Difference between pages "USBCrypt" and "Solid State Drive (SSD) Forensics"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
m (spelling)
 
(Bibliography: added recent article on SSD forensics.)
 
Line 1: Line 1:
{{Infobox_Software |
+
Solid State Drives pose a variety of interesting challenges for computer forensics in comparison with traditional rotating magnetic platter hard drives.  
  name = USBCrypt |
+
  maintainer = WinAbility Software |
+
  os = {{Windows}} |
+
  genre = {{Encryption}} |
+
  license = WinAbility Software License |
+
  website = [http://www.winability.com/usbcrypt/ winability.com/usbcrypt] |
+
}}
+
  
'''USBCrypt''' is a commercial (closed source) software intended primarily to encrypt external USB drives. (However, the encryption is not limited to the external drives or to the USB connection: any drive that is recognized by Windows as a valid drive with read-write access can be encrypted with USBCrypt.) USBCrypt software is [[Windows|Windows 7, Vista, XP, 2000]]-only. It supports [[AES]], and [[Twofish]] encryption with the 128- and 256-bit keys, in the [[XTS]] and [[CBC]] encryption modes.
+
Most SSD devices are based on flash memory; some have battery backed SRAM or DRAM with a flash backing store.
  
== Recognizing drives encrypted with USBCrypt ==
+
Flash has a number of key properties that complicate its use in computer storage systems and subsequent forensic analysis:
 +
# Internally, flash memory is not divided into the traditional 512 byte blocks, but instead is in pages of 2KiB, 4KiB, or larger, although it is still presented to the host computer in blocks
 +
# Whilst hard drives can be written in a single pass, flash memory pages must be erased (in whole) before they can be rewritten.
 +
# Rewriting a block at the operating system level does not necessarily rewrite the same page in the flash memory due to the controller remapping data to spread wear or avoid failing pages
 +
# Each page can be erased and rewritten a limited number of times – typically 1000 to 10,000. (Hard drive sectors, in contrast, can be rewritten millions of times or more.)
 +
# Flash data is often encrypted on the drive, and can be "erased" by telling the controller to forget the old key and generate a new one, as well as marking all blocks as unused
  
USBCrypt encrypts drives by creating the file-based Virtual Encrypted Disks on them. In addition to one or more files that contain the encrypted data, USBCrypt also puts a portable software on the drive, to enable its use on other computers. While the encrypted data files contain no identifying information (and thus support [[plausible deniability]]), the presence of other supporting files makes it easy to identify the drives encrypted with USBCrypt: the root folder of the encrypted drive contains the file USBCrypt.exe as well as a folder named USBCrypt-system. The latter contains the encrypted data files as well as USBCrypt software files (DLL and SYS). The file USBCrypt.ini is a text-only file that contains settings as well as license information (including the name of the person or business who has purchased the software).
+
The controller in a flash SSD is significantly more complex in the number of tasks it has to perform in comparison to a magnetic rotating drive, with the following features:
 +
# ''wear leveling'' – that is, spreading the writes to flash out among different sectors. Wear leveling is typically done with a ''flash translation layer'' that maps ''logical sectors'' (or LBAs) to ''physical pages''. Most FTLs are contained within the SSD device and are not accessible to end users.
 +
# ''read/modify/relocate+write'' - if the controller allows rewriting of a partial flash page, it must read the entire page, modify the sector that is being written, and write the new flash page in a new/fresh location which has been previously erased. the old pre-modification data's page is then queued for erase.
  
== Spare-key file ==
 
  
When the user is encrypting a drive with USBCrypt software, s/he has the option to create a "spare key" file on the user's computer. This file contains a copy of the encryption key that can be used by the user if s/he forgets the main encryption password. Or, it can be used by a system administrator to get access to the encrypted data in case the employees leave the company and take the passwords with them. Each spare key file contains a copy of just one encryption key for the specific encrypted drive it was created for. It cannot be used to decrypt any other drive, even if the user has used the same password and encryption algorithm. USBCrypt can automatically detect whether it can decrypt a specific drive with a spare key.
 
  
== Forensic Acquisition ==
+
==Bibliography==
 +
<bibtex>
 +
@inproceedings{wei2011,
 +
  author = {Yuri Gubanov, Oleg Afonin},
 +
  title = {Why SSD Drives Destroy Court Evidence, and What Can Be Done About It},
 +
  booktitle={Article},
 +
  year = 2012,
 +
  keywords = {ssd forensics},
 +
  added-at = {2012-09-01T09:00:00.000+0100},
 +
  url={http://forensic.belkasoft.com/en/why-ssd-destroy-court-evidence}
 +
}
 +
</bibtex>
  
If you encounter a system that has a live USBCrypt drive, it is imperative that you capture the contents of the encrypted drive before disconnecting the drive or shutting down the system. Once the system is shutdown, the contents becomes inaccessible unless you have the proper encryption key generated by a user's password. If the encrypted drive in not live, it is imperative to secure access to the user's computer that was used to encrypt the drive: there is a possibility that the computer still has the "spare key" file stored on its hard drive, assuming the user has the selected the option to create such a file when encrypting the drive.   
+
<bibtex>
 +
@inproceedings{wei2011,
 +
  author = {Michael Wei and Laura M. Grupp and Frederick M. Spada and Steven Swanson},
 +
  title = {Reliably Erasing Data from Flash-Based Solid State Drives},
 +
  booktitle={FAST 2011},
 +
  year = 2011,
 +
  keywords = {erasing flash security ssd},
 +
  added-at = {2011-02-22T09:22:03.000+0100},
 +
  url={http://cseweb.ucsd.edu/users/m3wei/assets/pdf/FMS-2010-Secure-Erase.pdf},
 +
  biburl = {http://www.bibsonomy.org/bibtex/27c408ad559fc19f829717f485707a909/schmidt2}
 +
}
 +
</bibtex>
 +
<bibtex>
 +
@article{bell2011,
 +
author="Graeme B. Bell and Richard Boddington",
 +
title="Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery?",
 +
journal="Journal of Digital Forensics, Security and Law",
 +
volume=5,
 +
issue=3,
 +
year=2011,
 +
url={http://www.jdfsl.org/subscriptions/JDFSL-V5N3-Bell.pdf}
 +
}
 +
</bibtex>
 +
<bibtex>
 +
@inproceedings{Billard:2010:MSU:1774088.1774426,
 +
author = {Billard, David and Hauri, Rolf},
 +
title = {Making sense of unstructured flash-memory dumps},
 +
booktitle = {Proceedings of the 2010 ACM Symposium on Applied Computing},
 +
series = {SAC '10},
 +
year = {2010},
 +
isbn = {978-1-60558-639-7},
 +
location = {Sierre, Switzerland},
 +
pages = {1579--1583},
 +
numpages = {5},
 +
url = {http://doi.acm.org/10.1145/1774088.1774426},
 +
doi = {http://doi.acm.org/10.1145/1774088.1774426},
 +
acmid = {1774426},
 +
publisher = {ACM},
 +
address = {New York, NY, USA},
 +
keywords = {cell phone, computer forensics, file carving, flash-memory dumps, forensics},
 +
}
 +
</bibtex>
 +
<bibtex>
 +
@mastersthesis{regan:2009,
 +
  title="The Forensic Potential of Flash Memory",
 +
  author="James E. Regan",
 +
   school="Naval Postgraduate School",
 +
  address="Monterey, CA",
 +
  date=Sep,
 +
  year=2009,
 +
  pages=86,
 +
  url="http://handle.dtic.mil/100.2/ADA509258"
 +
}
 +
</bibtex>
 +
<bibtex>
 +
@inproceedings{Phillips:2008:RDU:1363217.1363243,
 +
author = {Phillips, B. J. and Schmidt, C. D. and Kelly, D. R.},
 +
title = {Recovering data from USB flash memory sticks that have been damaged or electronically erased},
 +
booktitle = {Proceedings of the 1st international conference on Forensic applications and techniques in telecommunications, information, and multimedia and workshop},
 +
series = {e-Forensics '08},
 +
year = {2008},
 +
isbn = {978-963-9799-19-6},
 +
location = {Adelaide, Australia},
 +
pages = {19:1--19:6},
 +
articleno = {19},
 +
numpages = {6},
 +
url = {http://portal.acm.org/citation.cfm?id=1363217.1363243},
 +
acmid = {1363243},
 +
publisher = {ICST (Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering)},
 +
address = {ICST, Brussels, Belgium, Belgium},
 +
keywords = {data recovery, flash memory, semiconductor data remanence},
 +
}
 +
</bibtex>
  
== Attacks ==
+
==Presentations==
If the "spare key" file for the encrypted drive has not been obtained, then the only option for acquiring the content of a dismounted USBCrypt drive is to do a brute-force password guessing attack. USBCrypt software itself contains a built-in command to perform the brute-force attack on the drives it encrypts.
+
* [http://asalor.blogspot.com/2011/08/trim-dm-crypt-problems.html Milan Broz's blog - TRIM & dm-crypt ... problems?]
 
+
* [http://www.snia.org/events/storage-developer2009/presentations/thursday/NealChristiansen_ATA_TrimDeleteNotification_Windows7.pdf ATA Trim / Delete Notification Support in Windows 7], Neal Christiansen, Storage Developer 2009
== External Links ==
+
* [http://www.slideshare.net/digitalassembly/challenges-of-ssd-forensic-analysis Challenges of SSD Forensic Analysis], Digital Assembly,
 
+
* [http://www.youtube.com/watch?v=WcO7xn0wJ2I Solid State Drives: Ruining Forensics], by Scott Moulton, DEFCON 16 (2008)
* [http://www.winability.com/usbcrypt/ Official website]
+
* Scott Moulton, Shmoocon 20008,  SSD drives vs. Hard Drives.
* [http://www.usbcrypt.com/ USBCrypt web site]
+
** [http://www.youtube.com/watch?v=l4hbdZFWGog SSD Flash Hard Drives - Shmoocon 2008 - Part 1]
 
+
** [http://www.youtube.com/watch?v=mglEnIPnzjo SSD Flash Hard Drives - Shmoocon 2008 - Part 2]
[[Category:Encryption]]
+
** [http://www.youtube.com/watch?v=3psy_d-pyNg SSD Flash Hard Drives - Shmoocon 2008 - Part 3]
[[Category:Disk encryption]]
+
** [http://www.youtube.com/watch?v=pKeZvhDd5c4 SSD Flash Hard Drives - Shmoocon 2008 - Part 4]
 +
** [http://www.youtube.com/watch?v=9XMBdDypSO4 SSD Flash Hard Drives - Shmoocon 2008 - Part 5]
 +
** [http://www.youtube.com/watch?v=LY36SWbfQg0 SSD Flash Hard Drives - Shmoocon 2008 - Part 6]
 +
* [http://risky.biz/RB185 Risky Business #185], Peter Gutmann talks SSD forensics, March 4, 2011 (Radio Show)

Latest revision as of 08:59, 28 March 2013

Solid State Drives pose a variety of interesting challenges for computer forensics in comparison with traditional rotating magnetic platter hard drives.

Most SSD devices are based on flash memory; some have battery backed SRAM or DRAM with a flash backing store.

Flash has a number of key properties that complicate its use in computer storage systems and subsequent forensic analysis:

  1. Internally, flash memory is not divided into the traditional 512 byte blocks, but instead is in pages of 2KiB, 4KiB, or larger, although it is still presented to the host computer in blocks
  2. Whilst hard drives can be written in a single pass, flash memory pages must be erased (in whole) before they can be rewritten.
  3. Rewriting a block at the operating system level does not necessarily rewrite the same page in the flash memory due to the controller remapping data to spread wear or avoid failing pages
  4. Each page can be erased and rewritten a limited number of times – typically 1000 to 10,000. (Hard drive sectors, in contrast, can be rewritten millions of times or more.)
  5. Flash data is often encrypted on the drive, and can be "erased" by telling the controller to forget the old key and generate a new one, as well as marking all blocks as unused

The controller in a flash SSD is significantly more complex in the number of tasks it has to perform in comparison to a magnetic rotating drive, with the following features:

  1. wear leveling – that is, spreading the writes to flash out among different sectors. Wear leveling is typically done with a flash translation layer that maps logical sectors (or LBAs) to physical pages. Most FTLs are contained within the SSD device and are not accessible to end users.
  2. read/modify/relocate+write - if the controller allows rewriting of a partial flash page, it must read the entire page, modify the sector that is being written, and write the new flash page in a new/fresh location which has been previously erased. the old pre-modification data's page is then queued for erase.


Bibliography

Yuri Gubanov, Oleg Afonin - Why SSD Drives Destroy Court Evidence, and What Can Be Done About It
Article ,2012
http://forensic.belkasoft.com/en/why-ssd-destroy-court-evidence
Bibtex
Author : Yuri Gubanov, Oleg Afonin
Title : Why SSD Drives Destroy Court Evidence, and What Can Be Done About It
In : Article -
Address :
Date : 2012

Michael Wei, Laura M. Grupp, Frederick M. Spada, Steven Swanson - Reliably Erasing Data from Flash-Based Solid State Drives
FAST 2011 ,2011
http://cseweb.ucsd.edu/users/m3wei/assets/pdf/FMS-2010-Secure-Erase.pdf
Bibtex
Author : Michael Wei, Laura M. Grupp, Frederick M. Spada, Steven Swanson
Title : Reliably Erasing Data from Flash-Based Solid State Drives
In : FAST 2011 -
Address :
Date : 2011

Graeme B. Bell, Richard Boddington - Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery?
Journal of Digital Forensics, Security and Law 5,2011
http://www.jdfsl.org/subscriptions/JDFSL-V5N3-Bell.pdf
Bibtex
Author : Graeme B. Bell, Richard Boddington
Title : Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery?
In : Journal of Digital Forensics, Security and Law -
Address :
Date : 2011

Billard, David, Hauri, Rolf - Making sense of unstructured flash-memory dumps
Proceedings of the 2010 ACM Symposium on Applied Computing pp. 1579--1583, New York, NY, USA,2010
http://doi.acm.org/10.1145/1774088.1774426
Bibtex
Author : Billard, David, Hauri, Rolf
Title : Making sense of unstructured flash-memory dumps
In : Proceedings of the 2010 ACM Symposium on Applied Computing -
Address : New York, NY, USA
Date : 2010

James E. Regan - The Forensic Potential of Flash Memory
Master's Thesis, Naval Postgraduate School , Monterey, CA,2009
http://handle.dtic.mil/100.2/ADA509258
Bibtex
Author : James E. Regan
Title : The Forensic Potential of Flash Memory
In : Master's Thesis, Naval Postgraduate School -
Address : Monterey, CA
Date : 2009

Phillips, B. J., Schmidt, C. D., Kelly, D. R. - Recovering data from USB flash memory sticks that have been damaged or electronically erased
Proceedings of the 1st international conference on Forensic applications and techniques in telecommunications, information, and multimedia and workshop pp. 19:1--19:6, ICST, Brussels, Belgium, Belgium,2008
http://portal.acm.org/citation.cfm?id=1363217.1363243
Bibtex
Author : Phillips, B. J., Schmidt, C. D., Kelly, D. R.
Title : Recovering data from USB flash memory sticks that have been damaged or electronically erased
In : Proceedings of the 1st international conference on Forensic applications and techniques in telecommunications, information, and multimedia and workshop -
Address : ICST, Brussels, Belgium, Belgium
Date : 2008

Presentations