Slashdot Mirror
SSDs Cause Crisis For Digital Forensics
rifles only writes "Firmware built into many solid state drives (SSDs) to improve their storage efficiency could be making forensic analysis at a later date by police forces and intelligence agencies almost impossible to carry out to legally safe standards, Australian researchers have discovered. They found that SSDs start wiping themselves within minutes after a quick format (or a file delete or full format) and can even do so when disconnected from a PC and rigged up to a hardware blocker." So either SSDs are really hard to erase, or really hard to recover. I'm so confused.
Deleted, should mean deleted.
Lately all you have heard is the complete opposite. That they are impossible to completely erase so it's unsafe to store company/secure data on them. Because even if you erase the file its still left on the disk and just marked as empty. Now they say they erase them self.
At a guess this is caused by mounting with the discard option, or trim as its called in Windows. It tells the drive you don't need the data stored where a deleted file used to be.
Maybe it's still there if you look with a microscope but who really does that?
You need to disassemble the drive and read the memory chips independently of the controller. I believe I read this is how one of the major drive recovery companies is handling SSDs.
Problem solved. People need control over their own privacy. Tough luck Digital Forensic folks.
Next, expect law enforcement to clamor for a new law that mandates persistent data retention for all types of storage devices.
..destroyed overnight, go with the SSDs. The melting point of a surface mount IC is a lot less than that of a spinning platter.
So either SSDs are really hard to erase, or really hard to recover. I'm so confused.
All I know is that if SSDs were really hard to erase, and I was in the business of recovering data that other people didn't want recovered, this is exactly the kind of story that I would tell them so that they would continue using SSDs.
Not that I'm paranoid or anything.
On magnetic storage I can change controller boards, even swap out the
platters in a clean environment into another drive with working heads.
For a few hundred to some thousands, your poor choice of having no backup media
can be resolved.
On SSD I can desolder the chips, dump them and then tell you there's nothing recoverable.
For a few hundred to some thousands, your poor choice of having no backup media
can be resolved.
Ultimately since the Flash Translation Layer goes and does things under-the-hood that are not externally visible, it is hard to be sure your data were erased, and it's also hard to be sure they were not erased... Essentially since there is an opaque interface at the logical-block level and the device is internally free to behave as it chooses so long as that interface is maintained, it makes it tricky to guess how the internal implementation will behave.
Plain old magnetic disks used a fairly predictable implementation of that interface so forensics goons got used to having an easy task on their plates.
---
Play Six Pack Man. I
Why the confusion, dear editor? This should be well understood.
If you want to recover, you can't. If you want to erase, you can't. It's Murphy's Law of Data Storage.
When Mindy the undergrad accidentally deletes her term paper and would be really REALLY grateful for a super smart and kinda cute geek to go in and recover the file with Backtrack... then you'll see the downside.
What? I reject your reality and substitute my own!
Forgive my ignorance, but how is this possible? Does this mean that the drives understand NTFS and are actually zeroing out data on the drive when the OS simply deletes the entry from the FAT table? How can the SSD second guess what the OS is doing? I thought that SSD's use the same interface as regular HD's and should behave the same.
...we better ban them, then.
-- Even if a god did exist, why the fsck should I worship it?
The whole point of the referenced article is that it is somehow a "problem" that data deleted (and intended to be deleted) by the owner of the SSD cannot be later recovered. Why should deleted data be recoverable? Will "police state" now require SSDs to stop this seemingly desirable behavior to ensure evidence be recoverable from an impounded device? I for one applaud the behavior of these new storage devices.
would mod you up one for that.
Quote: "So either SSDs are really hard to erase, or really hard to recover. I'm so confused."
;)
I work in a professional environment where we attempted to recover data from a crashed SSD. Nothing can be recovered. Consider the way an SSD Works. They are extremely expensive because each one contains a memory bank like RAM and a processor to handle reading and writing. If an operating system has "TRIM" enabled (or implemented to work like in Windows 7) then it will delete when a user deletes a file. It writes over the blocks with blank space. This ensures that writing speed does not slow down during the use of the device. So anynill delete when a user deletes a file. It writes over the blocks with blank space. This ensures that writing speed does not slow down during the use of the device. If thing deleted on a drive like that is really DELETED and cannot be recovered. -- Little google goes a long way
The drives have internal overprovisioning and perform internal garbage collection. This means that marked for deletion data has an unknown lifetime and may disappear at any point without interaction from a controller.
The hard to erase bit means that you really can't be sure something is totally erased without a full specific erase command to all flash blocks. Without that a page marked unused but not erased may be nestled in with a bunch of valid pages. As all pages in a block are erased together that marked unused page can hang around for a wile.
On the other side the firmware does garbage collection it actively looks for blocks with many erased pages and then tries to consolidate things so it can create more free blocks. This means if the drive is powered but not connected to a host machine it can still be doing data moves for consilidation and erasing marked for deletion pages.
There are thresholds for the garbage collection so it won't overwork and try for 100% consolidation. Thus you get both the presence of some really sticky stale marked unused pages and some active erasing of others.
I'm on the fence about this, and it's possible neither pasture is green. On the one hand, I might be the victim of a genuine crime, evidence of which happens to be hiding in an SSD drive. On the other hand, these techniques are just as routinely abused now to go after people for political noncriminal reasons that don't serve the Common Good at all, people and organizations like Julian Assange, Wikileaks, Bradley Manning, the U.S. Chamber of Commerce opponents... you name it.
These techniques are like nuclear physics: just as easily applied for Bad Things as Good. If we can't selectively prevent the abuses, maybe we should err on the side of caution and ban the techniques altogether. They aren't being universally applied to serve justice.
I thought that this was particularly telling. In the article it said:
... the state of the drive cannot be taken to indicate that its owner did or did not interact with it in ways that allow prosecutors to infer guilt or innocence. The fact that data has been purged does not mean a human knowingly did it (e.g. accidental guilt)...
So in other words, until SSDs came along, evidence of purged data was evidence of guilt... at least in Austrailia.
"So either SSDs are really hard to erase, or really hard to recover. I'm so confused"
It's easy - if you need it back, it will be hard to recover. If you desperately depend on nobody ever seeing it, it will be hard to erase. I'm pretty sure this is a consequence of the Uncertainty Principle, but I have not yet completed my paper proving it.
"Firmware built into many solid state drives (SSDs) to improve their storage efficiency could be making forensic analysis at a later date by police forces and intelligence agencies almost impossible to carry out to legally safe standards, Australian researchers have discovered..."
So expect some government intervention on matters concerning which firmware should be built into the devices we use.
I cannot see any government worth its credibility endorse a product which if employed in crime and confiscated (by police), it is almost impossible to use it to prosecute the perpetrators by government agencies and the FBI in the case of these United States.
You might wonder how a government might endorse a product:
By allowing its importation or production and subsequent collection of taxes from transactions related to the product.
could be making forensic analysis at a later date by police forces and intelligence agencies almost impossible to carry out to legally safe standards
So then they're sending SSDs out of the country for hard-core, waterboarding-style data extraction?
sysadmins and parents of newborns get the same amount of sleep.
...a foregone conclusion ever since ATA Secure Erase and TRIM were introduced?
Secure Erase basically tells the SSD that all of its cells are now blank (AFAIK implementations actually zero the drive as well but I'm happy to be corrected on that); therefore as soon as anything is written to the disc, it will be written here, there and everywhere. It took about 30s to run on my first vertex and I couldn't find any trace of
TRIM support in the ATA spec, along with kernel/filesystem support, tells the disc that when file A is deleted, cells X, Y, and ABQ are now officially "empty" and that if the controller feels like it, it can zero them out, shunt other data in there, or have a mardi gras for all it cares. The same happens when a drive is formatted; OS tells drive controller "I've just formatted you" and for the sake of preserving performance the controller goes "Brilliant! I can chuck out all this shit I've been saddled with."
As soon as hard drives start intelligently erasing/shuffling bits of themselves about so that cells are utilised to their utmost efficiency this was bound to happen. Unlike spinning platters where bad blocks were reallocated only if a) the hard disc knew about it and b) the data could actually be read/recovered, it becomes terribly obvious that data on SSD's is going to be read and written and deleted completely and utterly all over the place, without sequential series of sector found in slackspace like you would on a magnetic drive.
Magnetic drives have no performance penalties for not actually erasing the data, so if you work your way around that double negative you'll see that one of the staples of digital forensics (e.g. recovering files from slack) is a by-product of people trying to make magnetic platters as fast as possible by not actually erasing stuff, because as long as the controller knows that sector is blank then it'll just be overwritten as needed. Technology has now changed sufficiently that the performance gains from new solid state tech are helped by a drive controller that erases stuff as soon as possible, since writing over an occupied cell is slower than writing over a blank one.
I'm sure there'll be new methods to mitigate the change in tech, we're just somewhat on the cusp of a completely new tech. They'll probably come to an agreement that TRIM doesn't actually delete stuff until the amount of free space in the cells reaches a certain threshold or something like that.
Disclaimer: I'm not a digital forensic scientist, but am friends with one and we discussed this problem over some exquisite cocktails a few months back. And I don't think TRIM instructions follow the exact specifications I laid out above (e.g. using Brilliant! as an ACK).
Moderation Total: -1 Troll, +3 Goat
When Mindy the undergrad accidentally deletes her term paper and would be really REALLY grateful for a super smart and kinda cute geek to go in and recover the file with Backtrack...
OH NOES, what will I ever do without being told "thank you" and about what a nice guy I am.
Yeah it never goes any further than that outside of geek fantasies.
Not even in pornos. <-- business opportunity
"When information is power, privacy is freedom" - Jah-Wren Ryel
When Mindy the undergrad accidentally deletes her term paper and would be really REALLY grateful for a super smart and kinda cute geek to go in and recover the file with Backtrack... then you'll see the downside.
That's where da recycle bin comes in.
Most geeks that would try to leverage something like that to get laid will still fail at getting to the getting laid part.
Most girls that would dangle that sort of carrot know that teasing is just as effective as giving where geeks are concerned.
My God! It's full of eval()'s.
(1.) It may be hard to securely erase an SSD. Due to things such as wear leveling, the relationship between sector addresses and physical flash cells isn't transparent to the OS. And ATA Secure Erase isn't implemented or isn't implemented correctly on all SSDs. (2.) SSDs are hard to recover. That's because they may start erasing some blocks containing data (and not just the entry in the file allocation table) shortly after you delete a file in the file system. Again, this happens due to things such as wear leveling and isn't transparent to the OS. Contrast this to a hard drive where, following a file delete, only the entry in the allocation table is deleted but no actual data. I don't see anything contradictory or confusing here
Why does the government have this expectation that technology should be built in order to make it easy to spy on citizens?
Business Tip #1: Get payment up front.
Nice guys don't get laid as much either....
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
Protip: Put up a fake "progress" bar on the screen while you are "recovering" the files. Set it for something like 20 minutes. Now you at least have a chance to talk to a girl for that time, unless you're a real sucker and you let her find an excuse to leave you alone for 20 minutes.
I don't now remember what the case was, but: a few months ago a read about a guy who was charged with some crime or other. They were unable to convict him of whatever it was, but they did convict him of obstruction of justice. Why? Because the computer forensics expert stated that he had deliberately deleted some files and then run a defrag.
Enjoy life! This is not a dress rehearsal.
I think I've read somewhere that evidence has also be reproducible by the defense. If you destroy the device in the process of recovering data, that might be hard to do; or not ... I'm just guessing really.
I think some tests inherently destroy evidence. For such cases it may be that the defense has the right to observe the testing to ensure that it was done properly.
In case the harddrive is full disc encrypted it all should not matter...
You don't get laid too often being a dick either.
(Or by tryin to get laid for undeleting a file)
Only a problem if the retard windows admin disabled the recycle bin because it interfered with his OCD.
Do you even lift?
These aren't the 'roids you're looking for.
except a lot of SSDs come in USB key form and Winderz deletes files off those immediately.
... which might be considered tampering and leaves room for the other side's lawyers to ask "and then you took a soldering iron to a delicate IC?" ...
Because the odds of the randomly generated bits creating an email to Bernie Madoff discussing the ponzi scheme falls within a range considered to be reasonable doubt? You would need a fairly ignorant and gullible jury to buy that ... oh wait ... OK that may work for a celebrity defendant but I wouldn't count on that saving the average guy.
actually my girlfriend of 4 years I first started going out with her after coding a trivial little java app for her final year project.
so it does sometimes go beyond "thank you".
I think it's about impoliteness when asking favors. Friends help each other: I'm quite ok fixing my non-technical friend's WLAN, just as he's ok with giving me a hand when I'm moving houses. That's the social norm, and thus asking someone for a favor also indicates how you feel about them.
So if you don't like someone, if you would under normal circumstances not want to spend time with them - then you don't ask them for favors. That would be plain rude.
If you don't have an actual friend to provide tech services - just purchase said services.
It's nearly orthogonal. Confidence and power are what counts. Being nice or a jerk, while displaying weakness or impotency, won't get you anywhere. Being a jerk sometimes projects the illusion of strength, true; but it's not necessary. Being nice without being wishy-washy and fawning is best for a long-term relationship.
You often get laid for being a dick. Hell, if you're in the right place at the right time, with low enough standards, you can get laid just for *having* a dick.
Learn about Photography Basics.
Err...we're talking about getting laid often here...not long term relationships.
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
My data shouldn't be easy to get off, I know a while ago there was a post about SSD's being high risk for data but now it appears there more safe? If the police want my data they can figure out how to get it off, of course if I'm doing something illegal I'd have it highly encrypted but then again why would I care. They want the data they can work to get it!
Getting told that I'm a nice guy or getting laid... decisions, decisions...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
You ... you mean ... you mean it didn't really take her 30 minutes to wash her hair?
*sob* Why did you have to tell me?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Plaintiff's Attorney: "Sir, what are the chances of the drive automatically generating the exact sequence of bits required to form this email?"
Expert Witness: "Billions to one, certainly."
Defendant's Attorney: "And how many times will that this 2KB email fit on the drive?"
Expert Witness: "Well, it's a 2TB drive, so... about a billion, give or take."
Defendant's Attorney: "So, assuming the data on the drive is random, then it's safe to say there are at least two billion opportunities on this drive to produce this email?"
Expert Witness: "That's not what I meant..."
Defendant's Attorney: "Yes or no?"
Expert Witness: "Well, yes, but..."
Defendant's Attorney: "No further questions"
Learn about Photography Basics.
I miss Mindy. She was in my freshman English class- long, long ago. We worked on a project together. Unfortunately she had a fiance. She also never needed any computer assistance.
Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
"'dd' is not recognized as an internal or external command, operable program or batch file."
Thank goodness for the inherent security in Windows. If I had run that in Linux, who knows what could have happened? ;)
"This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
It used to be the drive remapping meant that if you deleted something (or even overwrote it), there was no guarantee it would be gone - SSD controllers do wear leveling to avoid having part of the drive get used excessively. Forensic analysts could go pull the raw data from the NAND flash.
The problem was that the wear leveling algorithms need a "free block" pool to work well. Drives that have been used heavily deplete the free block pool, and the drive slows down. For a long time, SSDs would have no knowledge of whether a file had been deleted or not.
The ATA TRIM command was added for just this purpose - with TRIM, when the OS deletes a file that references a block, it can tell the SSD controller that those blocks are free. The SSD controller will then begin erasing those blocks in its free time. (SSDs can be written one block at a time, but must be erased one page at a time. A page consists of multiple blocks. Oh, and I may have page/block swapped here.) So you get a lot of performance improvement by having a bunch of pre-erased pages - these can just have individual blocks written without a read/erase/modify/write on a whole page.
Pre-TRIM, SSDs were probably great for forensic analysts. Post-TRIM, SSDs are not. Oh, and I think the latest ATA standard added a "sanitize" command to make life easier for information assurance types, for whom SSDs have always been a pain.
retrorocket.o not found, launch anyway?
Especially on Linux systems with more than 23 physical drives!
Some good news for a change.
To be fair, unless that girl is a completely worthless cunt, there's probably some pair bonding going on for generosity and helpfulness, you know. So you get a girl that is nice and grateful for the help and likes talking to you and bakes cookies. Maybe somewhere down the line you get laid, maybe not.
Point is it's a good ice breaker and it makes you useful.
Support my political activism on Patreon.
This is great news for r@ygold, hussyfan, kingpass, vicky series collectors course knowing hard drive manufacturers they will cripple the ssd's somehow so they keep ghosts of the files like older drives did
Heh, good point. I suspect sda and sdb would be safe.
Especially since it appears that the command is copying from sdx to random, and not the other way 'round.
"This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
You seem to think you're entitled to sex for helping someone with computer issues, or that a "thank you" is insufficient payment for a favor: I'm guessing you don't get told you're a nice guy very often.
Uh, what?
AC breaks it down for you:
http://slashdot.org/comments.pl?sid=2017726&cid=35349690
"When information is power, privacy is freedom" - Jah-Wren Ryel
That won't work. First of you want your outfile (of) to be the drive, not the infile (in), as writing your drives content to /dev/random won't do any harm. Secondly you really don't want to use /dev/random, as real randomness is extremely slow on your average system, in the order of 5bytes/second, which would take some 500 years to fill up your 80GB SSD drive. So:
dd if=/dev/urandom of=/dev/sdx
or just:
dd if=/dev/zero of=/dev/sdx
Only criminals are worried about protecting their personal data. Really? Doctors, lawyers, researchers, need I go on?
Only criminals have guns. You what? Police are criminals in the US then? Soldiers are criminals?
Grow up and get a new perspective.
Why would anyone regret that? Well other than if you were doing encryption at the time...
So either SSDs are really hard to erase, or really hard to recover. I'm so confused.
It's both. The internal optimization of SSDs includes, essentially, a degree of abstraction between what the computer says to do and what is actually done. With that kind of direct low-level control taken away, any task related to direct, granular control over what happens to what the computer sees as 'sectors' on a disk (but which don't really exist, since there is no such physical form) becomes unreliable. The reasons why it is unreliable differ between deletion and recovery, but the effect is the same and has the same basic root cause.
For your security, this post has been encrypted with ROT-13, twice.
All "Mindy" does is whine and pretend not to understand what happened until you fix it for her, then she will give you a courtesy thank-you and never talk to you again. You see, she's too busy trying to get knocked up by the biggest asshole she can find that still tells her what she wants to hear, natural selection and all. But, hey, at least you get to keep pretending you are a white night!
Any sufficiently advanced influence is indistinguishable from control.
The expert witness is patently incorrect: Billions is 2^32, but with 2KB that's 2^2048 which is somewhere around a 1 with 616 zeroes after it.
Support my political activism on Patreon.
Everyone involved in that exchange failed basic math.
Assuming seven bit ANSI, that's not even five characters to get a billion combinations.
And a 2k e-mail would be 2^2048 combinations.
Plaintiff's Attorney: "Sir, what are the chances of the drive automatically generating the exact sequence of bits required to form this email?"
Expert Witness: "Billions to one, certainly."
errmm, a quick run with numbers: 128 possible values for a single byte and lets say 1 KB messages, that would be 128^1024 possible combinations, wouldn't it? Which is WAY more than 'billions'. Not much of an expert that witness.
Here we go again!
I've spent the last hour writing replies for questions/comments on the thread using this throwaway account: could someone with uber-powers please mod them up a bit?
Thanks very much in advance, and thanks also to everyone making suggestions/comments about the article. :-)
Graeme.
+5 Truth.
The important thing here is not what that girl thinks of you for helping, but what she tells her friends about you. Having a woman tell other woman what a nice, helpful man you are will get you way more attention in the long run. Having a reputation as a good guy that is discreet will score way more points than a jerk that likes to brag.
How come Slashdot never gets Slashdotted?
>white night
He gets to pretend he's a snow covered winter's night?
I had a boss tell me that getting laid was always a valid excuse for being late/absent to work.
The melting point of a surface mount IC is a lot less than that of a spinning platter.
Considering that all you need to melt a hard disk platter is a flower pot, a haird rier, and some charcoal that shouldn't be any problem.
Hello, I'm one of the authors of the paper. To explain the apparent paradox in rough terms:
Drive data was traditionally purged manually, by having the computer tell the drive to write something else over the top of the old data. In the absence of such an overwrite, magnetically stored data persists. However, if you try that trick on an SSD, it may not work. The logical address you try to overwrite may be remapped on the fly, so that your 'overwrite' goes to some other physical cell rather than the one which stored the data. From a logical viewpoint, it looks like the overwrite worked - you can't access the data any more through your computer's OS. But from the drives point of view, the data is still there, lurking in some physical cell that is presently out of use as far as the logical sector list is concerned. A cunning firmware or a hacker with a soldering iron might still get at it.
However, separately to this, modern SSD drives use tricks to try and automatically improve their performance, and one of these tricks is to pre-empetively wipe data cells that contain data no longer referenced by the filesystem. Here, the drive is actively attempting to permanently purge everything it can from the drive, all of it's own accord, in the interests of accelerating future writes by having a pool of completely unused cells available.
Summary:
- If you're a computer telling a drive to zero over some data, the drive may lie to you a bit, and not bother to zero it.
- If you're a drive, you do whatever the heck you like, and you see the physical layer directly (unlike the computer). That means the drive can open up the NTFS metadata, looking for data cells which could be preemptively reset, and nuking that data out of existence (when it might traditionally have been recoverable to an expert).
In summary. If your drive wants to nuke something, (and we've shown, they really DO want to nuke everything they can at a few minutes notice), it gets nuked. If your PC wants to nuke something, it may or may not get nuked by attempting an overwrite.
Finally, separate to this is TRIM, which is a hybrid of the two situations - an ATA command by which the OS can signal to the drive that it would like the corresponding physical cell for a particular logical sector address to be nuked, thank you very much.
Hope that clears things up.
Graeme.
Grow up and get a new perspective.
*whoosh*
Unless it wasn't your boss that was late...
Come on, even I knew that was supposed to be funny.
So, certain SSDs have a firmware "garbage collection" that analyzes the file system and marks blocks that are unused, even when the OS does not issue any trim commands.
While perhaps a nightmare for forensics, this seems like a particularly useful thing for normal use.
Presumably it only works for NTFS, but it would be very useful for windows xp, which I assume does not fully support TRIM.
How can I tell which ssd supports this option?
is there a marketing name for it?
Whoosh.
OK, so police and intelligence agencies now have a very hard time reading the private data of other people. And yes, I can see how government worshippers who get agitated at the thought of any limit to the absolute power of governments might be upset at this.
Myself, I don't think governments have any more right to peruse my private data on my private hardware than, say, Microsoft or AT&T do. So I don't find any problem here.
Actually the number of possible combinations are 2^(2048*8) bits. I'm just going to guess here that 2^16384 is more than the number of atoms in the galaxy, or even the universe.
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
There's still "reasonable doubt" that the prosecution wasn't corrupt and faked the data, if you can't reproduce the recovery a second time. One time is good enough if you've lost important data, but not good enough for criminal evidence.
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
Exactly. Look how many women run after men who are in and out of prison. The fact is, women like assholes. No, these kind of relationships don't last long, but that doesn't matter: these men get laid all the time (frequently as soon as they're released from prison), plus they father lots of kids, so they get to pass their screwed-up genes on to the next generation.
No, not all women are this dumb. But so many of them are, that being an asshole with a long rap sheet won't keep you from getting pussy and fathering a dozen kids. Sure, nice guys might succeed here and there in getting a wife and having a kid, but then that kid will be killed by one of the inmate's illegitimate kids during a crime. Eventually, we're going to have more criminals in the population than productive citizens.
What about, not answering yes or no with a yes or no. Also the attorney can't cut the witness off, he can just say, "I wan'st finished answering". They don't have the right to edit / truncate your answers.
Defendant's Attorney: "Yes or no?"
Expert Witness: I was using "billions" metaphorically not as an exact figure. There is about 3240 characters in that email so it would occur randomly about 2^3240 ~ 10^1080
You don't need the metadata, you just need the allocation table (an array of block IDs on some OSes, a bitmap on others), and enough superblock information to verify the filesystem type and find the allocation table. I guess this would be harder on filesystems that don't use an array or bitmap. I think ext2/ext3 uses free block lists spread sparsely around the drive. Also, partitioning the flash drive might complicate things, since most flash drives aren't partitioned.
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
Great, so the cute girl with computer problems tells her friends what a nice, helpful carpet mat you are, and at the least, this gets you a bunch more calls for free computer service (with nothing but a thank-you in return). At the best, they'll see you're single and fix you up with their massively-overweight girlfriend who can never get a date. Meanwhile, the cute girls whose computers you fix for free are dating the assholes on the college football team.
You'll probably be more successful in dating one of these girls if you act like you're running your own computer repair business, use actual invoices and such, and charge her for the service. Then she'll think you're someone who's going to make lots of money as a businessman, and the thought of that always gets women wet.
When Mindy the undergrad accidentally deletes her term paper and would be really REALLY grateful for a super smart and kinda cute geek to go in and recover the file with Backtrack... then you'll see the downside.
I still don't get it. The only difference is the phrase, "just friends", will be told to your face versus her just silently thinking it. So what is the downside?
except a lot of SSDs come in USB key form and Winderz deletes files off those immediately.
Er... Ok... what idiot would put their term paper on a USB key (except as a backup)?
Seeing how easily USB keys are lost, accidentally dropped, or crushed, and how prone to failure the $5 electronics in them are. Putting the only copy of your termpaper on one is asking for trouble.
you're right, although the relevance of the point still stands. Billions vs 1 billion is different from billions vs 10^616. But yeah.
Support my political activism on Patreon.
This source estimates the number of atoms as 4*10^79, which is between 2^264 and 2^265, which is negligible compared to 2^16384. Even if the estimate should be a few dozen orders of magnitudes wrong, it still wouldn't come anywhere near.
The Tao of math: The numbers you can count are not the real numbers.
Sure, it makes forensic data recovery harder, but I see no reason other than $ that the feds can't disassemble the things, desolder the RAM from the controller, and attach it to their own custom-built data-extraction device.
Sure, there may be some devices out there that are pretty much impossible to disassemble in this way, but I'm sure Congress will quietly pass a bill making any future device that isn't "forensically recoverable" in this way illegal without special government permission.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
The same properties that make it hard to prove you deleted the contents make it hard to *prove* what the contents were. No surprise here really. SSDs are a b*tch no matter which side you're on.
For hiding stuff, the best policy is to never store unencrypted data on the device. Install full-disk encryption, then data.
For recovering stuff *to legal standards*.. Who knows. The courts are fickle at first, but standards of evidence will emerge over time.
Blessed are the pessimists, for they have made backups.
Certainly hope the app was just a trivial part of her project and not her actual project. Never a good idea to get into a relationship with someone who doesn't do things themselves.
You're missing the point, though. The questions isn't "are there are enough monkeys locked in the room to write the complete works of Shakespeare?" - it's about the fact that the numbers are extremely large, and difficult to comprehend for the average juror. If they don't understand the math, then there is a reasonable (in the mind of the juror) doubt.
And yes, a lawyer can ask a yes/no question, and the judge will typically compel the witness to answer it in that fashion. There may be further discussion before or after, but a yes or a no will be the result.
Learn about Photography Basics.
It's too bad - or perhaps good if the cops seized your PCs and you have a good lawyer - that the devices don't have both a "high-level" interface and a "low-level" interface, where the "low-level" interface gives you complete control over the device - no writes happen without your explicit say-so. Couple this with a "disable automatic background behavior" pin that's checked on power-up, and you should have a device that's not only forensically readable, but much easier to do scientific research or any other task that requires predictable repeatability.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I heard she shacked up with some crazed freak who called himself "Mork".
Don't be a carpet mat then.
I do run my own computer business, with actual invoices and such, but I do not charge my friends for my services. Instead, we trade - a home-made dinner for getting rid of Anti Virus Studio 2010 and installing Avast, help painting my living room in exchange for setting up their wireless network, a bath and grooming for my dog after installing a new hard drive - nothing that costs me or them actual money, but we trade something of value.
So it should be with the cute girl. Never do something for nothing and always, always schedule a time - just don't drop everything to rush over and help unless it is a genuine emergency. I always leave a couple of business cards with people so they can refer me easily. Make sure that people realize your time is valuable, but that you can help them. That's the way I've operated for fifteen years and the number of referrals I've gotten from helping friends has me happily busy.
Word of mouth is the best advertising you can have, no matter if that is in business or in your personal life. You just have to work as hard to earn it as the dollars you would charge. And whether it is business or personal, YOU have to believe that what you offer is worth something.
How come Slashdot never gets Slashdotted?
The solution to this would be to add a new command to the ATA spec, call it FREEZE or something. If a drive receives this command, it won't do any writing/erasing, neither on its own or in response to ATA commands. Then you just create write blockers that also send this command.
Of course, this both requires new drives and new write blocker hardware, so it probably won't be implemented.
Very good advice. The problem is that many geeks are tempted to give away their services for free to cute girls in school, in the hopes of a possible relationship, and it never happens. The girls just think of you as a carpet mat, a provider of free services, and certainly not as a possible romantic interest.
Eventually, we're going to have more criminals in the population than productive citizens.
Eventually? You mean that hasn't happened already?
"Go to CNN [for a] spell-checked, fact-checked summary" -- CmdrTaco
If you encrypt the entire drive, the SSD firmware will have no idea which sectors are no longer referenced and can be deleted. You won't get the performance advantage of the SSD's speculative pre-erase. And if by chance your encryption gets exposed, it will not have overwritten those sensitive sectors in files you deleted that haven't yet been re-allocated to another file. But you'll probably be a little safer overall.
now we need to go OSS in diesel cars
Want to wipe deleted data off a drive? It's really simple, there is a method I always use before making an image of a drive. dd if=/dev/zero of=/location_on_drive Wait for the file to use all the space on the drive then delete it. I use it to make drive ghosts more compressable. Though if you wanted it for privacy you could always source from urandom instead of zero.
You're off by so many orders of magnitude, it hurts.
The chance of generating that particular e-mail, if it's 2 KiB, is 1 in 2^16384. (That's not really the number you want -- you want the chance of generating a similarly-incriminating e-mail. They're roughly equally improbable, though.)
So that's 1 in 2^16384 compared to 2^30 copies of the e-mail that would fit on the drive.
If the prosecution scoured every drive ever made for a random sequence of bits that looked like that e-mail, they'd never find it.
Plus, the expert witness generally has a better and less technical answer. Defense lawyers don't ask technical questions like that: the expert witness will undoubtedly have an answer, and you'll bore the jury to tears, which they hate.
"This story comes just 2 weeks after another story on slashdot saying that your data doesn't actually get deleted:"
The two papers are similar in that they both highlight unexpected and poorly documented behaviours of real world SSDs that diverge from traditional hard disk behaviour, and raise issues for digital forensics and data recovery. The irony is that the USENIX authors have shown SSDs may not purge data even when you try your best to make them do so (i.e. a problem for information security); whereas here, we show they may purge data permanently when you don't want or expect them to (i.e. a problem for digital forensics & law).
Graeme
You are missing the point. "How many 2KB sets of data could be on the disk? A billion" is being played off against "What is the chance that this email appeared in random data? 128^1024" which is also true.
So the weasel question is "So, assuming the data on the drive is random, then it's safe to say there are at least two billion opportunities on this drive to produce this email?" - (Actually it is even more - who says that the email needs to be byte aligned?).
The answer is "Because the size of the email is relatively larfge there is about the same amount of chance as all the atoms in your underwear jumping a meter to the left in the next 5 seconds - it is very, very, very improbable".
Ever been to court? Whether you can answer more than "yes or no" to a "yes or no" is rather up to the whims of the bewigged asshat at the front of the room.
Jesus was all right but his disciples were thick and ordinary. -John Lennon
I guess it depends on how old you are and what you consider an "old lady." When I was in college, someone who was more years older than you than you'd been alive counted.
IMNSHO You haven't scored until you've spent a sweaty night or three with a woman who's had a couple of decades to learn her way around a guy and to work up a good sense of adventure.
Yes I have, I've testified in multiple trials. And the "bewigged asshats" have never pulled anything remotely like that.
Reading from Flash is fast. Writing to an erased area of Flash is slower, but not too bad. You can only write to areas that have been erased. Erasing a Flash block is sloooooooooow.
Erasing turns all the bits to 1s in a block. Then turning a single 1 into a single 0 is relatively fast. However that 0 won't turn back into a 1 without an erase and the erase applies to a full block at once (64K or larger). Erasing involves applying some higher voltages for a certain duration of the right polarity, etc. This erase may take a few hundred milliseconds up to a second or more, depending on the type and how many times you've erased the block before.
Flash is like an Etch-a-Sketch. Writing means you just turn the knobs. But you can't un-write anything by turning the knobs. Instead you have to pick up the Etch-a-Sketch and hold it upside down and shake vigorously. Ok, silly analogy but I couldn't think of an automobile one. Or they're a bit like the old PROMs where you could only erase them by holding a window under a UV light for a period of time.
Which is WAY more than 'billions'. Not much of an expert that witness.
lol...well it is billions, just an absolute freakin' shitload of billions ;)
Well what are the laws right now for servers? Mainframes/Minis/Servers for decades have had automated processes running on them. They have all sorts of custom data formats so you can't use standardized tools....
Lucky you.
Jesus was all right but his disciples were thick and ordinary. -John Lennon
Lots of people sadly. Heck, it wasn't that long ago that people would unwisely carry around the only copy of their termpaper on a floppy disk. If you think USB thumbdrives have issues...
Well it was never my money at stake.
What judge would want:
During appeal: "Mr Bolden you were cut off by the judge is that correct"
JB: Yes
DA: Does this answer accurately reflect your opinion at the time?
JB: No
DA: Could this answer have misled the jury
JB: Yes.
etc...
Ah, I see the trick: better attorneys than I could afford.
Jesus was all right but his disciples were thick and ordinary. -John Lennon
Yeah. The nice guys won't sleep around because they know most girls don't really like it.
The bad guys on the other hand don't care about such stuff.
This was known way back in 2009.
"There is much pleasure to be gained from useless knowledge." - Bertrand Russell.
Isn't it more like that window7 support TRIM, meaning that it will issue a trim command to the SSD after a delete? The SSD firmware already has enough worries then to dive into a native file system.
oh no.
it was all above board.
it was for the data collection step: she needed prompts/information to appear on the screen for a very specific amount of time then for it to prompt people for answers.
I got an appendix.
Her supervisor even asked me about coding up a couple more for other students.
SSDs can do this? Call me when they can do STDs and I'll be more impressed.
"Be polite, be professional, but have a plan to kill everybody you meet." General James Mattis
So does running the Linux command shred completely obliterate data stored on an SSD, or not?
Ceci n'est pas une
A typical SSD is hampered by it's HDD FTL that *cannot* know what you want to do, so all operations except reading are very slow.
The only reason we use the HDD FTL is because of some operating systems don't support any good filesystems.
Since flash memory is different than a HDD, pretending it's not, is always going to be a headache, and cause unintended problems for the user.
It seems retarded that FTL coders are now trying to second-guess the operating systems by trying to understand what filesystem *may* be on it.
This will obviously cause any amount of headache for users, if data written on the block device just happens to look like fat32 or ntfs...
There's a much cooler and older technology out there, which is connecting flash directly to any of your fast buses. And using a modern filesystem that works well on flash, such as ubifs.
Nokia n900 was a good device to test the pros and cons of using flash directly (via ubifs) or indirectly on an MMC.
The performance on the direct flash memory totally overwhelms that of the indirect memory. in addition, you know things like bad blocks, can execute in place, append and proper compression support.
And most likely your flash memory will last a decade longer in normal use.
Most importantly, using flash directly makes this article pointless, since you *know* what has and hasn't been deleted.
On a magnitude scale, you would have reached atoms in the known universe not too long after 2^256. 2^16384 is thousands of magnitudes more than that.