SSD found out the situation that modern criminal investigation is extremely difficult, the cause of which is explained from the mechanism of SSD
High speed data processing possibleSolid state driveThe momentum of high performance, low price, large capacity of SSD (SSD) does not know where to stay and even during 2014Intel plans to release 2 TB high-speed SSDis. Although SSD is becoming popular as a familiar storage, it is pointed out that it exists to make data analysis difficult in criminal investigation.
Belkasoft: Digital Evidence Extraction Software for Computer Forensic Investigations
Modern SSDs self-destroy court evidence
In criminal investigation, technology to retrieve data from PCs and smartphones, analyze it, and make it evidenceDigital ForensicIt is indispensable for criminal investigation in modern society. Since data related to crime may be erased and destroyed by a criminal who has detected the investigation, or physical destruction of the PC itself, the task of restoring lost data is important technology in digital forensics and It is being done.
However, in the case of SSD, the data restoration that was possible in the conventional hard disk (HDD), it is regarded as a problem that makes digital forensics difficult because it is very difficult. This seems to be due to the structure of SSD's data recording apparently.
When overwriting old data to be erased with new data, HDD can overwrite new data directly to old data. But,SSD can not directly overwrite data. The mechanism of overwriting data is that in the case of SSD, after copying all chunks of bundling data of "block" containing old data to the buffer (work memory) area, store old data in the buffer memory Replaced with data, erasing the copied blocks all at once and then writing back the blocks on the buffer memory go through several processes (commonly known as block copy).
Regarding the mechanism of block copyLogitec's siteIt is explained in an easy-to-understand manner.
That is, in SSD, when there is no empty block when data is rewritten and it is necessary to erase the block by copying the data to the buffer, it takes more time than simply writing the data to the empty block, so the free space is small And data rewriting does not go smoothly and the processing speed drops. This is the reason why it is said that "SSD has better capacity as much as possible" and "It is said that the speed of SSD will fall as the available space decreases."
Even in the HDD and the SSD, even when performing the operation of "deleting data" on the OS, the data actually disappears when new data is overwritten, and until then it is deleted Data can not be accessed, but the data itself is not erased. The mechanism at the moment when data is lost, that is, the mechanism at the moment the data is overwritten is more complicated in SSD than HDD.
Therefore, in order to compensate for the structural drawback of such SSD,Trim commandSystem has been introduced. This is to tell the SSD controller to erase by deleting the data deleted on the OS "OK even if deleted at any time", the block with the trip is erased sequentially in the background It is a mechanism. It is left to the controller of the SSD when the triped erase OK block is actually erased, but in case the data needs to be overwritten, the Trim command makes it unnoticed by the user It is a little "cleaned up".
The process of erasing such dust and keeping the data ready for writing at any timeGarbage CollectionIt is an indispensable technique to prevent the SSD from slowing down and it is no exaggeration to say how to trash the garbage by using the Trim command etc. determines the performance of the SSD. In other words, the performance improvement of SSD depends on how quickly you erase the data.
This fact implies that it becomes more difficult to restore the data as the SSD evolves, which inevitably means that digital forensics are becoming difficult. Because it is impossible to restore erased blocks in garbage collection, whether or not digital forensics will produce results depends largely on the tailoring of the SSD controller that executes the Trim command.
If either of the following conditions are satisfied, the Trim command does not work, so it can be a gospel to a technician who performs digital forensics.
1.When the SSD is an old model and does not support the Trim command in the first place
2.Trim command not supportedThe strong man who continues to use after Windows XP is not supportedWas the opponent
3.When using an OS of version 10.6.8 or earlier of Mac OS X that does not support the Trim command
Four.When the SSD is formatted with a non-NTFS file system
Five.When it was an external SSD with USB connection
6.At the time of ultra high speed SSD of PCI - Express connection (Note: Trim command is not supported for PCI - Express, except when third - party garbage collection software is used)
7.When RAID is built (however, in the case of RAID, the hurdle of data restoration itself is high)
8.Disable Trim command When encryption is applied (However, it is difficult to decrypt the encryption itself)