Presentation is loading. Please wait.

Presentation is loading. Please wait.

Www.belkasoft.com SSD Forensics 2014 Oleg Afonin, Yuri Gubanov.

Published byHenry Hodge Modified over 9 years ago

Similar presentations

Presentation on theme: "Www.belkasoft.com SSD Forensics 2014 Oleg Afonin, Yuri Gubanov."— Presentation transcript:

1 www.belkasoft.com SSD Forensics 2014 Oleg Afonin, Yuri Gubanov

2 www.belkasoft.com SSD Forensics 2014 10% of all laptops sold in 2013 featured SSD drives SSD adoption steadily growing Samsung expects 30% SSD adoption rate in 2015 and 2016 SSD forensics important today, essential in nearest future Solid-state storage technology has arrived

3 www.belkasoft.com 2014 SSD Trend More space for less money Cunning technologies Compressing controllers fading away Chip-off acquisition did not take off Bigger, faster, cheaper

4 www.belkasoft.com Who Made That SSD?

5 www.belkasoft.com SSD Forensics: Probability Based Whether or not a particular SSD is recoverable depends on numerous factors Forensic outcome is impossible to predict Rules, exceptions and exceptions from exceptions While it’s always worth trying, understanding how and why SSD’s destroy evidence is essential No definite ‘Yes’ or ‘No’

6 www.belkasoft.com Checklist As an example of how complex the whole TRIM issue is, here’s an excerpt from a Synology document: The following is applicable to (other NAS models don’t support TRIM at all). SSD TRIM is not available when an SHA cluster exists. TRIM cannot be enabled on iSCSI LUN. The TRIM feature under RAID 5 and 6 configurations can only be enabled on the SSDs with DZAT (Deterministic Read Zero after TRIM) support. Please contact your SSD manufacturers for details on DZAT support. TRIM support is not a given

7 www.belkasoft.com Chip-Off Forensics Chip-off forensics for SSD’s never took off VERY few exceptions No all-in-one solution Why? Direct access to flash chips TEEL Tech BGA Acquisition Toolkit

8 www.belkasoft.com Chip-Off Forensics Existing data extracted via SATA (no such thing for mobile phones) SSD internal data structures extremely complex Data remapping, shuffling and overprovisioning Heavy fragmentation on logical and physical levels due to massively parallel writes Direct access to flash chips: unfeasible?

9 www.belkasoft.com Why SSD’s Destroy Evidence SSD self-corrosion: a poorly understood phenomenon that permanently destroys deleted evidence TRIM and background collection used in all new SSD’s On-the-fly compression and constant remapping make off-chip acquisition practically impossible Numerous exceptions make destroyed evidence recoverable SSD technology: wear leveling and performance considerations

10 www.belkasoft.com Facts about SSD Self-Corrosion SSD self-corrosion is a by-product of SSD wear leveling and performance optimization Self-corrosion continues even SSD is installed into a write-blocking imaging device If the self-destruction process has already started, there is no practical way of stopping it Practical outcome: content of deleted files magically disappears

11 www.belkasoft.com How TRIM Works (On Paper)

12 www.belkasoft.com Facts about TRIM and Garbage Collection TRIM does not delete data TRIM is an advisory measure Data is destroyed by background garbage collection Data becomes inaccessible because of remapping SSD over-provisioning makes intact data blocks non- addressable and inaccessible TRIM fact sheet

13 www.belkasoft.com Facts about SSD Over-Provisioning SSD over-provisioning makes intact data blocks non- addressable and inaccessible Reliability measure and performance aid SSD drives have more space than advertised No way to access ‘hidden’ blocks SSD over-provisioning and why it’s important

14 www.belkasoft.com TRIM: Controversial and Poorly Understood TRIM Not Always Supported Not Always Engaged Not Always Working

15 www.belkasoft.com TRIM: Is It Enabled? TRIM is enabled in most computers, but still worth a check Analyzing a live Windows 7, 8 or 8.1 PC: fsutil behavior query disabledeletenotify DisableDeleteNotify = 1 means that Windows TRIM is disabled DisableDeleteNotify = 0 means that Windows TRIM is enabled fsutil is a standard tool in Windows 7, 8, and 8.1. One can enable TRIM with “fsutil behavior set disabledeletenotify 0” or disable it with “fsutil behavior set disabledeletenotify 1”.

16 www.belkasoft.com TRIM: Not Always Supported TRIM is not supported in certain configurations OS prior to Windows 7 or Mac OS X 10.6.8 Exceptions: Intel SSD Optimizer and similar third-party software Mac OS X: TRIM only in native SSD drives Old and basic SSD hardware Windows: non-NTFS volumes Legacy RAID configurations Recent platforms support TRIM, e.g. RAID 0 + Intel H67, Z77, Z87, H87, Z68, Z97 + recent Intel Rapid Storage Technology (RST) driver

17 www.belkasoft.com TRIM: Not Always Engaged TRIM is not engaged in certain situations Data corruption Slack space Resident files (MFT attributes) External drives: USB, FireWire, NAS Exceptions: certain Synapsis NAS units started supporting TRIM in some configurations (and only for DZAT-type SSD’s) Non-SATA SSD (e.g. PCI Express) Exceptions: some PCI Express type SSD’s implement on-board SATA controllers

18 www.belkasoft.com SSD Slack Space

19 www.belkasoft.com TRIM: Not Always Working Sometimes, TRIM does not work SSD firmware bugs Faulty implementations of SSD over-provisioning Bait-and-switch

20 www.belkasoft.com SSD Shadiness: Bait-and-Switch Online reviews not to trust Kingston and PNY caught switching SSD components after good reviews Second revision of PNY Optima drives features forensic-friendly SandForce controller http://www.extremetech.com/extreme/184253-ssd-shadiness- kingston-and-pny-caught-bait-and-switching-cheaper-components- after-good-reviews

21 www.belkasoft.com Special Considerations Apple FileVault 2TRIM enabled Microsoft BitLockerTRIM enabled TrueCryptTRIM enabled PGP WDETRIM disabled (optional) Encrypted volumes

22 www.belkasoft.com Life After TRIM Sometimes, trimmed data remains recoverable User experience varies Why? What happens to trimmed data?

23 www.belkasoft.com Life After TRIM Several implementations, different handling of deleted data Deterministic Read After Trim (DRAT) Deterministic Zeroes After Trim (DZAT) Undefined $ sudo hdparm -I /dev/sda | grep -i trim * Data Set Management TRIM supported (limit 1 block) * Deterministic read data after TRIM What happens to trimmed data?

24 www.belkasoft.com Reality Steps In Why? Significant success rate when investigating real SSD’s

25 www.belkasoft.com Reality Steps In

26 www.belkasoft.com Reality Steps In Marketing ploy: it’s not a real SSD Ultra-thin devices: PCI Express SSD Software bugs Requires BIOS, firmware or drivers update Unsupported configurations Significant success rate when investigating real SSD’s

27 www.belkasoft.com What’s New in 2014 SSD recognition grows among software makers and hardware manufacturers TRIM now supported in some RAID configurations TRIM now supported in some NAS units (e.g. Synology) Buggy Sandforce controllers are becoming a thing of the past (but many existing drives carry one) Windows XP discontinued, less PC’s with no TRIM support TRIM adoption steadily growing

28 www.belkasoft.com Alternative Data Sources Evidence is available elsewhere Memory dumps Hibernation and page files Deleted SQLite records Alternative data sources contain copies or traces of deleted evidence: Jumplists Thumbnail cache Skype ‘chatsync’ SQLite ‘freelist’

29 www.belkasoft.com Alternative Sources Live RAM Analysis RAM (Volatile Memory) analysis reveals more evidence Instant access to TrueCrypt, PGP, BitLocker and other encrypted volumes with binary encryption keys Recent social network communications Data from browsing sessions with enforced privacy settings BelkaCarving™ recovers fragmented data from memory dumps Support for binary RAM dumps, hibernation and page file analysis Proper acquisition technique is required

30 www.belkasoft.com Data Carving Destroyed Evidence Recovered with Data Carving Carving is used to locate evidence in existing files and unallocated space Locates hidden evidence Recovers deleted files Recovers evidence from formatted volumes and repartitioned hard drives Implements binary signature-search analysis Carving available for logical and physical disks, forensic drive images and memory dumps, hibernation and page files Fully automated operation requires no special skills

31 www.belkasoft.com Not All Deleted Evidence Is Destroyed Cleared Skype Histories and Deleted SQLite Records Cleared Skype histories are not deleted from the disk Deleted SQLite records are not affected by SSD TRIM SQLite is used in: most system and user-level Android and iOS apps Skype, Yahoo Messenger, eBuddy, PhotoBox, Picasa Explorer Major Web browsers: Mozilla, Chrome, Safari Deleted SQLite records recoverable via ‘freelist’ analysis Cleared Skype histories and conversation logs can be recovered

32 www.belkasoft.com Capturing Memory Dumps Live RAM Capturer Free forensically sound memory acquisition tool True kernel-mode operation in 32-bit and 64-bit environments Bypasses active anti-debugging and anti-dumping protection Forensically tested with minimum footprint Portable operation Produces binary memory dumps that are usable in Belkasoft and third-party tools Download from belkasoft.com/ram-capturer

33 www.belkasoft.com Hands On Experience Free Demo Version Downloadable evaluation version Fully-featured demo by request Request your FREE demo at belkasoft.com/trial

Download ppt "Www.belkasoft.com SSD Forensics 2014 Oleg Afonin, Yuri Gubanov."

Similar presentations

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.
Microsoft ® Official Course First Look Clinic Overview of Windows 8 By Ragowo Riantory, S.Kom, MCP.

Microsoft ® Official Course First Look Clinic Overview of Windows 8 By Ragowo Riantory, S.Kom, MCP.
IT1100 – COMPUTER APPLICATIONS 10 Credits 2 Hours per week.

IT1100 – COMPUTER APPLICATIONS 10 Credits 2 Hours per week.
What’s new in this release? September 6, 2012. Milestone Systems Confidential Milestone’s September release 2012 XProtect ® Web Client 1 Connect instantly.

What’s new in this release? September 6, Milestone Systems Confidential Milestone’s September release 2012 XProtect ® Web Client 1 Connect instantly.
Objectives Overview Define an operating system

Objectives Overview Define an operating system
Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?

Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?
This presentation will take a look at to prevent your information from being discovered by and investigator.

This presentation will take a look at to prevent your information from being discovered by and investigator.
Www.belkasoft.com Belkasoft Acquisition and Analysis Suite.

Belkasoft Acquisition and Analysis Suite.
Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.

Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.
You can run that from a USB Drive ? Portable Applications: the good, the bad and the ugly Jeff Gimbel © 2007.

You can run that from a USB Drive ? Portable Applications: the good, the bad and the ugly Jeff Gimbel © 2007.
Kaitlin Moran Software Brief. What is picnik? Picnik is a free program that allows you to create your photos into a master piece, through a variety of.

Kaitlin Moran Software Brief. What is picnik? Picnik is a free program that allows you to create your photos into a master piece, through a variety of.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 2: Managing Hardware Devices.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 2: Managing Hardware Devices.
Operating Systems.

Operating Systems.
 Contents 1.Introduction about operating system. 2. What is 32 bit and 64 bit operating system. 3. File systems. 4. Minimum requirement for Windows 7.

 Contents 1.Introduction about operating system. 2. What is 32 bit and 64 bit operating system. 3. File systems. 4. Minimum requirement for Windows 7.
Installing Windows XP Professional Using Attended Installation Slide 1 of 41Session 2 Ver. 1.0 CompTIA A+ Certification: A Comprehensive Approach for all.

Installing Windows XP Professional Using Attended Installation Slide 1 of 41Session 2 Ver. 1.0 CompTIA A+ Certification: A Comprehensive Approach for all.
Computers They're Not Magic! (for the most part)‏ Adapted from Ryan Moore.

Computers They're Not Magic! (for the most part)‏ Adapted from Ryan Moore.
8/10/2015Windows 71 George South. 8/10/2015Windows 7 2 1. Windows Vista Windows Vista was released in January 2007 some five years after Windows XP Vista.

8/10/2015Windows 71 George South. 8/10/2015Windows Windows Vista Windows Vista was released in January 2007 some five years after Windows XP Vista.
Capturing Computer Evidence Extracting Information.

Capturing Computer Evidence Extracting Information.
 A basic overview  Presented by:  Steve Jones, Gran-IT Consulting, Inc.

 A basic overview  Presented by:  Steve Jones, Gran-IT Consulting, Inc.
CYBER FORENSICS PRESENTER: JACO VENTER. CYBER FORENSICS - AGENDA Dealing with electronic evidence – Non or Cyber Experts Forensic Imaging / Forensic Application.

CYBER FORENSICS PRESENTER: JACO VENTER. CYBER FORENSICS - AGENDA Dealing with electronic evidence – Non or Cyber Experts Forensic Imaging / Forensic Application.

Similar presentations

Ads by Google