SSD's acquisition

SilesianMan
(@silesianman)
Posts: 15
Active Member
Topic starter
 

Hi everyone,

I would like to ask you, how do you deal with SSD acquisition?

We all know the issue with TRIM and garbage collection (Hash verification).

Is there any magic step to comply with forensic rules whilst acquiring such drives, or do you just insert the information about this "functionality" into the acquisition protocol?

Best regards,
Karol

 
Posted : 05/11/2015 3:05 pm
EricZimmerman
(@ericzimmerman)
Posts: 222
Estimable Member
 

it is what it is and it has changed things from the 'old way' for sure. you have to be able to articulate why something has changed when things do not match. it's not a problem for active stuff and most cases rely on active vs only recoverable anyways, so not a HUGE issue IMO

 
Posted : 26/11/2015 12:23 am
Adam10541
(@adam10541)
Posts: 550
Honorable Member
 

I've never had an SSD fail to verify hashes after acquisition, so not sure how much of an issue that is in the wild really.

 
Posted : 26/11/2015 6:06 am
(@mscotgrove)
Posts: 938
Prominent Member
 

As I understand it, TRIM etc. will have settled down after maybe 30 mins idle time. If a device is then read with a write blocker, it should have stable hash values on imaging.

If caught in the first 30 mins (or whatever time interval it is depending on recent activity) the data may not be stable.

 
Posted : 26/11/2015 3:03 pm
(@trewmte)
Posts: 1877
Noble Member
 

Depends whether TRIM is active on the SSD you are examining. An example:

http://arstechnica.com/apple/2015/06/latest-os-x-update-allows-you-to-enable-trim-for-third-party-ssds/

> Pretty much every operating system in use these days supports TRIM—a special ATA command that the OS sends along to an SSD when deleting files on that SSD. The lone exception to that list has been Apple’s OS X, which—at least until today—only supported TRIM on its OEM SSDs. If you took a Mac that originally came with a spinning disk and installed an aftermarket SSD in it yourself, the operating system wouldn’t use TRIM on the disk—at least, not unless you resorted to third-party tools.
>
> With today’s OS X 10.10.4 update, however, Apple has added a command line utility that can be used to enable TRIM on third-party SSDs without having to download and install anything. Called trimforce, the utility can be executed from the OS X terminal, and it requires a reboot to start working.

> As I understand it, TRIM etc. will have settled down after maybe 30 mins idle time. If a device is then read with a write blocker, it should have stable hash values on imaging.
>
> If caught in the first 30 mins (or whatever time interval it is depending on recent activity) the data may not be stable.

Is the 30 minutes from your own personal observations/experience or is there a study that defines "inactive", "settled" or "idle state" in time (..tDuration)?

 
Posted : 26/11/2015 4:51 pm
(@thefuf)
Posts: 262
Reputable Member
 

> I've never had an SSD fail to verify hashes after acquisition, so not sure how much of an issue that is in the wild really.

Tools like FTK Imager don't re-read a source drive for verification after acquisition, so you will not notice that a sector was changed after you copied it to a destination drive.

 
Posted : 26/11/2015 7:07 pm
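
The point in the post above, that a tool which never re-reads the source cannot notice a sector changing after it was copied, shown as an added example (not part of any poster's message and not code from any tool named in this thread): the source is read a second time and compared block by block with the image, so a post-acquisition change is both detected and located. The file names, the 4096-byte block size and the zeroed block are constructed for the demonstration; in practice `source` would be the write-blocked device.

```python
import hashlib
import os
import tempfile

BLOCK = 4096  # comparison granularity in bytes (assumed; pick to suit the case)

def block_digests(path, block=BLOCK):
    """Return (whole-file SHA-256 hex, list of per-block SHA-256 digests)."""
    whole, per_block = hashlib.sha256(), []
    with open(path, "rb") as f:
        while chunk := f.read(block):
            whole.update(chunk)
            per_block.append(hashlib.sha256(chunk).digest())
    return whole.hexdigest(), per_block

def reverify(source, image, block=BLOCK):
    """Re-read the source and compare it with the image taken earlier.

    Returns (match, changed) where changed lists the block numbers whose
    content differs, so the discrepancy can be documented precisely."""
    src_hash, src_blocks = block_digests(source, block)
    img_hash, img_blocks = block_digests(image, block)
    changed = [i for i, (s, d) in enumerate(zip(src_blocks, img_blocks)) if s != d]
    # A length difference counts as a change in every trailing block.
    lo, hi = sorted((len(src_blocks), len(img_blocks)))
    changed.extend(range(lo, hi))
    return src_hash == img_hash, changed

def demo():
    """Constructed data: a 16-block 'drive' whose block 5 is zeroed after imaging."""
    with tempfile.TemporaryDirectory() as d:
        source, image = os.path.join(d, "source.bin"), os.path.join(d, "image.dd")
        data = bytes(range(256)) * (16 * BLOCK // 256)
        for p in (source, image):          # acquisition: image == source
            with open(p, "wb") as f:
                f.write(data)
        before = reverify(source, image)
        with open(source, "r+b") as f:     # simulated post-acquisition change
            f.seek(5 * BLOCK)
            f.write(b"\x00" * BLOCK)
        after = reverify(source, image)
        return before, after

if __name__ == "__main__":
    print(demo())
```

Recording the changed block numbers alongside the two whole-drive hashes gives the acquisition notes something concrete to point to when the values do not match.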
(@thefuf)
Posts: 262
Reputable Member
 

> Depends whether TRIM is active on the SSD you are examining.

Trim should not be confused with garbage collection. Forensic issues with SSDs are triggered by garbage collection in most cases. See also http://media.kingston.com/images/ssd/technicalbrief/MKF_608_%20SSDGarbagecollectionTechBrief.pdf

 
Posted : 26/11/2015 7:23 pm
(@mscotgrove)
Posts: 938
Prominent Member
 

@trewmte

30 mins is just a figure I pulled out of the air. I went to an F3 presentation a few years ago and seem to remember reports of getting 'deleted' data for about 10 mins.

 
Posted : 26/11/2015 7:59 pm
(@trewmte)
Posts: 1877
Noble Member
 

> @trewmte
>
> 30 mins is just a figure I pulled out of the air. I went to an F3 presentation a few years ago and seem to remember reports of getting 'deleted' data for about 10 mins.

mscotgrove..ok…thanks for that, good advice … and you may find yourself being referenced for safe working practice…

 
Posted : 26/11/2015 11:49 pm
(@belkasoft)
Posts: 169
Estimable Member
 

> Hi everyone,
>
> I would like to ask you, how do you deal with SSD acquisition?
>
> We all know the issue with TRIM and garbage collection (Hash verification).
>
> Is there any magic step to comply with forensic rules whilst acquiring such drives, or do you just insert the information about this "functionality" into the acquisition protocol?
>
> Best regards,
> Karol

There is no silver bullet or magic. Please refer to the Belkasoft article at http://belkasoft.com/en/ssd-2014

 
Posted : 27/11/2015 1:14 am