Annual Computer Security Applications Conference (ACSAC) 2013


A Comprehensive Black-box Methodology for Testing the Forensic Characteristics of Solid-state Drives

Solid-state drives (SSDs) are gaining popularity and replacing traditional, platter-based hard drives (particularly in portable computers). SSDs are, however, inherently different from traditional drives, as they incorporate data-optimization mechanisms to overcome their limitations (such as a limited number of program-erase cycles, or the need to blank a block before writing). The most common optimizations are wear leveling, trimming, compression, and garbage collection, which operate transparently to the host OS and, in certain cases, even when the disks are disconnected from a computer (but still powered up). In simple terms, SSD controllers are designed to hide these internals completely, rendering them inaccessible except through direct acquisition of the memory cells.

These optimizations have a significant impact on the forensic analysis of SSDs, and in particular on data reconstruction and file carving. The main cause is that memory cells could be preemptively blanked, whereas a traditional drive sector would need to be explicitly rewritten to physically wipe off the data. Unfortunately, the existing literature on this subject is sparse and the conclusions are seemingly contradictory.

In this paper we propose a generic, practical, test-driven methodology that guides researchers and forensic analysts through a series of steps that assess the "forensic friendliness" of a solid-state drive under examination. Our methodology produces a valuable output that helps an analyst determine whether or not an expensive direct acquisition of the memory cells is worth the effort, because the extreme optimizations may have rendered the data unreadable or useless. We apply our proposed methodology to three SSDs produced by top vendors (Samsung, Corsair, and Crucial), and provide a detailed description of how each step should be conducted.

Author(s):

Gabriele Bonetti    
Politecnico di Milano
Italy

Marco Viglione    
Politecnico di Milano
Italy

Alessandro Frossi    
Politecnico di Milano
Italy

Federico Maggi    
Politecnico di Milano
Italy

Stefano Zanero    
Politecnico di Milano
Italy

 
