Presentation is loading. Please wait.

Presentation is loading. Please wait.

SSD Data Evaporation DEF CON 21 August 3, 2013. Bio.

Published byTyler Pope Modified over 9 years ago

Similar presentations

Presentation on theme: "SSD Data Evaporation DEF CON 21 August 3, 2013. Bio."— Presentation transcript:

1 SSD Data Evaporation DEF CON 21 August 3, 2013

2 Bio

3 Data Remanence

4 Deleted Data On magnetic hard disks, data remains till it is overwritten Image from www.howstuffworks.com

5 DEMO on Windows Observing data on a magnetic hard disk after – Moving to Recycle Bin – Emptying Recycle Bin – Formatting Drive (Quick) – Formatting Drive (Slow)

6 Forensics & Data Recovery We can recover deleted data Find evidence of crimes Even after a format Very few criminals know enough to use encryption or forensic erasure

7 Useful Free Data Recovery Tools Recuva for PC Disk Drill for Mac

8

9 SSDs

10 From http://www.isuppli.com/Abstract/P28276_20130322152341.pdf

11 How SSDs Work Data can be read and written one page at a time, but can only be erased a block at a time Each erasure degrades the flash—it fails around 10,000 erasures From http://www.anandtech.com/show/27 38/5

12 Garbage Collection SSD controller erases pages all by itself, when it knows they are empty The TRIM command is sent to the SSD when a file is deleted – But only if you use a the correct OS, Partition type, and BIOS settings Yuri Gubanov calls this “Self-Corrosion” – I call it Data Evaporation

13 Demo on Mac: Disk Drill Deleted files from desktop evaporate in 30-60 min

14

15 Demo on PC Save data on an SSD Watch it evaporate! How to test TRIM – fsutil behavior query DisableDeleteNotify – Zero = TRIM enabled

16 When Does TRIM Work? BIOS: Drive must be SATA in AHCI mode, not in IDE emulation mode SSD must be new (Intel: 34 nm only) Windows 7 or later – NTFS volumes, not FAT Mac OS X 10.6.8 or later – Must be Apple-branded SSD

17 When Does TRIM Work? External Drives must use SATA or SCSI, not USB PCI-Express & RAID does not support TRIM From http://forensic.belkasoft.com/en/why-ssd-destroy-court-evidence

18 Expert Witness Testimony

19 Experience In court, an expert witness can state an opinion Must be based on personal experience – “I read it in a book” NO – “A teacher said it in a class” NO – “I know this because I tested it” YES So forensic examiners do a lot of testing

20 Summary SSDs retain deleted data sometimes Other times they don’t It depends on – Manufacturer – OS – BIOS – Interface – Who knows what else

21 The evap Tool For Mac OS X Only

22 Intro

23 Evaporation on JHFS+

24 No Evaporation on HFS+

25 More Info Slides, instructions for the attacks, & more at Samsclass.info

Download ppt "SSD Data Evaporation DEF CON 21 August 3, 2013. Bio."

Similar presentations

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.
Deleted File Recovery Tool Testing Results Jim Lyle NIST 2/21/13AAFS -- Washington 1.

Deleted File Recovery Tool Testing Results Jim Lyle NIST 2/21/13AAFS -- Washington 1.
Hard Drives on Your Old Desktop Computer SIR Phil Goff Branch 116 August 21, 2014 1.

Hard Drives on Your Old Desktop Computer SIR Phil Goff Branch 116 August 21,
1 X-Ways Security: Permanent Erasure Supervised By: Dr. Lo’ai Tawalbeh Prepared By :Murad M. Ali.

1 X-Ways Security: Permanent Erasure Supervised By: Dr. Lo’ai Tawalbeh Prepared By :Murad M. Ali.
1 Module 10 Managing Partitions. 2  Overview Partitioning a Disk Using Disk Administrator General Maintenance and Troubleshooting.

1 Module 10 Managing Partitions. 2  Overview Partitioning a Disk Using Disk Administrator General Maintenance and Troubleshooting.
An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.

An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.
Forensic Tool Testing Results Jim Lyle National Institute of Standards and Technology.

Forensic Tool Testing Results Jim Lyle National Institute of Standards and Technology.
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
MCDST 70-271: Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 8: Troubleshooting Storage Devices and Display Devices.

MCDST : Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 8: Troubleshooting Storage Devices and Display Devices.
COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.

COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.
COS/PSA 413 Day 15. Agenda Assignment 3 corrected –5 A’s, 4 B’s and 1 C Lab 5 corrected –4 A’s and 1 B Lab 6 corrected –A, 2 B’s, 1 C and 1 D Lab 7 write-up.

COS/PSA 413 Day 15. Agenda Assignment 3 corrected –5 A’s, 4 B’s and 1 C Lab 5 corrected –4 A’s and 1 B Lab 6 corrected –A, 2 B’s, 1 C and 1 D Lab 7 write-up.
70-270, 70-290 MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Five Managing Disks and Data.

70-270, MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Five Managing Disks and Data.
I have lost all my vacation pictures due to memory card corruption. Can I get them back? I have accidently deleted some important Photos, Music files.

I have lost all my vacation pictures due to memory card corruption. Can I get them back? I have accidently deleted some important Photos, Music files.
Capturing Computer Evidence Extracting Information.

Capturing Computer Evidence Extracting Information.
Computer Forensic Evidence Collection and Management

Computer Forensic Evidence Collection and Management
Chapter 4: Operating Systems and File Management 1 Operating Systems and File Management Chapter 4.

Chapter 4: Operating Systems and File Management 1 Operating Systems and File Management Chapter 4.
 A basic overview  Presented by:  Steve Jones, Gran-IT Consulting, Inc.

 A basic overview  Presented by:  Steve Jones, Gran-IT Consulting, Inc.
Chapter 7 Installing and Using Windows XP Professional.

Chapter 7 Installing and Using Windows XP Professional.
Data Deletion and Recovery. Data Deletion  What does data deletion mean in your own words?

Data Deletion and Recovery. Data Deletion  What does data deletion mean in your own words?
HDD INSTALLATION AND SETUP. HDD Introduction Hard disk is the most popular storage device used to store various kinds of data in most computers. Hard.

HDD INSTALLATION AND SETUP. HDD Introduction Hard disk is the most popular storage device used to store various kinds of data in most computers. Hard.

Similar presentations

Ads by Google