I’ve touted the benefits of fast, new solid-state drive technology (SSD) and the recent push toward hardware drive encryption more than once. Now, it seems, they might be making my job harder.
A group of Australian scientists discovered that the algorithms used to keep SSDs running in tip-top shape also destroy a host of hidden data—data that forensic investigators look for when researching drive usage and recovering forensic artifacts.
The team found that after a quick drive format the SSD began purging drive data almost immediately, a process of deep cleaning the disk or overwriting the old data with 1s and 0s. This is required for SSDs to write again, unlike magnetic media, which can write new data over old data. In the researchers’ test case, only 1,064 evidence files were recoverable out of 316,666 files on the drive.
This raises a question of performance versus security. On one hand, the automatic disposal of electronic clutter could be a boon for some businesses. On the other hand, in the event of a digital attack, valuable forensic artifacts that could be used to detect computer crime could go the way of 1s and 0s.
Ultimately, you’d want both: performance and auditable features that could help future forensic investigators. That will be the next design hurdle: build a drive system with additional auditable features helpful in forensic investigations, or integrate them into SSD technology drivers.
Ondrej Krehel, Chief Information Security Officer, Identity Theft 911
Ondrej has more than a decade of network and computer security experience. His expertise extends to investigations of intellectual property theft, massive deletions, defragmentation, anti-money laundering and computer hacking. He led U.S. computer security projects at Stroz Friedberg and worked in IT security at Loews Corp.