|
|
| Line 1: |
Line 1: |
| − | Solid State Drives pose a variety of interesting challenges for computer forensics. Most SSD devices are based on flash memory. Flash has two properties that complicate its use in computer storage systems:
| + | System Analyst. |
| − | # Unlike normal hard drives that can be written in a single pass, flash memory is arranged in pages that must first be erased before it can be written.
| + | |
| − | # Each flash page consists of multiple blocks. Typically block size is 512 bytes and page size is 2KiB, 4KiB, or larger.
| + | |
| − | # Each page can be erased and rewritten a limited number of times---typically 1000 to 10,000. (Hard drive sectors, in contrast, can be rewritten millions of times or more.)
| + | |
| − | | + | |
| − | To overcome these problems, SSD manufacturers have created a system for ''wear leveling''---that is, spreading the writes to flash out among different sectors. Wear leveling is typically done with a ''flash translation layer'' that maps ''logical sectors'' (or LBAs) to ''physical pages.'' Most FTLs are contained within the SSD device and are not accessible to end users.
| + | |
| − | | + | |
| − | ==Bibliography==
| + | |
| − | <bibtex>
| + | |
| − | @inproceedings{wei2011,
| + | |
| − | author = {Michael Wei and Laura M. Grupp and Frederick M. Spada and Steven Swanson},
| + | |
| − | title = {Reliably Erasing Data from Flash-Based Solid State Drives},
| + | |
| − | booktitle={FAST 2011},
| + | |
| − | year = 2011,
| + | |
| − | keywords = {erasing flash security ssd},
| + | |
| − | added-at = {2011-02-22T09:22:03.000+0100},
| + | |
| − | url={http://cseweb.ucsd.edu/users/m3wei/assets/pdf/FMS-2010-Secure-Erase.pdf},
| + | |
| − | biburl = {http://www.bibsonomy.org/bibtex/27c408ad559fc19f829717f485707a909/schmidt2}
| + | |
| − | }
| + | |
| − | </bibtex>
| + | |
| − | <bibtex>
| + | |
| − | @article{bell2011,
| + | |
| − | author="Graeme B. Bell and Richard Boddington",
| + | |
| − | title="Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery?",
| + | |
| − | journal="Journal of Digital Forensics, Security and Law",
| + | |
| − | volume=5,
| + | |
| − | issue=3,
| + | |
| − | year=2011,
| + | |
| − | url={http://www.jdfsl.org/subscriptions/JDFSL-V5N3-Bell.pdf}
| + | |
| − | }
| + | |
| − | </bibtex>
| + | |
| − | <bibtex>
| + | |
| − | @inproceedings{Billard:2010:MSU:1774088.1774426,
| + | |
| − | author = {Billard, David and Hauri, Rolf},
| + | |
| − | title = {Making sense of unstructured flash-memory dumps},
| + | |
| − | booktitle = {Proceedings of the 2010 ACM Symposium on Applied Computing},
| + | |
| − | series = {SAC '10},
| + | |
| − | year = {2010},
| + | |
| − | isbn = {978-1-60558-639-7},
| + | |
| − | location = {Sierre, Switzerland},
| + | |
| − | pages = {1579--1583},
| + | |
| − | numpages = {5},
| + | |
| − | url = {http://doi.acm.org/10.1145/1774088.1774426},
| + | |
| − | doi = {http://doi.acm.org/10.1145/1774088.1774426},
| + | |
| − | acmid = {1774426},
| + | |
| − | publisher = {ACM},
| + | |
| − | address = {New York, NY, USA},
| + | |
| − | keywords = {cell phone, computer forensics, file carving, flash-memory dumps, forensics},
| + | |
| − | }
| + | |
| − | </bibtex>
| + | |
| − | <bibtex>
| + | |
| − | @mastersthesis{regan:2009,
| + | |
| − | title="The Forensic Potential of Flash Memory",
| + | |
| − | author="James E. Regan",
| + | |
| − | school="Naval Postgraduate School",
| + | |
| − | address="Monterey, CA",
| + | |
| − | date=Sep,
| + | |
| − | year=2009,
| + | |
| − | pages=86,
| + | |
| − | url="http://handle.dtic.mil/100.2/ADA509258"
| + | |
| − | }
| + | |
| − | </bibtex>
| + | |
| − | <bibtex>
| + | |
| − | @inproceedings{Phillips:2008:RDU:1363217.1363243,
| + | |
| − | author = {Phillips, B. J. and Schmidt, C. D. and Kelly, D. R.},
| + | |
| − | title = {Recovering data from USB flash memory sticks that have been damaged or electronically erased},
| + | |
| − | booktitle = {Proceedings of the 1st international conference on Forensic applications and techniques in telecommunications, information, and multimedia and workshop},
| + | |
| − | series = {e-Forensics '08},
| + | |
| − | year = {2008},
| + | |
| − | isbn = {978-963-9799-19-6},
| + | |
| − | location = {Adelaide, Australia},
| + | |
| − | pages = {19:1--19:6},
| + | |
| − | articleno = {19},
| + | |
| − | numpages = {6},
| + | |
| − | url = {http://portal.acm.org/citation.cfm?id=1363217.1363243},
| + | |
| − | acmid = {1363243},
| + | |
| − | publisher = {ICST (Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering)},
| + | |
| − | address = {ICST, Brussels, Belgium, Belgium},
| + | |
| − | keywords = {data recovery, flash memory, semiconductor data remanence},
| + | |
| − | }
| + | |
| − | </bibtex>
| + | |
| − | | + | |
| − | ==Presentations==
| + | |
| − | * [http://www.snia.org/events/storage-developer2009/presentations/thursday/NealChristiansen_ATA_TrimDeleteNotification_Windows7.pdf ATA Trim / Delete Notification Support in Windows 7], Neal Christiansen, Storage Developer 2009
| + | |
| − | * [http://www.slideshare.net/digitalassembly/challenges-of-ssd-forensic-analysis Challenges of SSD Forensic Analysis], Digital Assembly.
| + | |
| − | * [http://www.youtube.com/watch?v=WcO7xn0wJ2I ]Solid State Drives: Ruining Forensics, by Scott Moulton, DEFCON 16 (2008)
| + | |
| − | * Scott Moulton, Shmoocon 20008, SSD drives vs. Hard Drives.
| + | |
| − | ** [http://www.youtube.com/watch?v=l4hbdZFWGog SSD Flash Hard Drives - Shmoocon 2008 - Part 1]
| + | |
| − | ** [http://www.youtube.com/watch?v=mglEnIPnzjo SSD Flash Hard Drives - Shmoocon 2008 - Part 2]
| + | |
| − | ** [http://www.youtube.com/watch?v=3psy_d-pyNg SSD Flash Hard Drives - Shmoocon 2008 - Part 3]
| + | |
| − | ** [http://www.youtube.com/watch?v=pKeZvhDd5c4 SSD Flash Hard Drives - Shmoocon 2008 - Part 4]
| + | |
| − | ** [http://www.youtube.com/watch?v=9XMBdDypSO4 SSD Flash Hard Drives - Shmoocon 2008 - Part 5]
| + | |
| − | ** [http://www.youtube.com/watch?v=LY36SWbfQg0 SSD Flash Hard Drives - Shmoocon 2008 - Part 6]
| + | |
| − | * [http://risky.biz/RB185 Risky Business #185], Peter Gutmann talks SSD forensics, March 4, 2011 (Radio Show)
| + | |
