SSDs and Digital Forensics

[Strikemaster]

The days of "The Man" easily finding stuff on your storage devices are on the way out. This rather interesting post on the Internet Storm Center blog details why lifting legal-grade evidence from solid-state drives is driving forensic experts batty.

One example given: fill a SSD with data until the device indicates full. Perform a "quick format" on it. Within 5 minutes, without any intervention from the operating system, the flash-memory "garbage collection" routines wipe practically all data from the drive. See page 6 of the second link if you're in a hurry.

 

[Greene420]

couldn't you just throw it in a microwave either one? (its there for your hot pockets, of course!)

 

[ckryan]

I read both the papers... Some of it I already had seen, but a lot is new to me.

Very interesting.

 

[KENNYB]

A secure erase takes only a few minutes and most of that time is spent rebooting your computer. I bet they hate secure erase.

 

[drescherjm]

The thing is that with both methods reformat and secure erase your data still exists in flash. The filesystem will be a jumbled mess because the mapping table is wiped out however if a file is entirely on a flash cell it will be totally readable unless the ssd controller uses encryption.

 

[MrGuvernment]

how soon until governments are trying to change how SSD drives work

 

[NandFlashGuy]

The thing is that with both methods reformat and secure erase your data still exists in flash. The filesystem will be a jumbled mess because the mapping table is wiped out however if a file is entirely on a flash cell it will be totally readable unless the ssd controller uses encryption.

Actually, the point of the UCSD paper was that Secure Erase implementations vary greatly from vendor to vendor.

If the vendor actually does erase all of the flash blocks holding user data, then Secure Erase is incredibly secure. However, certain vendors were simply updating a look-up table, resulting in the data still being resident on the Nand.