[LINK] Self-erasing flash drives destroy court evidence

Bernard Robertson-Dunn brd at iimetro.com.au
Thu Mar 3 09:55:23 AEDT 2011

Self-erasing flash drives destroy court evidence
'Golden age' of forensics coming to close
By Dan Goodin in San Francisco
Posted in ID, 1st March 2011
The Register

The inner workings of solid state storage devices are so fundamentally 
different from traditional hard drives that forensic investigators can 
no longer rely on current preservation techniques when admitting 
evidence stored on them in court cases, Australian scientists said in a 
research paper.

Data stored on Flash drives is often subject to a process the scientists 
called “self-corrosion,” in which evidence is permanently erased or 
contaminated in ways that bits stored on magnetic-based hard drives are 
not. The alterations happen in the absence of any instructions from the 
user. The findings introduce a “grey area” into the integrity of files 
that are forensically extracted from the devices and threaten to end a 
“golden age” of digital evidence gathering offered by older storage types.

“Given the pace of development in SSD memory and controller technology, 
and the increasingly proliferation [sic] of manufacturers, drives, and 
firmware versions, it will probably never be possible to remove or 
narrow this new grey area within the forensic and legal domain,” the 
scientists, from Australia's Murdoch University, wrote. “It seems 
possible that the golden age for forensic recovery and analysis of 
deleted data and deleted metadata may now be ending.”

For decades, investigators have worked with tape, floppy drives and hard 
drives that continue to store huge amounts of information even when the 
files they're contained in are marked for deletion. Even wiping the 
disks isn't always enough to permanently erase the contents. SSDs, by 
contrast, store data in blocks or pages of NAND-based transistor chips 
that must be electronically erased before they can be reused.

As a result, most SSDs have firmware that automatically carries out 
“self healing” or “garbage collection” procedures that can permanently 
erase or alter files that have been marked for deletion. The process 
often begins as soon as three minutes after the drive is powered on and 
happens with no warning. The user need not initiate any commands, and 
the drive emits no lights or makes any sounds to indicate the purging is 
taking place.

What's more, the use of so-called write blockers and other techniques 
designed to isolate a drive during forensic imaging offered no 
protection. That's because the garbage collection is initiated by the 
SSD firmware that's independent from commands issued by the computer 
it's attached to.

“If garbage collection were to take place before or during forensic 
extraction of the drive image, it would result in irreversible deletion 
of potentially large amounts of valuable data that would ordinarily be 
gathered as evidence during the forensic process – we call this 
'corrosion of evidence,'” the scientists wrote.

The findings have serious consequences for criminal and civil court 
cases that rely on digital evidence. If the disk from which the data 
comes appears to have been tampered with after it was seized, an 
opposing party frequently has grounds for having the evidence thrown out 
of court. The paper comes as a growing number of computer makers 
integrate SSDs into the machines they sell. The drives have many 
benefits over their magnetic brethren, including speed, lower power 
consumption and durability.

At first blush, the results appear to conflict with those of a recent 
paper that found data fragments stored on flash drives can be virtually 
<http://www.theregister.co.uk/2011/02/21/flash_drive_erasing_peril/> It 
may be the case that what both research teams are saying is that data 
stored on the newfangled devices can't be reliably deleted or preserved 
the way it can on magnetic media.

Researchers Graeme B. Bell and Richard Boddington, of Murdoch 
University's School of IT, arrived at their findings by comparing the 
way data is preserved on a 64GB Corsair P64 SSD versus an 80GB Hitachi 
Deskstar hard drive. A PDF of their paper, which previously was 
published in December in The Journal of Digital Forensics, Security and 
Law, is here. <http://www.jdfsl.org/subscriptions/JDFSL-V5N3-Bell.pdf>



Bernard Robertson-Dunn
Canberra Australia
email:	 brd at iimetro.com.au
website: www.drbrd.com

More information about the Link mailing list