Solid-State Disk Forensics

Earlier this year, I wrote about some of the new security issues presented by the increasing use of solid-state disk [SSD] technology.  In particular, some of the methods developed for “sanitizing” conventional disk drives — that is, deleting stored data in a manner that prevents its recovery — do not work reliably or at all for SSD devices.  Some of these devices include a “secure erase” capability, meant to address this issue, but even this is not a truly reliable solution.

The SANS Internet Storm Center has a diary entry, by Daniel Wesemann, revisiting this issue, particularly as it pertains to forensic examinations.  It turns out that the picture is also a bit gloomy from this perspective.   A forensic examiner will often want to get an exact bit-level copy of a storage device, to be used for later analysis.  Unfortunately, some of the “wear leveling” capabilities built into SSDs can autonomously rearrange and re-write data sectors as soon as power is supplied to the device, without any instructions from the host computer.  This can corrupt evidence, and can make the recovery of deleted files nearly impossible.  (Wesemann refers to an excellent paper [PDF] by Graeme Bell and Richard Boddington describing this phenomenon, which they call “self-corrosion”.)
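One way to check whether a device changed between two acquisitions is to compare the images chunk by chunk rather than only by whole-image hash. The following is an added example, not code from the diary entry or the paper; the function names, the 4096-byte chunk size and the sample data are assumptions, and flagging all-zero chunks assumes the controller returns zeros for blocks it has erased.

```python
import hashlib
import io

CHUNK = 4096  # comparison granularity in bytes (assumed value)

def diff_acquisitions(first, second, chunk=CHUNK):
    """Compare two acquisitions of the same device, chunk by chunk.

    Returns (sha256_first, sha256_second, extents), where extents is a list
    of (offset, length, zero_filled) runs that differ between the images.
    """
    h1, h2 = hashlib.sha256(), hashlib.sha256()
    extents = []
    offset = 0
    while True:
        a, b = first.read(chunk), second.read(chunk)
        if not a and not b:
            break
        h1.update(a)
        h2.update(b)
        size = max(len(a), len(b))
        if a != b:
            # Assumption: erased blocks read back as zeros in the later image.
            zeroed = len(b) > 0 and b.count(0) == len(b)
            last = extents[-1] if extents else None
            # Merge with the previous extent when contiguous and of the same kind.
            if last and last[0] + last[1] == offset and last[2] == zeroed:
                extents[-1] = (last[0], last[1] + size, zeroed)
            else:
                extents.append((offset, size, zeroed))
        offset += size
    return h1.hexdigest(), h2.hexdigest(), extents

def make_sample_images():
    """Constructed sample data: 8 chunks, three of which change between reads."""
    before = b"".join(bytes([i + 1]) * CHUNK for i in range(8))
    after = bytearray(before)
    after[2 * CHUNK:4 * CHUNK] = bytes(2 * CHUNK)   # chunks 2-3 now read as zeros
    after[6 * CHUNK:7 * CHUNK] = b"\xaa" * CHUNK    # chunk 6 rewritten
    return before, bytes(after)

if __name__ == "__main__":
    img1, img2 = make_sample_images()
    d1, d2, changed = diff_acquisitions(io.BytesIO(img1), io.BytesIO(img2))
    print("image hashes match:", d1 == d2)
    for off, length, zeroed in changed:
        print(f"offset {off:#x} length {length} zero_filled={zeroed}")
```

Recording the differing extents alongside both image hashes documents which regions were unstable, instead of leaving only a hash mismatch in the case notes.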

If you use these devices for any system that stores sensitive data, or that may be subject to malicious hacking (thus perhaps requiring forensic analysis), you should take a bit of time to familiarize yourself with their idiosyncrasies.  Especially for portable devices, you should seriously consider using “full disk” encryption; this also addresses other problems, like loss of the device.  Above all, do not assume that SSDs work just like rotating magnetic disks; they don’t, and those differences can bite you.
