DEFCON 16: Solid State Drives Destroy Forensic & Data Recovery Jobs: Animated!


Author: Christiaan008
31463 Views
44m 35s Length
157 Rating


Speaker: Scott Moulton, President of Forensic Strategy Services, LLC

This speech is all ANIMATION in 3D! Data on a Solid State Device is virtualized and the Physical Sector that you are asking for is not actually the sector it was 5 minutes ago. The data moves around using wear leveling schemes controlled by the drive using proprietary methods. When you ask for Sector 125, its physical address block is converted to an LBA block and every 5 write cycles the data is moved to a new and empty previously erased block. This destroys metadata used in forensics & data recovery. File Slack Space disappears; you can no longer be sure that the exact physical sector you are recovering was in the same location or has not been moved, or find out what it used to be! I will explain how Flash and Solid State Drives are different and compare them to hard drives in their ability to read and write data. What happens when they are damaged and a recovery needs to be done? In this process you will see how the data gets shuffled around and how some of the data is destroyed in the process, making it impossible in many cases to recover some files and metadata that on a hard drive has been a simple task by comparison. You will also get an idea about how the proprietary methods that each vendor is using will isolate you from knowing what is happening to your data or even where it is on the drive. And at the very least the animation is the quality of the History Channel and you will enjoy what you are learning!

For more information visit: http://bit.ly/defcon16_information
To download the video visit: http://bit.ly/defcon16_videos


Comments

  1. Not sure if I would be clapping after watching that.

    GC does not wipe data that has been deleted in the file system (unless the OS supports the trim command; then, as part of GC, which mostly reorganises data, it will start to 00 out blocks that have been marked as trimmed by the OS. This is why they find that most SSDs they get have no data (which are normally SATA SSDs; love how he likes to call all flash-based products SSDs). GC will not 00 out a block that has not been rewritten to; all it does is move data around so the over-provisioning space is optimised (which is usually 00s once the drive is idle), so leaving the SSD overnight will leave it in the same state it was in 10 hours ago (at the NAND level it might have moved around, but it will still be located at the same LBA block). If it has been trimmed the data is gone; data recovery just won't work on free space, only where there is data currently (unless they did a quick format, which is as good as a full format on an SSD as the whole drive is sent the trim command; secure erase on an SSD is even more complete and typically finishes in less than 30 seconds: NAND and page are cleared, and if it's a SED SSD, which most of the non-cheap ones are, it also resets the public and private keys + the NAND and page wipe, which makes data completely unrecoverable).

    My years of experience may show that I know more than him on how stuff works, even to the point about USB sticks not doing any processing, which is rubbish: every single USB flash stick has a very slim ARM CPU in it that manages the stuff; all the computer is doing is talking to that chip. The PC is not managing the wear leveling of the USB stick; the OS has no control over where the data goes, or how ECC (if any) works, on what the flash is doing.

    I typed this up fast so there may be errors in here.
  2. 27:00 is bull; SSDs don't get smaller when they run out of spare blocks, they typically fail (really they should just mark any new blocks as unwriteable), but an SSD never gets smaller as they are not aware of the filesystem or partition tables on it. All they are aware of is the 4k (not 512; SSDs and HDDs have not used 512 for years now) sectors of data that have been written and when a trim command has been sent to erase them.

    I guess he's going to go on about how most of the SSD is now all 00s when you look at it via a hex tool. Well duh, Windows 7 and higher trims all deleted files, so when you save a new file the old data is gone almost immediately, if not when idle; queued trim runs when the SSD is idle.

    Funny thing is, if you do a Windows quick format the SSD is sent a full trim command for the partition size, then the file system is regenerated, so no data recovery.
  3. Just wanted to say thank you for sharing this presentation. I work in software development and am also starting in computer forensics; it's great to see presentations and technical talks on topics like this. Good info overall and very helpful to people like myself just trying to better grasp the changes in HD/SSD lately.
  4. sooooo... SSD drives are BETTER for privacy then...... sweet (because if someone found your old one it would be near impossible to recover, say.... your bank info off of it..... right?)
  5. What about using a chipclip to pull data directly? Then you don't have the "garbage collectors" running at all. Also, a chocolate-chip cookie dough exploit would work here, same as for SDRAM.......
  6. Says "actually" 87 times in 45 minutes.
  7. If this guy thinks he has to explain the difference between a flash drive and an SSD, he has seriously misjudged his current audience, and I just can't take him seriously, and I'm sure MANY of the people in his audience (a computer hacker and security centric audience, who KNOW these things) will take this as it is, a speaker who doesn't know who he is talking to, and will take offense to his thinking there is really a need to explain this to a large group of hobbyists, enthusiasts, and professionals. This "talk" was written for people who DON'T know shit about computing and networking, like congress, and his bosses; this should have been rewritten and geared toward his current audience, with REAL information, and none of the B.S. 101 explanations. It's kind of like explaining the concept of counting to 9 to a 55 year old mathematician, in his office, while he is working on cryptographic analysis or Fourier transforms. Toward the end, he finally got to the point where he should have STARTED, then took it from there.
    Communications 101 - Know your audience
  8. 23:50 dude is misinforming you. It clearly says that the bad cells are marked and the REMAINING CELLS are sorted into consumer and industrial quality flash. Yes, consumers are not getting the same quality flash as industrial clients. But it's not crap.
  9. Anyone else annoyed by the beeping? Sorry, but I can't watch it this way, kinda annoying.
  10. A lot of misinformation here; best to watch something different for educational purposes. Good video though.
  11. Get over it, not all jobs that have been invented in the old days are still here.
  12. Very interesting.. Thanks for sharing!
  13. There is a fundamental misunderstanding in this talk.
    SSDs pretend to be an array of blocks.

    Unless you actually open up the SSD and remove and probe the chips themselves, how the data is stored is not relevant.

    The reason that stuff is now zeroed is 'Trim' largely, it has nothing to do with what the SSD does. The SSD cannot erase data in the context of the filesystem, as it cannot tell what that content is - only the host can. Trim does this.
    Disks cannot 'shrink' - without presenting bad sectors to the user.
    In addition, mass storage devices are exactly the same as SSD in this respect, they are an array of idealised blocks. The host does no wear leveling, it is simply a SCSI analog.
  14. FTK Imager is free but the toolkit itself costs; a good alternative is a Linux-based forensics suite.
  15. Nice SSD advertisement.
  16. Accessdata FTK I assume isn't free anymore? Doesn't appear to be.
  17. physically
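The LBA-to-physical remapping the abstract describes, and the TRIM/garbage-collection behaviour argued over in comments 1, 2 and 13, in a toy flash translation layer. This is an added example for this page, not code from the talk or from any commenter. The page size, the reserve of one erased block, and the "erase the block with the most stale pages" policy are simplifying assumptions, not any vendor's algorithm. It shows what the host sees (a stable array of LBAs), what a chip-off read would see (old copies lingering until the drive erases their block), that live data is relocated with no host write, and that after TRIM the LBA reads as zeros while the bytes remain on the chip only until the next GC pass.

```python
from typing import Dict, List, Optional, Set

PAGE_BYTES = 4  # toy page size (assumption; real NAND pages are kilobytes)


class ToySSD:
    """Toy flash translation layer: host LBAs map to physical pages, every
    write goes out of place, and erases happen per block (assumed model)."""

    def __init__(self, blocks: int = 4, pages_per_block: int = 4) -> None:
        self.ppb = pages_per_block
        self.pages: List[Optional[bytes]] = [None] * (blocks * pages_per_block)  # None = erased
        self.l2p: Dict[int, int] = {}            # LBA -> physical page (the "virtualisation")
        self.stale: Set[int] = set()             # superseded or trimmed copies still on the NAND
        self.erase_counts: List[int] = [0] * blocks
        self.free_blocks: List[int] = list(range(blocks))  # fully erased blocks
        self.active: Optional[int] = None        # block currently being filled
        self.fill = 0                            # next page index inside the active block

    # ---- host-visible interface: all an LBA-level imager can see ----
    def write(self, lba: int, data: bytes) -> int:
        page = self._alloc(allow_gc=True)
        self.pages[page] = data
        old = self.l2p.get(lba)
        if old is not None:
            self.stale.add(old)                  # old version is not overwritten in place
        self.l2p[lba] = page
        return page

    def read(self, lba: int) -> bytes:
        page = self.l2p.get(lba)
        return self.pages[page] if page is not None else bytes(PAGE_BYTES)  # unmapped -> zeros

    def trim(self, lba: int) -> None:
        page = self.l2p.pop(lba, None)           # host: "this LBA no longer belongs to a file"
        if page is not None:
            self.stale.add(page)                 # bytes stay on the chip until GC erases the block

    # ---- drive-internal behaviour ----
    def _block_pages(self, blk: int) -> range:
        return range(blk * self.ppb, (blk + 1) * self.ppb)

    def _alloc(self, allow_gc: bool) -> int:
        if self.active is None or self.fill == self.ppb:
            if allow_gc and len(self.free_blocks) <= 1:
                self.garbage_collect()           # keep one erased block in reserve
            if self.active is None or self.fill == self.ppb:
                if not self.free_blocks:
                    raise RuntimeError("no erased block left")
                self.active, self.fill = self.free_blocks.pop(0), 0
        page = self.active * self.ppb + self.fill
        self.fill += 1
        return page

    def garbage_collect(self) -> Optional[int]:
        """Erase the full block with the most stale pages, relocating its live pages first."""
        candidates = [b for b in range(len(self.erase_counts))
                      if b != self.active and b not in self.free_blocks]
        victim = max(candidates, default=None,
                     key=lambda b: sum(p in self.stale for p in self._block_pages(b)))
        if victim is None or not any(p in self.stale for p in self._block_pages(victim)):
            return None
        for lba, page in list(self.l2p.items()):
            if page in self._block_pages(victim):
                new_page = self._alloc(allow_gc=False)  # live data moves with no host write
                self.pages[new_page] = self.pages[page]
                self.l2p[lba] = new_page
        for page in self._block_pages(victim):
            self.pages[page] = None
            self.stale.discard(page)
        self.erase_counts[victim] += 1
        self.free_blocks.append(victim)
        return victim

    def physical_copies(self, needle: bytes) -> List[int]:
        """Chip-off view: every page that still holds `needle`, mapped or stale."""
        return [p for p, d in enumerate(self.pages) if d == needle]


def demo() -> dict:
    """Constructed scenario: one 'file' at LBA 7 is rewritten three times, other
    LBAs are filled until GC runs, then LBA 7 is trimmed."""
    ssd = ToySSD(blocks=4, pages_per_block=4)
    versions = [bytes([0x41 + i]) * PAGE_BYTES for i in range(3)]   # b"AAAA", b"BBBB", b"CCCC"
    pages_used = [ssd.write(7, v) for v in versions]
    stale_before_gc = set(ssd.stale)
    old_copies_before_gc = (ssd.physical_copies(versions[0]), ssd.physical_copies(versions[1]))
    filler = {lba: bytes([0xF0 + lba % 16]) * PAGE_BYTES for lba in range(8, 20)}
    for lba, data in filler.items():
        ssd.write(lba, data)                      # pushes the drive into garbage collection
    out = {
        "pages_used_for_lba7": pages_used,
        "stale_before_gc": stale_before_gc,
        "old_copies_before_gc": old_copies_before_gc,
        "page_of_lba7_after_gc": ssd.l2p[7],
        "old_copies_after_gc": (ssd.physical_copies(versions[0]), ssd.physical_copies(versions[1])),
        "read_lba7_before_trim": ssd.read(7),
        "logical_view_intact": all(ssd.read(l) == d for l, d in filler.items()),
    }
    ssd.trim(7)
    out["read_after_trim"] = ssd.read(7)
    out["copies_after_trim"] = ssd.physical_copies(versions[2])
    ssd.garbage_collect()                         # stands in for the drive's idle-time GC
    out["copies_after_trim_gc"] = ssd.physical_copies(versions[2])
    out["erase_counts"] = ssd.erase_counts
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it directly to print the scenario. The forensic point matches the thread: the host's logical view never changes while the physical page behind LBA 7 moves from page 2 to page 12 during GC, the two superseded copies are gone once their block is erased, and after TRIM the LBA reads as zeros even though the last copy survives on the NAND until the next GC pass, a window whose length the drive's firmware, not the examiner, controls.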