Thursday, 13 August 2009

SSD Drives and IT Forensics - Update

In the previous post, The implication of new firmware released for OCZ SSD on computer forensics, I asked a number of questions. The post was also sent to an internal mailing list where I work. A number of responses came back, and I thought I'd share them.

1. What are the implications of having this included in the firmware of SSD drives and how would you acquire such a drive?

The implications are wide-ranging, but essentially the volume of recoverable data may be reduced (forensic analysis of deleted items, system artefacts, etc. may not be possible). However, acquisition methods will not be affected.

2. Does the firmware start clearing sectors when it is simply connected to a power supply, or does it require other hardware to be attached?

3. If it starts clearing sectors when connected to a power supply, what legal implications will this have if, during the acquisition of the drive, potential evidence is being deleted by the built-in firmware before it can be forensically acquired?

No, the firmware does not clear sectors when powered up. It requires an operating system that supports the TRIM command. OCZ SSDs now have the ability to use TRIM under Windows 7, Linux and OS X, but only where the operating system, firmware and associated software are correctly installed.

4. Are "live" acquisitions still possible with SSD drives with this firmware if we want to consider them forensically sound images? For example, creating a logical evidence file of an open encrypted container file.

Yes, see above. As TRIM is not supported under the Linux kernel (and would never be supported in a forensic distribution), there will be no loss of data during forensic acquisition.
The only potential issue would be a live acquisition under an operating system that does support TRIM (potentially Windows 7).

Wednesday, 12 August 2009

The implication of new firmware released for OCZ SSD on computer forensics

UPDATE - Questions answered

On my daily trawl through various feeds (thanks, Google Reader, for making this so easy) I came across an article that discussed the "benefits" of this new firmware. While I tend to agree with the writer from a performance standpoint, the IT forensics voice in my head was saying this could make my job more interesting.

This firmware is designed to keep the speed of the SSD as close as possible to that of a new drive, even after the drive has been used over a long period of time. The flash memory in an SSD is written in pages (usually 4KB) but can only be erased in whole blocks (usually 128 pages, 512KB). A page that has never been written, or that has been erased, can be written to directly and quickly. But a page cannot be overwritten in place: once a block holds data, no matter how little, even if it fills only a single page of the block, changing anything in that block means the entire block must be re-written.

The process is: the data still needed in the block is read into cache, the new data is merged into the cache, the whole block is erased, and the contents of the cache are written back to the block. As time passes and the blocks fill up with a mix of live data and stale data from files that were deleted or overwritten, more and more writes have to go through this read, erase and write-back cycle, and the SSD slows down.

Basically what this means is that the way many SSD drives write data is not very efficient: stale data is left all over the drive, and it is needlessly copied around every time its block has to be erased, which causes the slowdowns.

What the new firmware from OCZ apparently does is fix this while the drive is idle, by clearing used blocks of unneeded or unwanted data on a regular basis so they are instantly available for future writes.

From a forensics perspective, could this be considered a built-in "wiping" function on SSD drives? It is also worth noting that this could become the standard for all SSD drives.
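To make the mechanism concrete, here is a toy flash-translation-layer model in Python. It is an added example written for this page, not code from the original post or from OCZ, and its block geometry, function names and the rule that an unmapped sector reads back as zeros are all assumptions for illustration. It serves both this post (the read-to-cache, erase, write-back slow path) and the TRIM question in the update above: without TRIM a "deleted" sector stays mapped and its bytes stay on the flash, while with TRIM plus idle-time garbage collection the block is erased and nothing is left to recover.

```python
PAGE_SIZE = 4096       # bytes per flash page, as in the post
PAGES_PER_BLOCK = 4    # real drives use ~128 pages (512KB blocks); kept small so the demo is readable
ERASED = None          # an erased page holds no data and can be written directly


class ToySSD:
    """Minimal flash-translation-layer model: out-of-place page writes, block-level erases,
    optional TRIM and idle-time garbage collection. A simplified assumed model, not OCZ's firmware."""

    def __init__(self, blocks, trim_enabled):
        self.trim_enabled = trim_enabled
        self.flash = [[ERASED] * PAGES_PER_BLOCK for _ in range(blocks)]   # page contents
        self.valid = [[False] * PAGES_PER_BLOCK for _ in range(blocks)]    # page still referenced?
        self.l2p = {}           # logical sector -> (block, page)
        self.p2l = {}           # (block, page) -> logical sector
        self.erases = 0
        self.copied_pages = 0   # pages re-written only to free a block: write amplification

    def _place(self, lba, data, b, p):
        self.flash[b][p], self.valid[b][p] = data, True
        self.l2p[lba], self.p2l[(b, p)] = (b, p), lba

    def _invalidate(self, lba):
        """The old copy becomes stale. It is NOT erased: its bytes stay on the flash."""
        loc = self.l2p.pop(lba, None)
        if loc is not None:
            self.valid[loc[0]][loc[1]] = False
            self.p2l.pop(loc, None)

    def _erase(self, b):
        for p in range(PAGES_PER_BLOCK):
            self.p2l.pop((b, p), None)
        self.flash[b] = [ERASED] * PAGES_PER_BLOCK
        self.valid[b] = [False] * PAGES_PER_BLOCK
        self.erases += 1

    def _free_page(self):
        for b in range(len(self.flash)):
            for p in range(PAGES_PER_BLOCK):
                if self.flash[b][p] is ERASED:
                    return b, p
        # No erased page left: the slow path the post describes. Take the block with the
        # fewest live pages, copy those to cache, erase the whole block, write them back.
        b = min(range(len(self.flash)), key=lambda i: sum(self.valid[i]))
        if sum(self.valid[b]) == PAGES_PER_BLOCK:
            raise RuntimeError("drive full")
        live = [(self.p2l[(b, p)], self.flash[b][p]) for p in range(PAGES_PER_BLOCK) if self.valid[b][p]]
        self._erase(b)
        for p, (lba, data) in enumerate(live):
            self._place(lba, data, b, p)
            self.copied_pages += 1
        return b, len(live)

    def write(self, lba, data):
        assert len(data) == PAGE_SIZE
        b, p = self._free_page()
        self._invalidate(lba)
        self._place(lba, data, b, p)

    def read(self, lba):
        loc = self.l2p.get(lba)
        # An unmapped sector reads as zeros here (an assumption; real drives vary).
        return self.flash[loc[0]][loc[1]] if loc else b"\x00" * PAGE_SIZE

    def trim(self, lbas):
        """OS tells the drive these sectors no longer hold file data; a no-op unless supported."""
        if self.trim_enabled:
            for lba in lbas:
                self._invalidate(lba)

    def idle_gc(self):
        """'While the drive is idle': erase every block that has no live page left."""
        for b in range(len(self.flash)):
            if not any(self.valid[b]) and any(pg is not ERASED for pg in self.flash[b]):
                self._erase(b)

    def physical_scan(self, needle):
        """Chip-off style check: is the pattern anywhere on the flash, mapped or stale?"""
        return any(pg is not ERASED and needle in pg for blk in self.flash for pg in blk)


def delete_then_idle(trim_enabled):
    """Write a file sector, delete it, let the drive idle. Returns (on flash?, readable at sector?)."""
    ssd = ToySSD(blocks=4, trim_enabled=trim_enabled)
    evidence = b"SECRET-EVIDENCE".ljust(PAGE_SIZE, b"\x00")   # constructed sample page
    ssd.write(7, evidence)
    ssd.trim([7])      # a TRIM-aware OS passes the deletion on; other OSes never send this
    ssd.idle_gc()
    return ssd.physical_scan(b"SECRET-EVIDENCE"), ssd.read(7) == evidence


def fill_and_overwrite(blocks=2, rounds=3):
    """Overwrite a nearly full drive repeatedly. Returns (erases, pages copied just to make
    room, reads still consistent?). The copies are the slowdown the post describes."""
    ssd = ToySSD(blocks=blocks, trim_enabled=False)
    sectors = blocks * PAGES_PER_BLOCK - 2    # two spare pages, like a little over-provisioning
    for r in range(rounds):
        for lba in range(sectors):
            ssd.write(lba, bytes([r]) * PAGE_SIZE)
    ok = all(ssd.read(lba) == bytes([rounds - 1]) * PAGE_SIZE for lba in range(sectors))
    return ssd.erases, ssd.copied_pages, ok
```

`delete_then_idle(False)` returns `(True, True)`: the deleted sector is still mapped and still on the flash, so both a logical image and a chip-off read would recover it. `delete_then_idle(True)` returns `(False, False)`: TRIM unmapped it and the idle garbage collector erased the block. `fill_and_overwrite()` shows the slow path, counting block erases and pages copied only to make room. Real drives differ in what a trimmed sector reads back as (zeros, the old data, or something else), so a practitioner should verify the specific model on a test drive before relying on either outcome.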

This raises the following questions:

1. What are the implications of having this included in the firmware of SSD drives, and how would you acquire such a drive?

2. Does the firmware start clearing sectors when it is simply connected to a power supply, or does it require other hardware to be attached?

3. If it starts clearing sectors when connected to a power supply, what legal implications will this have if, during the acquisition of the drive, potential evidence is being deleted by the built-in firmware before it can be forensically acquired?

4. Are "live" acquisitions still possible with SSD drives with this firmware if we want to consider them forensically sound images? For example, creating a logical evidence file of an open encrypted container file.

I would be interested in reading comments from anyone who has tested this or even theories on dealing with this in the wild.


Monday, 10 August 2009

Root on HTC Magic

[UPDATE]

1 Click Android Rooting ...

http://androidandme.com/2009/08/news/how-to-root-a-t-mobile-g1-and-mytouch-3g-android-phone/



I recently got a HTC Magic on Vodafone UK and decided that it was about time I got root on it.

Murphy's law states that anything that can go wrong will go wrong. Step 1 is always make sure you have a backup.

I downloaded the files from The Unlockr's Guide to getting root on HTC Magic. Since my phone is a Vodafone UK version I downloaded the 32B files.

After extracting the SDK to C:\AndroidSDK\ and the images to C:\AndroidSDK\tools,

I booted my phone into fastboot mode: Power on phone with the "Back" arrow held down.
Connect the USB cable, open a command prompt and run the following from your AndroidSDK\tools folder:

fastboot boot recovery-new.img

Your phone will reboot and you will be presented by the Android System Recovery Menu.
Choose the "Nandroid Backup 2.1" option. After 2-5 minutes, backups of your phone's system, boot, recovery, data, misc and cache images will be copied to the phone's SD card.

I then followed The Unlockr's Guide. Unfortunately this didn't work for me, and my phone just hung at the Vodafone splash screen. I left it for about 20 minutes, thinking that maybe it was doing some post-load installs, but no, not that lucky. Thinking that I may have just bricked my phone was not a happy feeling. Just as well I remembered Murphy and his laws. Now the next question: how do I get the backup back onto my phone? I tried to re-flash it by first wiping the failed flash:

fastboot erase system -w
fastboot erase boot
fastboot flash system system.img
fastboot flash boot boot.img
fastboot flash recovery recovery.img
fastboot reboot

No such luck: all the fastboot flash commands returned the same error:

FAILED (remote: signature verify fail)

Browsing through the xda-developers forum, I came across a post by Amon_RA that had a modified version of the HTC Magic recovery image.
I downloaded this and extracted it to C:\AndroidSDK\tools.

So booting into fastboot mode again, opening a command prompt and running the following from C:\AndroidSDK\tools

fastboot boot recovery-RAv1.2.0G.img

The phone will boot the recovery image and you will notice an option titled

Nandroid V2.2 Restore

Selecting this option started the restore process. 5 minutes later my phone was fully working again. I guess I'll be waiting a bit longer for a working "root" image.


Monday, 3 August 2009

Slipstream or integrate Office 2007 Service Pack 2 (SP2)

If, like me, you update and deploy software to new workstations on a regular basis, you will quickly grow tired of installing MS Office and then installing the latest service pack. This quick guide will assist in slipstreaming the latest service pack (SP2) into MS Office 2007. I will assume that you will be installing Office from a network share and have already copied the entire contents of the CD to this folder.

Download the standalone installer office2007sp2-kb953195-fullfile-en-us.exe to a temporary folder (C:\tmp).
Create a folder called Updates (C:\Updates).
Open a command line window (CMD) and type the following on one line:

C:\tmp\office2007sp2-kb953195-fullfile-en-us.exe /extract:C:\Updates

Agree to the EULA and close the installer when the extraction completes.
Move the extracted .msp files from C:\Updates into the Updates folder of your Office 2007 installation share. Office 2007 setup.exe applies any .msp patches it finds in that folder automatically during installation, so no separate service pack install is needed on each workstation.

Enabling AHCI after installing Windows XP x64

Download the OS pre-install SATA drivers and extract them to a temporary location on the machine (C:\tmp).

Open Device Manager.
Under IDE ATA/ATAPI controllers you should see something like: Intel ICH9 Serial ATA Storage Controller.
Right-click on it and select Update Driver.
Say No to connecting to Windows Update to search, hit Next.
Select Install from a list or specific location (Advanced), hit Next.
Select "Don't search. I will choose the driver to install", hit Next.
Select Have Disk.
Browse to the driver folder (C:\tmp\), highlight the iastor.inf file, hit Open, then OK.

You should now see a list of controllers; pick the ICH9 AHCI driver.
You'll be warned that installing the device driver is not recommended; click Yes to continue installing.
Click Finish.
If you have more than one Intel ICH9 Serial ATA Storage Controller you will need to do this for each one before restarting.
When the system boots, enter the BIOS, navigate to the SATA Operation option or equivalent and set it to AHCI.
Verify your SATA ports are enabled, save changes and exit.
After you log into Windows, your computer will find the "new" hardware. Wait until you get the popup message to restart your computer, and say Yes to restart one last time.

The order matters: the AHCI driver must be installed before the BIOS is switched to AHCI. If the BIOS is changed first, XP will fail to boot with STOP 0x0000007B (INACCESSIBLE_BOOT_DEVICE); set the BIOS back to IDE/compatible mode, boot normally and repeat the driver steps.