Black-box forensic and antiforensic characteristics of solid-state drives

  • Original Paper
Journal of Computer Virology and Hacking Techniques

Abstract

Solid-state drives (SSDs) are inherently different from traditional drives, as they incorporate data-optimization mechanisms to overcome their limitations (such as a limited number of program-erase cycles, or the need to blank a block before writing). The most common optimizations are wear leveling, trimming, compression, and garbage collection, which operate transparently to the host OS and, in certain cases, even when the disks are disconnected from a computer (but still powered up). Put simply, SSD controllers are designed to hide these internals completely, rendering them inaccessible except through direct acquisition of the memory cells. These optimizations may have a significant impact on the forensic analysis of SSDs. The main cause is that memory cells could be preemptively blanked, whereas a traditional drive sector would need to be explicitly rewritten to physically wipe off the data. Unfortunately, the existing literature on this subject is sparse and the conclusions are seemingly contradictory. In this work we propose a generic, practical, test-driven methodology that guides researchers and forensics analysts through a series of steps that assess the “forensic friendliness” of an SSD. Given a drive of the same brand and model as the one under analysis, our methodology produces a decision tree that can, for instance, help an analyst determine whether an expensive direct acquisition of the memory cells is worth the effort, because optimizations may have rendered the data unreadable or useless. Conversely, it can be used to assess the antiforensic techniques that stem from the characteristics of a given hardware, and to develop novel ones that are specifically suited to particular drives. We apply our methodology to three SSDs produced by top vendors (Samsung, Corsair, and Crucial), and provide a detailed description of how each step should be conducted. As a result, we provide two use cases: a test-driven triage classification of drives according to forensic friendliness, and the development of an anti-forensic technique specifically suited to a given drive.

Notes

  1. We used the TSOP NAND clip socket, available online for 29 USD.

References

  1. Wear leveling in micron NAND flash memory. Tech. Rep. TN-29-61, Micron Technology Inc. (2008). http://www.micron.com/~/media/Documents/Products/Technical

  2. Wear-leveling techniques in NAND flash devices. Tech. Rep. TN-29-42, Micron Technology Inc. (2008). http://www.micron.com/~/media/Documents/Products/Technical

  3. Microsoft Co.: Support and Q&A for Solid-State Drives. MSDN Blog (2009). http://blogs.msdn.com/b/e7/archive/2009/05/05/support-and-q-a-for-solid-state-drives-and.aspx

  4. Antonellis, C.J.: Solid state disks and computer forensics. ISSA J. 6(7), 36–38 (2008)

  5. Bell, G.B., Boddington, R.: Solid state drives: the beginning of the end for current practice in digital forensic recovery? J. Digit. Forensics Secur. Law 5(3), 1–20 (2010)

  6. Billard, D., Hauri, R.: Making sense of unstructured flash-memory dumps. In: SAC ’10, pp. 1579–1583. ACM, New York (2010)

  7. Bonetti, G., Viglione, M., Frossi, A., Maggi, F., Zanero, S.: A comprehensive black-box methodology for testing the forensic characteristics of solid-state drives. In: Proceedings of the Annual Computer Security Applications Conference (ACSAC). ACM (2013). doi:10.1145/2523649.2523660

  8. Breeuwsma, M., De Jongh, M., Klaver, C., Van Der Knijff, R., Roeloffs, M.: Forensic data recovery from flash memory. Small Scale Digit. Device Forensics J. 1, 1–17 (2007)

  9. Bunker, T., Wei, M., Swanson, S.: Ming II: a flexible platform for NAND flash-based research. Tech. Rep. CS2012-0978, UCSD CSE (2012)

  10. Chang, Y.H., Hsieh, J.W., Kuo, T.W.: Improving flash wear-leveling by proactively moving static data. IEEE Trans. Comput. 59(1), 53–65 (2010)

  11. Diesburg, S., Meyers, C., Stanovich, M., Mitchell, M., Marshall, J., Gould, J., Wang, A.I.A., Kuenning, G.: Trueerase: per-file secure deletion for the storage data path. In: Proceedings of the 28th Annual Computer Security Applications Conference, ACSAC ’12, pp. 439–448. ACM, New York (2012). doi:10.1145/2420950.2421013

  12. Gray, J., Fitzgerald, B.: Flash disk opportunity for server applications. Queue 6(4), 18–23 (2008)

  13. Hu, X.Y., Eleftheriou, E., Haas, R., Iliadis, I., Pletka, R.: Write amplification analysis in flash-based solid state drives. In: SYSTOR ’09, pp. 10:1–10:9. ACM, New York (2009)

  14. Intel: AP-684: Understanding the flash translation layer (FTL) specification. Intel Application Note. (1998) http://www.jbosn.com/download_documents/FTL_INTEL.pdf

  15. King, C., Vidas, T.: Empirical Analysis of Solid State Disk Data Retention When Used with Contemporary Operating Systems, pp. S111–S117. Elsevier Science Publishers B. V., Amsterdam (2011)

  16. Luck, J., Stokes, M.: An integrated approach to recovering deleted files from nand flash data. Small Scale Digit. Device Forensics J. 2(1), 1941–6164 (2008)

  17. Rajgarhia, A., Gehani, A.: Performance and extension of user space file systems. In: Proceedings of the 2010 ACM Symposium on Applied Computing, SAC ’10, pp. 206–213. ACM, New York (2010). doi:10.1145/1774088.1774130

  18. Skorobogatov, S.P.: Data remanence in flash memory devices. In: Cryptographic Hardware and Embedded Systems—CHES 2005, 7th Intl. Workshop, Edinburgh, UK, August 29–September 1, 2005, Proc., Lecture Notes in Computer Science, vol. 3659, pp. 339–353. Springer, Berlin (2005)

  19. Templeman, R., Kapadia, A.: Gangrene: exploring the mortality of flash memory. In: HotSec’12, pp. 1–1. USENIX Association, Berkeley (2012)

  20. Wei, M., Grupp, L.M., Spada, F.E., Swanson, S.: Reliably erasing data from flash-based solid state drives. In: FAST’11, pp. 8–8. USENIX Association, Berkeley (2011)

Acknowledgments

This paper was published, in an earlier version [7], in the proceedings of the ACSAC 2013 conference. The authors are grateful to the anonymous reviewers and to the conference attendees, who pointed out weaknesses and significantly contributed to the improvement of this research. We wish to particularly acknowledge the fruitful discussions at the conference with Dr. Sarah Diesburg. The research leading to these results has received funding from the European Union Seventh Framework Programme (FP7/2007–2013) under Grant Agreement No 257007, as well as from the TENACE PRIN Project (No. 20103P34XC) funded by the Italian Ministry of Education, University and Research.

Author information

Corresponding author

Correspondence to Stefano Zanero.

Electronic supplementary material

Below is the link to the electronic supplementary material.

ESM 1 (PDF 294 kb)

About this article

Cite this article

Bonetti, G., Viglione, M., Frossi, A. et al. Black-box forensic and antiforensic characteristics of solid-state drives. J Comput Virol Hack Tech 10, 255–271 (2014). https://doi.org/10.1007/s11416-014-0221-z

  • DOI: https://doi.org/10.1007/s11416-014-0221-z
