Thursday, 13 August 2009

SSD Drives and IT Forensics - Update

In a previous post, The implication of new firmware released for OCZ SSD on computer forensics, I asked a number of questions. The post was also sent to an internal mailing list where I work. A number of responses came back, and I thought I'd share them.

1. What are the implications of having this included in the firmware of SSD drives and how would you acquire such a drive?

The implications are wide ranging, but essentially the volume of recoverable data may be reduced (forensic analysis of deleted items, system artefacts, etc. may not be possible). However, acquisition methods will not be affected.

2. Does the firmware start clearing sectors when it is simply connected to a power supply, or does it require other hardware to be attached?

3. If it starts clearing sectors when connected to a power supply, what legal implications will this have if, during the acquisition of the drive, potential evidence is being deleted by the built-in firmware before it can be forensically acquired?

No, the firmware does not clear sectors when powered up. It requires an operating system that supports the TRIM command. OCZ SSDs now have the ability to use TRIM under Windows 7, Linux and OS X, but only where the operating system, firmware, and associated software are correctly installed.

4. Are "live" acquisitions still possible with SSD drives with this firmware if we want to consider them forensically sound images? For example, creating a logical evidence file of an open encrypted container file.

Yes; see above. As TRIM is not supported under the Linux kernel (and would never be supported for a forensic distribution), there will be no loss of data during forensic acquisition.
The only potential issue would be a live acquisition under an operating system that does support TRIM (potentially Windows 7).
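The answers above make the acquisition risk depend on one thing: whether the host operating system will issue TRIM to the evidence drive. As an added example (not part of the original post or the mailing-list replies), the following POSIX shell script is the kind of pre-acquisition check a practitioner could run on a Linux workstation. It inspects mount lines in the `/proc/mounts` format for the `discard` option and drive identification output in the style of `hdparm -I` for the "Data Set Management TRIM supported" line, then reports a verdict. The mount lines and identification output embedded here are constructed samples so the script runs offline; the function names and the "TRIM-RISK"/"OK" verdict strings are my own.

```shell
#!/bin/sh
# Added example: pre-acquisition check that a Linux host will not issue TRIM
# to an attached evidence SSD. Two signals are inspected:
#   1. mount lines (format of /proc/mounts) for the `discard` mount option
#   2. `hdparm -I` style output for "Data Set Management TRIM supported"
# In real use the inputs would come from `cat /proc/mounts` and
# `hdparm -I /dev/sdX`; the samples below are constructed so this runs offline.

# Print the mount points (one per line) whose options include `discard`.
# $1: text in /proc/mounts format (device mountpoint fstype options dump pass)
discard_mounts() {
    printf '%s\n' "$1" | awk '
        $4 ~ /(^|,)discard(,|$)/ { print $2 }
    '
}

# Succeed (exit 0) if the drive identification output advertises TRIM.
# $1: hdparm -I style output
drive_supports_trim() {
    printf '%s\n' "$1" | grep -q 'Data Set Management TRIM supported'
}

# Verdict: "TRIM-RISK" if the drive advertises TRIM and any mount uses discard,
# otherwise "OK". An evidence disk should not be mounted at all during imaging;
# a read-only mount without discard is the next best case.
acquisition_verdict() {
    mounts="$1"; ident="$2"
    if drive_supports_trim "$ident" && [ -n "$(discard_mounts "$mounts")" ]; then
        echo "TRIM-RISK"
    else
        echo "OK"
    fi
}

# Constructed sample input (not captured from a real system).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,discard,errors=remount-ro 0 0
/dev/sdb1 /mnt/evidence ext4 ro,noatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0'

SAMPLE_IDENT='ATA device, with non-removable media
        Model Number:       CONSTRUCTED-SSD
Commands/features:
           *    Data Set Management TRIM supported (limit 8 blocks)'

SAMPLE_IDENT_NOTRIM='ATA device, with non-removable media
        Model Number:       CONSTRUCTED-HDD
Commands/features:
           *    SMART feature set'

echo "Mounts with discard: $(discard_mounts "$SAMPLE_MOUNTS" | tr '\n' ' ')"
echo "Verdict (SSD advertising TRIM): $(acquisition_verdict "$SAMPLE_MOUNTS" "$SAMPLE_IDENT")"
echo "Verdict (drive without TRIM):   $(acquisition_verdict "$SAMPLE_MOUNTS" "$SAMPLE_IDENT_NOTRIM")"
```

The `discard` option is matched as a whole word within the option list, so `nodiscard` does not count. The root filesystem in the constructed sample is mounted with `discard`, which is why the SSD case reports TRIM-RISK even though the evidence mount itself is read-only: the check is about what the host kernel is configured to do, not only about the evidence device.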
