Digital forensics on an SSD

Recently I was able to listen to a guest lecture by a chap working in the digital forensics field. There were a few interesting things to come out of the lecture. They are, in no particular order:

  • document and timestamp everything you do - it doesn't matter if it's written down or you use software, but you have to show the steps you went through to reach the conclusions you're putting forward
  • EnCase is an industry-favourite piece of software
  • small cases can take you in surprising directions - you can start with a $40,000 fraud case and end up with a $250,000+ fraud case!
  • recovering RAID arrays can be tricky - but you can image each disk and use EnCase to rebuild the array, which is pretty neat!
  • you can't carve an SSD to recover data like you would a HDD

That last point is the one I want to mention. On a magnetic hard disk drive (the regular type of drive people have been using), when a file is deleted it's removed from the File Allocation Table and the computer treats that space as free, ready to be overwritten. It's relatively straightforward to then get that data back - a process I've performed dozens of times to save someone's bacon when they've deleted all their uni work (for example). But on an SSD the process is different.

On a TRIM-enabled SSD (and this is all modern SSDs) the data is removed immediately when you delete it. The OS clears the space for re-use and it's not recoverable. This applies to USB drives as well - any flash media, in fact. Once a file is marked for deletion, the operating system erases it completely and then that space is available again. This keeps the SSD running fast. It makes it very hard, if not impossible, to perform data carving (or recovery) on an SSD. Uh oh - that makes life harder for the digital forensics expert!
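As an added illustration (not the lecturer's or the author's code), here is a small Python model of the two cases described above: header/footer carving recovers a file after an HDD-style delete because the blocks still hold the bytes, while after TRIM the same carve finds nothing. All values are constructed, and it assumes a simplified drive that reads trimmed LBAs back as zeros (real drives differ in whether they do).

```python
import re

# PNG header and IEND trailer bytes, used as the carving signature.
PNG_HEADER = b"\x89PNG\r\n\x1a\n"
PNG_TRAILER = b"IEND\xaeB`\x82"
BLOCK_SIZE = 512


def build_image(payload: bytes, start_block: int, blocks: int = 64) -> bytearray:
    """Constructed raw image: an all-zero 'disk' with one file written at start_block."""
    img = bytearray(BLOCK_SIZE * blocks)
    off = start_block * BLOCK_SIZE
    img[off:off + len(payload)] = payload
    return img


def carve_png(img: bytes) -> list[bytes]:
    """Header/footer carving: walk the raw bytes, ignore any file table, and cut out
    every PNG header up to the next IEND trailer. This is what works on a HDD."""
    found = []
    for m in re.finditer(re.escape(PNG_HEADER), img):
        end = img.find(PNG_TRAILER, m.end())
        if end != -1:
            found.append(bytes(img[m.start():end + len(PNG_TRAILER)]))
    return found


def trim_blocks(img: bytearray, blocks: list[int]) -> None:
    """Model of TRIM: the OS tells the drive these LBAs are free and the drive then
    reads them back as zeros (assumes deterministic read-zero after TRIM)."""
    for b in blocks:
        img[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = bytes(BLOCK_SIZE)


def demo() -> tuple[int, int]:
    """Returns (files carved after a HDD-style delete, files carved after TRIM)."""
    payload = PNG_HEADER + b"constructed pixel data" + PNG_TRAILER
    img = build_image(payload, start_block=10)
    file_table = {"photo.png": [10]}  # constructed allocation table: name -> blocks

    # HDD-style delete: only the table entry goes; the blocks still hold the bytes.
    freed = file_table.pop("photo.png")
    hdd_hits = len(carve_png(img))  # 1: the file is still there to carve

    # SSD-style delete: the OS also issues TRIM for the freed blocks.
    trim_blocks(img, freed)
    ssd_hits = len(carve_png(img))  # 0: nothing left to carve
    return hdd_hits, ssd_hits


if __name__ == "__main__":
    print(demo())
```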

It's amazing though - even with these kinds of hurdles to getting data out and processing it, people still make it easy to be caught. For example, using work email to talk about things people are doing wrong, or storing data on work computers that holds evidence of wrongdoing. There is no expectation of privacy when you use a work asset - the company owns all this stuff and all the data on it. And most companies will comply with search orders, giving an investigator plenty of access to what they are looking for.

It's interesting stuff, but I don't think I'll make a career of it - getting into the business seems quite tricky, and while it is a fascinating field, there is a lot of tedious combing through search hits for relevant results that, quite frankly, looks boring. Never say never though!
