.
Chapter 7 Installing and Using Windows XP Professional.
Data Deletion and Recovery. Data Deletion  What does data deletion mean in your own words?
HDD INSTALLATION AND SETUP. HDD Introduction Hard disk is the most popular storage device used to store various kinds of data in most computers. Hard.
A+ Guide to Managing and Maintaining Your PC Fifth Edition Chapter 8 Understanding and Installing Hard Drives.
SSD Forensics 2014 Oleg Afonin, Yuri Gubanov.
Drive Imaging Joe Cicero Northeast Wisconsin Technical College.
ITE 1 Chapter 5. Chapter 5 is a Large Chapter It has a great deal of useful information about operating systems. You will find this VERY helpful when.
Hard Drive Overview: The UltraMax Plus, MiniMax and eGo Firewire+ Drives Erik Collett Chinese Product Launch IOMEGA CONFIDENTIAL.
The Basic Input/Output System Unit objectives: Access the BIOS setup utility, change hardware configuration values, and research BIOS updates Explain the.
Understanding and Troubleshooting Your PC. Chapter 5: Understanding, Installing, and Troubleshooting Disk Drives2 Chapter Objectives  In this chapter,
Active KillDisk © v3.0 Active Data Security Solutions.
WINDOWS Part 1 – Start Up Basics
Component 4: Introduction to Information and Computer Science Unit 4: Application and System Software Lecture 3 This material was developed by Oregon Health.
Chapter 3 Managing Disk and File Systems. File Storage Basics Windows XP supports two types of storage Basic Dynamic Basic storage system Centers on partitioning.
Disk Fragmentation 1. Contents What is Disk Fragmentation Solution For Disk Fragmentation Key features of NTFS Comparing Between NTFS and FAT 2.
C HAPTER 7 Managing Disk and File System. I NTRODUCING DISK MANAGEMENT 2 types of hard disk storage supported by Windows XP are: basic hard disk & dynamic.
MCTS Guide to Microsoft Windows Vista Chapter 4 Managing Disks.
Partitioning and Formatting drives The easy way, using Knoppix live CD By Carl Weisheit.
Strata IT Training Chapter 10 Advanced Storage Topics.
Managing Disks and Drives Chapter 13 powered by dj.
MCTS Guide to Microsoft Windows 7
Floppy Disk Drive Chapter 5 Release 22/10/2010powered by dj.
DELETING TEMPORARY FILES 1.Click “Start” -> “Search” -> “All Files and Folder”. 2.In “All or Part of the file name” box enter “*.tmp” and click “Search”.
IST 222 Day 3. Homework for Today Take up homework and go over Go to Microsoft website and check out their hardware compatibility list.
CS101 Storage Information Storage The zeros and ones in the input devices, output devices and process devices are in _______ form and are lost when the.
Understanding Backup and Recovery Methods Lesson 8.
Windows and Mac OSX.  Formatting a disk prepares it to accept data  NTFS on Windows  HFS+ on the Mac  There are lots of different formatting options.
What is Reformatting? Reformatting the disk means to, refresh the hard drive to a new state. A full format permanently erases everything on the disk as.
MCTS GUIDE TO MICROSOFT WINDOWS 7 Chapter 4 Managing Disks.
Adding a Hard Drive. BIOS / UEFI The Unified Extensible Firmware Interface (UEFI) defines a software interface between an operating system and platform.
Chapter 15 ©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved. Computer Basics for Digital Investigators.
Hyper-V Recovery Software Ideal Application to Get Data from VHD v2.1.
Visit:  If you have lost important files, take a deep breath and rest assured that disk recovery software can likely help.
Stellar Phoenix Photo Recovery Recover Photos, Audio & Videos.
Inutsystems.com. Recovery passable in Any make of the hard disk like any laptop (small) hard disk Extra. We Deal all Operating Systems. Like all windows,
Disk Utility fails to resize Mac partition? Try Stellar Partition Manager.
Are you on the lookout of a good PC backup software? Well, your PC is surely like your virtual diary in this contemporary digital where you store all your.
VMware Recovery Software RECOVER DATA FROM CORRUPT VMDK FILE.
Instructor: Syed Shuja Hussain Chapter 4: Operating System Basics.
A+ Guide to Managing and Maintaining Your PC, 7e Chapter 2 Introducing Operating Systems.
DIT314 ~ Client Operating System & Administration CHAPTER 7 MANAGING DISKS AND FILE SYSTEM Prepared By : Suraya Alias.
CompTIA Server+ Certification (Exam SK0-004)
11. Looking Ahead.
CS101 Booting A Computer.
Introduction To Computers
Introduction to Computers
CHFI & Digital Forensics [Part.1] - Basics & FTK Imager
Normal deletion Shift deletion
COEN 252: Computer Forensics
Lecture 11: Flash Memory and File System Abstraction
Chapter 5 – Files, Directories, and the File System
Windows Operating System
Presentation transcript:

SSD Data Evaporation DEF CON 21 August 3, 2013

Bio

Data Remanence

Deleted Data On magnetic hard disks, data remains till it is overwritten Image from

DEMO on Windows Observing data on a magnetic hard disk after – Moving to Recycle Bin – Emptying Recycle Bin – Formatting Drive (Quick) – Formatting Drive (Slow)

Forensics & Data Recovery We can recover deleted data Find evidence of crimes Even after a format Very few criminals know enough to use encryption or forensic erasure

Useful Free Data Recovery Tools Recuva for PC Disk Drill for Mac

SSDs

From

How SSDs Work Data can be read and written one page at a time, but can only be erased a block at a time Each erasure degrades the flash—it fails around 10,000 erasures From 38/5

Garbage Collection SSD controller erases pages all by itself, when it knows they are empty The TRIM command is sent to the SSD when a file is deleted – But only if you use a the correct OS, Partition type, and BIOS settings Yuri Gubanov calls this “Self-Corrosion” – I call it Data Evaporation

Demo on Mac: Disk Drill Deleted files from desktop evaporate in min

Demo on PC Save data on an SSD Watch it evaporate! How to test TRIM – fsutil behavior query DisableDeleteNotify – Zero = TRIM enabled

When Does TRIM Work? BIOS: Drive must be SATA in AHCI mode, not in IDE emulation mode SSD must be new (Intel: 34 nm only) Windows 7 or later – NTFS volumes, not FAT Mac OS X or later – Must be Apple-branded SSD

When Does TRIM Work? External Drives must use SATA or SCSI, not USB PCI-Express & RAID does not support TRIM From

Expert Witness Testimony

Experience In court, an expert witness can state an opinion Must be based on personal experience – “I read it in a book” NO – “A teacher said it in a class” NO – “I know this because I tested it” YES So forensic examiners do a lot of testing

Summary SSDs retain deleted data sometimes Other times they don’t It depends on – Manufacturer – OS – BIOS – Interface – Who knows what else

The evap Tool For Mac OS X Only

Intro

Evaporation on JHFS+

No Evaporation on HFS+

More Info Slides, instructions for the attacks, & more at Samsclass.info

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.