Journal in Computer Virology

Black-box forensic and antiforensic characteristics of solid-state drives


Abstract

Solid-state drives (SSDs) are inherently different from traditional drives, as they incorporate data-optimization mechanisms to overcome their limitations (such as a limited number of program-erase cycles, or the need to erase a block before writing to it). The most common optimizations are wear leveling, trimming, compression, and garbage collection, which operate transparently to the host OS and, in certain cases, even when the disk is disconnected from a computer (but still powered). In simple words, SSD controllers are designed to hide these internals completely, making them inaccessible except through direct acquisition of the memory cells. These optimizations may have a significant impact on the forensic analysis of SSDs. The main cause is that memory cells may be preemptively blanked, whereas a traditional drive sector would need to be explicitly rewritten to physically wipe the data. Unfortunately, the existing literature on this subject is sparse and its conclusions are seemingly contradictory. In this work we propose a generic, practical, test-driven methodology that guides researchers and forensic analysts through a series of steps that assess the "forensic friendliness" of an SSD. Given a drive of the same brand and model as the one under analysis, our methodology produces a decision tree that can, for instance, help an analyst determine whether an expensive direct acquisition of the memory cells is worth the effort, because the optimizations may have rendered the data unreadable or useless. Conversely, it can be used to assess the antiforensic techniques that stem from the characteristics of a given piece of hardware, and to develop novel ones that are specifically suited to particular drives. We apply our methodology to three SSDs produced by top vendors (Samsung, Corsair, and Crucial), and provide a detailed description of how each step should be conducted. As a result, we provide two use cases: a test-driven triage classification of drives according to forensic friendliness, and the development of an antiforensic technique specifically suited to a given drive.
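The mechanisms the abstract lists (TRIM, garbage collection that keeps running in the background, compression that can collapse repetitive test data) are exactly what a black-box test has to provoke and then observe from the host side. The Python script below is an added example of such a marker-based persistence probe; it is not code from the paper or from its authors. It writes unique, high-entropy markers to known LBAs, issues a TRIM for them (what deleting the files does on a TRIM-enabled filesystem), scans the raw device repeatedly, records the fraction of markers still readable, and maps that survival curve to a triage verdict. The SimulatedSSD class, its tick-based delay model, PAGE_SECTORS and the marker format are assumptions made so the script runs offline; the trim_delay values are constructed, not measurements of any drive.

```python
"""Marker-based black-box probe for deleted-data persistence on an SSD.

Added example, not the paper's code. Write unique, incompressible markers to
known LBAs, "delete" them with a TRIM, then scan the raw device repeatedly
and measure how many markers remain readable. The survival curve shows
whether the controller blanks trimmed data, and how fast.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

SECTOR = 512
PAGE_SECTORS = 8      # assumption: one marker per 4 KiB page (8 LBAs)
MARKER_LEN = 64


def make_marker(index: int, seed: bytes) -> bytes:
    """Unique 64-byte marker with high entropy: a compressing controller
    could otherwise collapse repeated patterns and skew the survival count."""
    tag = b"MRK%05d:" % index                      # 8 bytes, easy to grep
    digest = hashlib.sha256(seed + tag).digest()   # 32 bytes
    return (tag + digest + digest)[:MARKER_LEN]


def find_markers(chunks: Iterable[bytes], markers: Set[bytes]) -> Set[bytes]:
    """Scan raw chunks for markers. The MARKER_LEN-1 byte tail carried over
    between chunks keeps a marker split across two reads from being missed."""
    found: Set[bytes] = set()
    tail = b""
    for chunk in chunks:
        window = tail + chunk
        for m in markers - found:
            if m in window:
                found.add(m)
        tail = window[-(MARKER_LEN - 1):]
    return found


@dataclass
class SimulatedSSD:
    """Constructed toy controller (an assumption, not any real drive).
    trim_delay=None: TRIM ignored, data persists until overwritten;
    0: trimmed LBAs read as zeros at once; k>0: background garbage
    collection blanks them k ticks (e.g. seconds of idle time) later."""
    n_sectors: int
    trim_delay: Optional[int] = 0
    media: bytearray = field(default_factory=bytearray)
    pending: Dict[int, int] = field(default_factory=dict)  # lba -> due tick
    tick: int = 0

    def __post_init__(self) -> None:
        self.media = bytearray(self.n_sectors * SECTOR)

    def write(self, lba: int, data: bytes) -> None:
        self.media[lba * SECTOR:lba * SECTOR + len(data)] = data

    def trim(self, lbas: Iterable[int]) -> None:
        if self.trim_delay is None:
            return
        for lba in lbas:
            self.pending[lba] = self.tick + self.trim_delay
        self.advance(0)

    def advance(self, ticks: int = 1) -> None:
        """Let simulated time pass; blank every LBA whose GC is due."""
        self.tick += ticks
        for lba, due in list(self.pending.items()):
            if due <= self.tick:
                self.media[lba * SECTOR:(lba + 1) * SECTOR] = bytes(SECTOR)
                del self.pending[lba]

    def chunks(self, size: int = 4096) -> Iterable[bytes]:
        for off in range(0, len(self.media), size):
            yield bytes(self.media[off:off + size])


def persistence_curve(ssd: SimulatedSSD, n_markers: int, seed: bytes,
                      issue_trim: bool, ticks: int) -> List[float]:
    """Write one marker per page, TRIM them (the 'delete'), then sample the
    fraction still readable at ticks 0..ticks."""
    markers = {make_marker(i, seed): i * PAGE_SECTORS for i in range(n_markers)}
    for m, lba in markers.items():
        ssd.write(lba, m.ljust(SECTOR, b"\0"))
    if issue_trim:
        ssd.trim(markers.values())
    curve: List[float] = []
    for _ in range(ticks + 1):
        curve.append(len(find_markers(ssd.chunks(), set(markers))) / n_markers)
        ssd.advance(1)
    return curve


def triage(curve: List[float]) -> str:
    """Map a survival curve onto the triage outcome an analyst acts on."""
    if curve[-1] >= 0.99:
        return "persistent"              # deleted data stays readable
    if curve[0] <= 0.01:
        return "blanked-immediately"     # deterministic read-after-TRIM
    first_drop = next(i for i, f in enumerate(curve) if f < curve[0])
    return "blanked-by-gc-after-%d-ticks" % first_drop
```

On a real drive, feed find_markers with chunks read from the block device instead of ssd.chunks() (open the device read-only with buffering=0 and read in 1 MiB pieces, as root), issue the TRIM with fstrim or blkdiscard, drop the host page cache before each scan (echo 3 > /proc/sys/vm/drop_caches on Linux) so the scan reads the controller rather than the cache, and keep sampling while the drive sits idle but powered, since the abstract notes garbage collection can continue in that state. Every host-side read shows what the FTL returns, not what the cells physically hold; the curve is what tells you whether a direct acquisition of the cells is still worth the effort.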