Wednesday, 12 August 2009

The implication of new firmware released for OCZ SSD on computer forensics

UPDATE - Questions answered

On my daily trawl through various feeds (thanks to Google Reader for making this so easy), I came across an article that discussed the "benefits" of this new firmware. While I tend to agree with the writer from a performance standpoint, the IT forensics voice in my head was saying this could make my job more interesting.

This firmware is designed to keep the speed of the SSD as close as possible to that of a new drive, even after the drive has been used over a long period of time. The flash memory used on the SSD is made up of cells that usually contain 4KB pages, arranged in blocks of 512KB. When a cell is unused, data can be written to it relatively quickly. But if a cell already contains some data, no matter how little, even if it fills only a single page in the block, the entire block must be re-written.

This is because a memory cell has to be erased before data can be written to it, even if it is only partially filled. The data already contained in the cell has to be copied to the cache, the new data is added to the cache, the old data in the cell is erased, and the contents of the cache are then written back to the memory cell. As time passes and all the cells become partially filled with old data, the SSD slows down, because every new write has to go through this same process.

Basically, this means that the way many SSDs write data is not very efficient: it leaves all kinds of unused data all over the drive, which later causes slowdowns when that data is needlessly copied and rewritten.

Now what the new firmware from OCZ apparently does is fix this while the drive is idle, by clearing used memory cells of unneeded or unwanted data on a regular basis so that they are instantly available for future use.

From a forensics perspective, could this be considered a built-in "wiping" function on SSD drives? It is also worth noting that this could become the standard for all SSD drives.
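To make the page/block behaviour described above, and the forensic consequence of an idle-time cleanup pass, concrete, here is a small simulation. It is an added illustration written for this post, not OCZ's firmware or any real flash translation layer, and the flash model it uses is a constructed assumption: a page can only be programmed after its whole block has been erased, an overwrite goes to a fresh page and leaves the old copy in place until that block is erased, and "cleanup" rewrites every block that holds stale pages. The drive sizes, logical page numbers and contents in the demo functions are constructed sample values.

```python
"""Toy NAND model: page programs, block erases, and an idle cleanup pass.
Added example for this post; assumptions are constructed, not OCZ's design."""

ERASED = None  # content of a page that has been erased and not yet programmed


class Block:
    def __init__(self, pages_per_block):
        self.pages = [ERASED] * pages_per_block  # raw page contents
        self.stale = [False] * pages_per_block   # True: host no longer references this copy
        self.erase_count = 0

    def free_pages(self):
        return [i for i, p in enumerate(self.pages) if p is ERASED]

    def stale_count(self):
        return sum(self.stale)

    def erase(self):
        n = len(self.pages)
        self.pages = [ERASED] * n
        self.stale = [False] * n
        self.erase_count += 1


class ToySSD:
    # Post's figures: 4KB pages and 512KB blocks give 128 pages per block.
    def __init__(self, n_blocks=2, pages_per_block=128):
        self.blocks = [Block(pages_per_block) for _ in range(n_blocks)]
        self.lmap = {}           # logical page number -> (block, page) of the live copy
        self.block_rewrites = 0  # slow path: cache + erase + rewrite of a whole block

    def write(self, lpn, data):
        """Fast path: program a free page. Slow path: no free page anywhere, so a
        block holding stale pages must be cached, erased and rewritten first."""
        if lpn in self.lmap:                    # retire the old copy; its bytes stay put
            b, p = self.lmap.pop(lpn)
            self.blocks[b].stale[p] = True
        if not any(blk.free_pages() for blk in self.blocks):
            victim = max(range(len(self.blocks)), key=lambda i: self.blocks[i].stale_count())
            if self.blocks[victim].stale_count() == 0:
                raise RuntimeError("no free or reclaimable page")
            self._rewrite_block(victim)
        for bi, blk in enumerate(self.blocks):
            free = blk.free_pages()
            if free:
                blk.pages[free[0]] = data
                self.lmap[lpn] = (bi, free[0])
                return

    def trim(self, lpn):
        """Host declares a logical page unneeded (e.g. the file was deleted)."""
        b, p = self.lmap.pop(lpn)
        self.blocks[b].stale[p] = True

    def _rewrite_block(self, bi):
        """Copy live pages to cache, erase the block, write live pages back.
        Stale pages are not copied, so their bytes are gone afterwards."""
        blk = self.blocks[bi]
        cache = [(lpn, blk.pages[p]) for lpn, (b, p) in self.lmap.items() if b == bi]
        blk.erase()
        self.block_rewrites += 1
        for p, (lpn, data) in enumerate(cache):
            blk.pages[p] = data
            self.lmap[lpn] = (bi, p)

    def idle_cleanup(self):
        """The behaviour the post attributes to the firmware: while idle, clean
        every block holding stale pages so later writes take the fast path."""
        for bi, blk in enumerate(self.blocks):
            if blk.stale_count():
                self._rewrite_block(bi)

    def logical_read(self, lpn):
        """What the host, and a normal imaging tool, sees."""
        if lpn not in self.lmap:
            return None
        b, p = self.lmap[lpn]
        return self.blocks[b].pages[p]

    def physical_search(self, needle):
        """What a raw read of every page (chip-off style) finds, live or stale."""
        return [(bi, p, blk.stale[p])
                for bi, blk in enumerate(self.blocks)
                for p, content in enumerate(blk.pages)
                if content == needle]


def demo_slow_path():
    """Fill a tiny drive so that an overwrite hits the slow path; returns the rewrite count."""
    ssd = ToySSD(n_blocks=2, pages_per_block=4)
    for i in range(8):                 # consume every free page
        ssd.write(i, f"data-{i}".encode())
    ssd.write(3, b"data-3-v2")         # forces cache/erase/rewrite of one block
    return ssd.block_rewrites


def demo_cleanup():
    """Overwrite then delete a 'secret'; return what a raw page read finds
    before and after the idle cleanup pass."""
    ssd = ToySSD(n_blocks=2, pages_per_block=4)
    ssd.write(0, b"report.doc")
    ssd.write(1, b"secret-v1")
    ssd.write(1, b"secret-v2")         # old copy stays in its page, marked stale
    ssd.trim(1)                        # file deleted: live copy becomes stale too
    before = (ssd.physical_search(b"secret-v1"), ssd.physical_search(b"secret-v2"))
    ssd.idle_cleanup()
    after = (ssd.physical_search(b"secret-v1"), ssd.physical_search(b"secret-v2"))
    return before, after
```

Run `demo_cleanup()` and the point of the post falls out of the model: before the cleanup pass, both the overwritten and the deleted copy are still sitting in stale pages, invisible to a logical read but present on the chip; after the pass they are gone, while the still-live `report.doc` survives. `demo_slow_path()` shows the cost the firmware is trying to avoid: once every page has been used, a single overwrite forces a whole-block cache, erase and rewrite.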

This raises the following questions:

1. What are the implications of having this included in the firmware of SSD drives, and how would you acquire such a drive?

2. Does the firmware start clearing sectors when the drive is simply connected to a power supply, or does it require other hardware to be attached?

3. If it starts clearing sectors when connected to a power supply, what legal implications will this have if, during the acquisition of the drive, potential evidence is deleted by the built-in firmware before it can be forensically acquired?

4. Are "live" acquisitions still possible with SSD drives running this firmware, if we want to consider the result a forensically sound image? For example, creating a logical evidence file of an open encrypted container file.

I would be interested in reading comments from anyone who has tested this or even theories on dealing with this in the wild.
