11:51 Erase can not be recovered | |
| Two interesting research articles from different parts of the world, published on the Web almost immediately one after the other, give substantially new perspective on forensic aspects in the SSD, or solid-state storage devices, often referred to as a flash drive. The inner workings of SSD is so much different from traditional storage on hard disks that criminologists can no longer rely on the current data storage technology in situations where the evidence from the media type SSD appear in court proceedings. On the other hand, pieces of data stored in memory flash drives, can be rendered virtually indestructible. Restore can not About this boils down the essence of prevention in the outcome of the research articles of scientists from Australia's Murdoch University («Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Discovery» by Graeme B. Bell and Richard Boddington, PDF). The study was based on a large series of experiments over the nuances of storage in the studied samples: the flash drive Corsair 64GB SSD and traditional magnetic disk Hitachi 80GB. A comparative analysis, researchers identified a SSD whole bunch of problems with data recovery. Problems, it is not peculiar to magnetic disks and the resulting algorithms cleaning or "garbage" that are used to maintain the flash drives at the level of maximum productivity. Under the influence of these algorithms is important for the investigation data stored on today's SSD, often become the object of what has been among criminologists name "samokorroziya. The result of this process is that the evidence on the SSD is continuously erased or polluted by extraneous data - in a manner which is absolutely not peculiar to carriers based on magnetic hard disks. And that is fundamentally important that all these changes to the information occur in the absence of any instruction from the user or the computer. Results of Australian researchers inevitably give rise to doubts about the integrity and authenticity of the files that isolate forensic techniques and removed from the storage devices. You could even say that marked a distinct threat to the end of the "golden age" in collecting digital evidence that was secured features storage on magnetic media. Over the past few decades, investigators have been working with magnetic tapes, floppy and hard disks, which are steadily continued to store vast amounts of information after the files that contain all these have been marked by the system as destroyed. Even the procedure safe cleaning (wiping), as is well known to specialists, is not always sufficient for complete destruction of data on magnetic media. However, in the solid state disk SSD data are stored quite differently - in the form of blocks or pages of transistor chip logic NAND, which must be electronically washed before they can be reused. The output of the industry to improve the efficiency of memory SSD is that most of today's flash drives are built into the firmware program, which regularly and automatically perform the procedure "purification" or "garbage". As a result of these sanitary procedures are constant rubbing, edit, and transfer those files that are marked as destroyed the system. Moreover, this process begins without any notice and very quickly, almost immediately after the filing of the chip supply. The user does not need any commands, and a flash drive it does not publish any sound or light signals to inform the user about the beginning of the purification procedure. When testing a particular sample, after he was subjected to a quick format, the researchers expected the cleanup utility will run approximately 30-60 minutes, assuming that this process should occur with the SSD before the new data will be recorded in blocks, first occupied by files. To their surprise, the cleanup took place just three minutes later, after which only 1064 file evidence of the total 316,666 were available to restore from disk. Having decided to follow this process further, the researchers removed the flash drive of your computer and connected it to lock records - hardware devices specifically designed for the isolation of all procedures that can modify the contents of the media. But even here only 20 minutes after the connection is almost 19 percent of all the files have been erased due to internal processes, which initiates the flash SSD itself without any external commands. For comparison, we note that an equivalent magnetic hard disk, all data following a similar format remained the retrievable regardless of elapsed time - as expected by researchers. Clearly, for criminologists who are concerned about the safety of all on the media, this feature of SSD is a big problem. Writes in a commentary to their article, one of the authors, Graham Bell, "a few people in the community of computer forensic aware of the fact that the data in the SSD occur some funny things, but almost all of whom we showed our results were shocked the magnitude of what was found. If the "garbage collection" in SSD occurs before or during the forensic procedure to remove the image, it leads to irreversible destruction of potentially large volumes of valuable data. The data that is in the usual case would have been received as evidence during the investigative process, born from a new term - "Corrosion of evidence". There is no doubt that the discovery of Australian experts will inevitably have serious consequences for those criminal and civil court cases that rely on digital certificates. If the disk from which were obtained evidence is evidence that with these changes occurred after the withdrawal of the device owner, the opposing party receives the base require exclusion of the evidence from the trial. The authors also warn that the growth capacity of USB-flash drives manufacturers may begin to build a similar treatment technology, and in them, causing the same problem and an array of secondary (external) storage media. In addition, Bell and Boddington utility is expected to "garbage collection" will become progressively more aggressive - to the extent that, as manufacturers introduce more and more powerful in its functionality firmware, chipsets and more disk space. The final conclusion of the paper containing the 18-point problems, the researchers offer no treatment, believing that a simple and effective solution to this problem does not exist. Erase can not If we talk about the other American research article is also dedicated to the specific characteristics of data storage in the SSD, at first glance the results seem to be clearly in conflict with those obtained by the Australians. Here, a team of researchers came to a completely different opening: the fragments of data stored in memory flash drives, can be rendered virtually indestructible. How to show the authors of this paper, flash drives are very difficult to clean from the sensitive data being compromised using traditional methods of secure wiping of files and disks. Even in cases where SSD devices show that the files are destroyed, and 75 percent of the data contained in them may still be in memory flash drives. In particular, in some cases, when the solid-state drives indicate if the files "securely erase", in fact duplicates remain largely intact in secondary locations. These are, briefly, the findings of research conducted by the University of California San Diego and presented in late February at the Usenix FAST conference in 1911 («Reliably Erasing Data From Flash-Based Solid State Drives» by Michael Wei, Laura Grupp, Frederick Spada, Steven Swanson. PDF). Problems with reliable data mashing on SSD, as the authors write works are due to a radically different internal design of the carrier. Traditional actuators ATA and SCSI use a magnetized materials for recording information in a specific physical location, known as LBA or logical block address. In drives SSD, on the other hand, for digital storage chips are used for content management applying FTL or "flash translation layer. When data is modified in such a carrier, then FTL is often writes new files to different places, simultaneously updating the allocation map to reflect the changes made. The result of such manipulations is that the remnants of old files, which the authors call "digital remains, in the form of uncontrolled duplicates still exist on disk. As the authors write, "these differences in treatment between magnetic disks and SSD potentially lead to dangerous inconsistencies between the user's expectations and actual behavior of the flash drive ... The owner of such a device can be applied to the SSD standard means of wiping hard drives, mistakenly thinking that resulting data will be irreversibly destroyed. In fact, these data can remain on disk and require only a slightly more complex operations to restore them. " If we talk about specific numbers, the researchers found that about 67 percent of the data stored in the file remain on disk even after it was destroyed by the SSD using the Safely erase ", available in the Apple Mac OS X. Other tools safe (overwrite) erasure in other operating systems showed approximately similar results. For example, after the destruction of the individual program files Pseudorandom Data on the SSD could be up to 75 percent of the data, while using the British government's Technology stripper British HMG IS5 remained until 58protsentov. How to article warns, these results suggest: a situation with SSD overwrite the data proves to be ineffective, and standard procedures for erasing supplied by the manufacturer may not work properly. According to the researchers, the most effective way to securely delete data in SSD is the use of devices that encrypts its contents. Here Wiping procedure reduces the destruction of cryptographic keys in a special section called the "key store" - in effect ensuring that data remains encrypted on disk forever. But then, of course, lies in wait for another problem. As the authors write articles, "the danger lies in the fact that the defense relies on the proper operation of the controller, clean internal storage compartment that contains the crypto key and any values ??derived from it that may be useful for cryptanalysis. Taking into account the implementation errors that we found in some versions of utilities secure erase, it would be unduly optimistic to assume that SSD vendors properly clean up the keystore. Worse, there is no way (for example, dismantling the device) to make sure that erasure did take place. " His results the researchers obtained by writing to SSD drives different files with the well-identifiable data structures. Then use a special device based on FPGA (reprogrammable logic chips) to quickly find and identify the remaining fingerprint of the files after the application procedures for the safe erasure. Spetsustroystvo researchers worth a thousand dollars, but "a more simple version of the device based on microcontroller would cost about 200 dollars and would require only a modest presence of technical expertise for its design." There is no contradiction How to formulate the combined results of these two articles on the discussion forum Slashdot, «or SSD drives really hard to clean up, or with them is really very difficult to recover deleted files. It turns out some complicated story ... " One of the direct participants of the first (Australian) study, Graham Bell, explains this apparent paradox as follows. First data on the disks have traditionally cleaned out manually, that is, explicitly giving the computer a command, that he ordered the drive to write something else on top of previous data. If this command to overwrite has been received, the magnetic media data persisted. However, if the same trick to try to apply to the SSD, it can not work. That the logical memory address that you are trying to dub, could already be reallocated on the fly, so that your team is "overwrite" goes to some other physical memory cell, rather than to one that stores the data before. From a logical point of view, it looks as if dubbing worked: you will not longer be able to access that data through your computer's operating system. However, in terms of the flash drive, these data are still there, hidden in some physical cell, which currently is not used if appropriate to imply a logical sector. However, any subtle flash or a cunning hacker with a soldering iron, in principle, to get this data. At the same time, apart from these features of modern media SSD use different specific tricks in order to automatically improve their performance. One of these tricks is to advance mashing memory cells that contain data, more is not accounted for the file system. In this case, the drive itself is actively trying to continuously clean the disc with all that it can. And does it all exclusively on their own - just for the sake of future acceleration of write operations by providing pre-prepared pool of available and any similarity that is not involved cells. To summarize these features of SSD, we can state the following. If your computer says a flash drive to reset some data, then the drive can you tell a lie and actually reset, maybe it will, maybe not. If he wants to drive something to jam (and he actually does it and without warning), then these data will be destroyed ... One of the commentators, apparently not without a sense of humor, described as an intricate situation in these words: "Why do you call it confusion? Here, everything is transparent and understandable. If you want to recover deleted data, you do so you can not. If you want to destroy them, then do it you can not. It's a Murphy's Law for data storage on SSD ». PS. Original here http://www.computerra.ru/597770/, unfortunately I can not publish a topic link, but the subject is extremely interesting, forgive me. | |
|
| |
| Total comments: 0 | |