Many thanks to Roman Morozov, ACELab technical support specialist, for sharing his extensive knowledge and expertise and for all the time he spent ditching bugs in this article.

SSDs are weird in the way they write data, and even weirder in the way they delete information. In the good old days of striped magnetic recording, one could delete a file and rest assured its content was still there until overwritten at some (hopefully distant) moment in the future. Not so on an SSD. They are different in handling deleted data, wiping evidence irreversibly in the background like they were criminals' best friends. Just power on the SSD, and it'll start background garbage collection, erasing trimmed blocks even if you connected it through a write blocker. Image the SSD, and you won't find anything in the "empty" areas, even if the actual data was still there at the time of the imaging.

One more thing: your SSD has more storage capacity than it says on the box. 5 to 15% of the physical storage capacity is dedicated to a non-addressable pool; any data one deletes from the SSD that is subsequently trimmed by the OS can go straight into that pool, without any chance of accessing or even addressing the blocks.

Until very recently your only way of accessing deleted evidence on an SSD would be taking the chips off and performing a labour-intensive, time-consuming (let alone extremely expensive) chip-off analysis. We asked our partners from a forensic data recovery lab, and they told us they can do a four-chip SSD in a matter of two weeks. They also said they'd rather steer clear of the recent ten-chip SSDs, and they won't do anything about encryption.

Did I say encryption? It could be easier than you think. A recent discovery points out that Windows built-in BitLocker protection tends to delegate the job of encrypting data to the SSD controller (as opposed to doing the encryption on the computer using the CPU). As found in the research, many consumer-grade SSDs take it easy, keeping the encryption key unprotected in the storage chips on the SSD.

In this article, we'll talk about a recent development in SSD forensics that makes it possible to prevent background trimming of evidence and provides access to the entire storage capacity of the disk, including non-addressable areas. This method employs a so-called factory access mode. However, before we talk about factory access mode, let us first have a look at how SSDs store information and why it is so easy to destroy evidence and so insanely difficult to recover it. Unlike magnetic hard drives using more or less sequential writing (bar fragmentation and bad sector remapping), SSD drives ditch linear writing. Instead, information is broken into small blocks that are written to the different NAND chips concurrently.