Deftcon 2014 - Stefano Zanero - Comprehensive Black-box Methodology for Testing the Forensic Characteristics of Solid-state Drives (English)


  1. Comprehensive Black-box Methodology for Testing the Forensic Characteristics of Solid-state Drives
     DEFTcon, April 11th, 2014
     Gabriele Bonetti, Marco Viglione, Alessandro Frossi, Federico Maggi and Stefano Zanero
     Politecnico di Milano, Italy
     NElaboratory CST
  2. Table of contents
     1 Introduction
       • Challenges in black box analysis and goals
     2 Our testing methodology
       • Overview
       • Trimming
       • Garbage collection
       • Erasing patterns
       • Compression
       • Wear Leveling
       • Files Recoverability
     3 Putting it together: forensic friendliness
     4 Discussion and conclusions
  3. Introduction
  4. SSD Technology
     • NAND-based flash memory chips used as mass storage
     • Increasingly popular as prices drop
     • Widespread use in mobile devices
     • On the surface, a snap-in replacement for rotational drives (HDD)
  5. Under the surface...
     • SSDs have a shorter lifespan, as cells have a physical limit of approx. 10,000 program-erase cycles
     • Rewrite = blanking of a complete block (16 to 512kB)
     • This led to the development of the flash translation layer (FTL) [5, 7], a hw/sw combination that sits between the ATA channel and the memory chips
  6. FTL magic
     • Write caching
     • Trimming
     • Garbage collection
     • Data compression
     • Data encryption/obfuscation
     • Bad block handling
     • Wear leveling
  7. In other words...
     • In HDDs we can reliably physically address a sector from the OS and read it on the drive
     • In SSDs the FTL translates logical block addresses (LBA), as requested by the OS, into the respective physical block addresses (PBA) on the memory chips. The underlying mapping is completely transparent and can be modified by the FTL at any time for any reason. The FTL may move data around or blank data even if the OS is not running
     • Yay. Most forensic approaches and tools rely on the ability of the OS to access the raw data on the disk
  8. Can we bypass the FTL?
     • Not via software.
     • In theory, it can be bypassed by reading the memory chips directly [3] (via flashing tools, JTAG port, or physical extraction of chips)
     • [4, 8] built a complete custom setup to interact with flash memory chips using an FPGA and custom wing boards. Their goal is prototyping, but a similar setup could be used to reimplement FTL logic and read memory chips
     • In any case:
       • extremely time and money consuming process (needs custom hardware, reverse engineering of the FTL implementation...)
       • non-repeatable, leads to alteration or destruction of the evidence
       • very brittle process depending on firmware, hardware...
       • information not public and actually heavily protected IP of vendors
  9. Challenges in black box analysis and goals
  10. An unclear picture
     • Previous work suggests impact on black box forensic analysis.
     • [2] analyzes file recovery rate (SSDs vs HDDs)
       • Observes that even a write blocker does not prevent the FTL from modifying and in some cases blanking the evidence
       • Suggests a filesystem-aware garbage collection feature in FTLs
     • [6] tested 16 SSDs with usage scenarios and concluded that different combinations of usage, OS and file size influence recoverability (most sensible and extensive paper to date)
     • [1] found that carving didn’t work at all on SSDs
     • Other (non-scientific) reports suggested that data duplication due to wear leveling would increase recoverability
  11. The need for a triage methodology
     • We developed a simple and affordable black-box triage procedure to:
       1 assess impacts of FTL on the use of black-box tools
       2 assess likelihood of success of a white-box attempt
     • Test-driven workflow of experiments to assess the behavior of the FTL under different conditions
     • We can determine whether an SSD implements trimming, garbage collection, compression and/or wear leveling
  12. Our testing methodology
  13. Overview
  14. What we test for (1)
     • TRIM: preemptive blanking of erased blocks marked for trimming by the OS. Negative impact on forensics, as data persistence is reduced. [2] notes that this can occur even with a write blocker, impacting acquisition. Our methodology can determine the percentage of blocks that get erased and how fast
     • Garbage collection: hypothesized by [2] to work with a filesystem-aware controller that TRIMs blocks without OS support. Forensic impact obvious. We can determine whether it is employed by the SSD under examination
     • Erasing patterns: peculiar behaviors shown by some SSDs when using TRIM
  15. What we test for (2)
     • Compression: transparently employed by some drives to use fewer physical blocks and reduce wear. No challenges in black box analysis, but a definite challenge in white box. We can verify whether compression is active
     • Wear leveling: spreads consumption of cells as evenly as possible across the drive. We test for the so-called “write amplification” effect, which is a direct consequence of wear leveling
     • Files recoverability: a test on the efficacy of black box file recovery techniques
  16. Our test drives
     Table: Test drives, and their features as reported by vendors.
     Columns: SSD, WL, TRIM, GC, Compression
     Rows: Corsair F60, Samsung S470, Crucial M4
  17. A small but important caveat
     • SSDs are equipped with a small amount of DRAM-based cache memory to reduce physical writes
     • This can bias any test using small files (i.e. smaller than 512MB-1GB, typical cache size)
     • Experiments in [1] were probably biased by this, and files were never written to disk, explaining zero carving results. Ditto for [6]
     • Solution is simply to disable cache (e.g. on Linux via hdparm -W 0) or to use large files.
  18. Trimming
  19. Methodology
     Figure: TRIM test flow
     • Disk formatting (NTFS or ext4)
     • Disk filling at different percentages (25%, 50%, 75%, 100%)
     • Start real-time analysis of disk zeroed space
     • Single files deletion
     • Quick format in OS with TRIM support (Win7 for NTFS, Ubuntu for ext4)
     • Zeroing percentage verification
     • Check state of deleted file's sectors:
       hdparm --fibmap <filename>
       hdparm --read-sector <address> /dev/sdx
  20. Results
     • If TRIM is present and active, it activates in 1-10 seconds
     • On NTFS, Samsung S470 and Crucial M4 trimmed aggressively, wiping the disk/file in under 10 seconds
     • Weird behavior of Corsair F60, as in figure: erased blocks somehow proportional to used space. Some files wiped in at most 3 seconds after deletion, others untouched
       [Figure: zeroed space [Gb] vs. allocated space on disk [Gb]]
     • On ext4, all disks erased in about 15 seconds with format. Samsung S470 did not erase on file delete. Crucial M4 was notified of TRIM only on unmounting. Corsair F60 erased all files “correctly”
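The "check state of deleted file's sectors" step of the TRIM test, as an added example that is not code from the slides or the authors. It assumes the `hdparm --fibmap` output was saved before the file was deleted; the sample output, the path `/mnt/ssd/sample.bin` and the in-memory "device" are constructed, and the function names are hypothetical.

```python
import io
import re
import time

SECTOR = 512  # hdparm --fibmap reports LBAs in 512-byte sectors

# Constructed sample of `hdparm --fibmap <filename>` output, saved before deletion.
FIBMAP_SAMPLE = """\
/mnt/ssd/sample.bin:
 filesystem blocksize 4096, begins at LBA 0; assuming 512 byte sectors.
 byte_offset  begin_LBA    end_LBA    sectors
           0          8         15          8
        4096         24         27          4
"""

_EXTENT = re.compile(r"\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*")


def parse_fibmap(text):
    """Return the file's extents as [(begin_lba, end_lba)], both inclusive."""
    extents = []
    for line in text.splitlines():
        m = _EXTENT.fullmatch(line)
        if not m:
            continue  # file name, filesystem line, column header
        _, begin, end, count = map(int, m.groups())
        if end - begin + 1 != count:
            raise ValueError(f"inconsistent extent line: {line!r}")
        extents.append((begin, end))
    return extents


def zeroed_fraction(dev, extents, sector=SECTOR):
    """Fraction of the file's former sectors that now read back as all zeroes."""
    total = zeroed = 0
    for begin, end in extents:
        dev.seek(begin * sector)
        for lba in range(begin, end + 1):
            buf = dev.read(sector)
            if len(buf) != sector:
                raise IOError(f"short read at LBA {lba}")
            total += 1
            if buf.count(0) == sector:
                zeroed += 1
    return zeroed / total if total else 0.0


def watch(open_dev, extents, polls, interval, sleep=time.sleep, clock=time.monotonic):
    """Poll after the deletion; return [(seconds_elapsed, zeroed_fraction)].

    open_dev() must return a fresh readable handle. On a live drive, read with
    O_DIRECT or via hdparm --read-sector so data comes from the SSD, not the
    page cache.
    """
    start = clock()
    timeline = []
    for _ in range(polls):
        with open_dev() as dev:
            timeline.append((clock() - start, zeroed_fraction(dev, extents)))
        sleep(interval)
    return timeline


def make_sample_device(trimmed=True):
    """Constructed 32-sector 'drive': all 0xAA, LBAs 8..15 zeroed if trimmed."""
    data = bytearray(b"\xaa" * (32 * SECTOR))
    if trimmed:
        data[8 * SECTOR:16 * SECTOR] = bytes(8 * SECTOR)
    return io.BytesIO(bytes(data))


if __name__ == "__main__":
    extents = parse_fibmap(FIBMAP_SAMPLE)
    print(extents, zeroed_fraction(make_sample_device(), extents))
```

A result strictly between 0 and 1 for one file is the partial-wipe case the results slide describes for the Corsair F60, so the fraction is worth recording per file rather than only per disk.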
  21. Garbage collection
  22. Methodology
     Figure: Garbage collection test flow.
     • Disk filling at different percentages (25%, 50%, 75%, 100%)
     • Start real-time analysis of disk free space
     • Quick format
     • Keep disk active for a long time, overwriting files if not already in use, switch to a forensic OS
     • Keep disk idle for a long time
     • Periodic verification of free space percentage and zeroing time
     • Annotations in the figure: DEFT; 16 h
  23. Results
     • [2] found out that GC triggers in almost 3 minutes.
     • Non-authoritative sources state 3 to 12 hours
     • In our test, none of the SSDs performed garbage collection. We even tried to replicate the exact test of [2], with identical hardware, software and firmware version, but to no avail, even with the assistance of the author.
  24. Erasing patterns
  25. Methodology
     Figure: Erasing patterns test flow.
     • Disk formatting (NTFS or ext4)
     • Disk filling at different percentages (25%, 50%, 75%, 100%)
     • Disk image acquisition
     • Quick format in OS with TRIM support (Win7 for NTFS, Ubuntu for ext4)
     • Disk image acquisition
     • Comparison to find zeroing patterns
  26. Results
     • Certain SSD controllers may exhibit unexpected trimming patterns
     • In our case, the target of interest was the Corsair F60 SSD. See maps below:
       [Figure: trimming maps at (a) 10%, (b) 50%, (c) 75%, (d) 100%]
     • Validated on file recovery. Files in green stripes are recoverable only 0.34% of the time; outside them, 99%
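The "comparison to find zeroing patterns" step, as an added example that is not code from the slides or the authors. It compares the image acquired before the quick format with the one acquired after it and returns a run-length map of what happened to each chunk; the chunk size, state names and sample images are constructed for illustration.

```python
import io


def classify(before, after):
    """State of one chunk across the quick format."""
    if before.count(0) == len(before):
        return "empty"    # held no data before the format
    if after.count(0) == len(after):
        return "wiped"    # held data, now reads back as zeroes
    return "kept" if after == before else "changed"


def erase_map(before_img, after_img, chunk=4096):
    """Return [(offset, length, state)] with adjacent equal states merged."""
    runs = []
    offset = 0
    while True:
        b = before_img.read(chunk)
        a = after_img.read(chunk)
        if not b and not a:
            break
        if len(b) != len(a):
            raise ValueError("images differ in size")
        state = classify(b, a)
        if runs and runs[-1][2] == state:
            start, length, _ = runs[-1]
            runs[-1] = (start, length + len(b), state)
        else:
            runs.append((offset, len(b), state))
        offset += len(b)
    return runs


def wiped_share(runs):
    """Share of previously written bytes that the drive zeroed."""
    data = sum(length for _, length, state in runs if state != "empty")
    wiped = sum(length for _, length, state in runs if state == "wiped")
    return wiped / data if data else 0.0


def sample_images(chunk=4096):
    """Constructed 16-chunk images: 12 data chunks, then a striped wipe."""
    before = [bytes([i + 1]) * chunk for i in range(12)] + [bytes(chunk)] * 4
    after = list(before)
    after[0] = b"\xee" * chunk          # new filesystem metadata
    for i in (1, 4, 5, 8, 9):           # stripes the controller zeroed
        after[i] = bytes(chunk)
    return io.BytesIO(b"".join(before)), io.BytesIO(b"".join(after))


if __name__ == "__main__":
    runs = erase_map(*sample_images())
    for offset, length, state in runs:
        print(f"{offset:>8} {length:>8} {state}")
    print(f"wiped share of written data: {wiped_share(runs):.2%}")
```

Alternating "wiped" and "kept" runs of regular length in the output are the kind of stripes the slides report; an aggressive TRIM implementation would show a single "wiped" run instead.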
  27. Compression
  28. Methodology
     Figure: Compression test flow.
     • OS write cache disabling
     • Creation of data blocks of equal size (10 GB)
     • Creation of low entropy data (/dev/zero), copy data in main memory, write time calculation
     • Creation of high entropy data (/dev/urandom), copy data in main memory, write time calculation
     • Write time calculation tool: iostat
     • Write time comparison
  29. Results
     [Figure panels: (a) Samsung, (b) Crucial, (c) Corsair; throughput [MB/s] vs. time [m:s]; low entropy on top, high entropy at the bottom]
     Figure: Mean and variance of the sampled throughput among 15 repeated transfers of 10GB low (top) and high (bottom) entropy files. The intuition is that the overhead of hw compression is negligible, so files that can be compressed take less time to write. Samsung and Crucial drives show no difference: no compression; Corsair performs hw compression instead.
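The write-time comparison above, as an added example that is not code from the slides or the authors. It times synchronous writes of equal-size low and high entropy buffers prepared in memory and compares the two sample sets; the Welch-style decision rule and its thresholds (`t_min`, `gain_min`) are assumptions of this example, not values from the talk.

```python
import math
import os
import statistics
import time


def timed_write(path, payload):
    """Write payload, force it to the device with fsync, return MB/s."""
    start = time.perf_counter()
    with open(path, "wb") as f:
        f.write(payload)
        f.flush()
        os.fsync(f.fileno())
    elapsed = max(time.perf_counter() - start, 1e-9)
    return len(payload) / elapsed / 1e6


def measure(target_dir, size, repeats):
    """Throughput samples for low and high entropy data of equal size.

    Both buffers are built in memory first, so generating random data is
    not counted as write time. size should exceed the drive's DRAM cache.
    """
    low = bytes(size)        # same content as reading /dev/zero
    high = os.urandom(size)  # random data, as from /dev/urandom
    path = os.path.join(target_dir, "entropy_probe.bin")
    samples = {"low": [], "high": []}
    try:
        for _ in range(repeats):
            samples["low"].append(timed_write(path, low))
            samples["high"].append(timed_write(path, high))
    finally:
        if os.path.exists(path):
            os.remove(path)
    return samples


def looks_compressed(low, high, t_min=3.0, gain_min=1.2):
    """True if low entropy writes are clearly faster than high entropy ones.

    Needs at least two samples per set. t_min and gain_min are thresholds
    assumed for this example.
    """
    m_low, m_high = statistics.mean(low), statistics.mean(high)
    se = math.sqrt(statistics.variance(low) / len(low)
                   + statistics.variance(high) / len(high))
    if se == 0:
        t = 0.0 if m_low == m_high else math.copysign(math.inf, m_low - m_high)
    else:
        t = (m_low - m_high) / se
    return t > t_min and m_low > gain_min * m_high


if __name__ == "__main__":
    # Constructed throughput samples in MB/s, not measurements from the talk.
    print(looks_compressed([250, 255, 248, 252], [60, 62, 59, 61]))
    print(looks_compressed([60, 61, 59, 62], [61, 60, 62, 59]))
```

Point `measure` at a directory on the SSD under test; filesystem-level compression or a RAM-backed target would distort the comparison in the same way the drive cache does.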
  30. Wear Leveling
  31. Methodology
     Figure: Wear leveling test flow
     • OS write cache disabling
     • Partial disk filling at different percentages (25%, 50%, 75%)
     • Start real-time analysis of disk free space
     • Creation of a file with known pattern
     • Multiple overwrites of file with known pattern (10,000 writes)
     • Periodic verification of zeroed space
     • Disk image acquisition
     • Carving to find multiple copies of known file
  32. Results
     • We do not test for presence (almost a default) but for usefulness for forensic analysis
     • From a black box PoV, if write amplification does not happen, or is completely masked, there is no difference
     • No drives showed write amplification from an external PoV
  33. Files Recoverability
  34. Methodology
     Figure: Files recoverability test flow.
     • Choice of a file easy to recover (to eliminate weight of carver errors)
     • File hash calculation (md5sum <file>, sha1sum <file>)
     • Disk filling
     • Quick format
     • Disk image acquisition
     • Carving
     • Recovered files hash calculation
     • Integrity check on recovered files
  35. Results
     SSD      FS    Written  Recovered  %
     Samsung  NTFS  112,790  0          0 %
     Samsung  ext4  110,322  0          0 %
     Corsair  NTFS  101,155  71,607     70.79 %
     Corsair  ext4  99,475   0          0 %
     Crucial  NTFS  112,192  0          0 %
     Crucial  ext4  110,124  0          0 %
     Table: Files recoverability test results: the drives implementing an aggressive version of TRIM (Samsung S470 on NTFS and Crucial M4) did not allow the recovery of any file after a format procedure. The Corsair F60 on NTFS, as expected, has a non-null recovery rate due to the erasing pattern its TRIM implementation exposes. On ext4, however, this same disk allowed the recovery of 0 out of 99,475 files.
  36. Putting it together: forensic friendliness
  37. Methodology
     Figure: Use case workflow for assessing the forensic friendliness of an SSD.
     • Tests in the workflow: 4.1 TRIM; 4.2 Garbage Collection; 4.3 Erasing Patterns; 4.6 Files Recoverability (single file removal); 4.6 Files Recoverability (quick format)
     • Decision nodes: Zeroing detected?; Pattern detected?; Intact files recovered? (twice)
     • Edge labels: Yes; No; Some files; Partially; None
     • Outcomes: Class A; Class B; Class C; Class D; Antiforensics feasible
  38. Discussion and conclusions
  39. Limitations
     • We did not test multiple firmware versions, as firmware upgrades are one-way in most cases and this would make the experiments difficult to repeat
     • We did not test differences in device drivers and AHCI commands, for simplicity
     • If the investigator does not know the OS version in use, our methodology may not give usable insights
  40. Conclusions
     • SSDs implement techniques that are potentially disruptive to black box forensics
     • We created a triage workflow to understand the impact and potential gain of a white-box approach
     • We showed that the combination of controller, OS, filesystem and even disk usage can deeply influence forensic procedures
     • We showed that garbage collection is not currently offered by leading drives on the market
  41. Thank you for your attention. Questions?
     Let’s keep talking on Twitter (@raistolo) or on email (stefano.zanero@polimi.it)
  42. Acknowledgments
     The work has been partially funded by the European Union Seventh Framework Programme (FP7/2007-2013) under grant agreement n° 257007 “SysSec”
  43. References I
     [1] Christopher J. Antonellis. Solid state disks and computer forensics. ISSA Journal, pages 36–38, July 2008.
     [2] Graeme B. Bell and Richard Boddington. Solid state drives: The beginning of the end for current practice in digital forensic recovery? Journal of Digital Forensics, Security and Law, 5(3), December 2010.
     [3] Marcel Breeuwsma, Martien De Jongh, Coert Klaver, Ronald Van Der Knijff, and Mark Roeloffs. Forensic data recovery from flash memory. Small Scale Digital Device Forensics Journal, 1:1–17, 2007.
  44. References II
     [4] Trevor Bunker, Michael Wei, and Steven Swanson. Ming II: A flexible platform for NAND flash-based research. Technical Report CS2012-0978, UCSD CSE, 2012.
     [5] Intel. AP-684: Understanding the flash translation layer (FTL) specification. Intel Application Note. http://www.jbosn.com/download_documents/FTL_INTEL.pdf, 1998.
  45. References III
     [6] Christopher King and Timothy Vidas. Empirical analysis of solid state disk data retention when used with contemporary operating systems. volume 8, pages S111–S117, Amsterdam, The Netherlands, August 2011. Elsevier Science Publishers B. V.
     [7] Robert Templeman and Apu Kapadia. Gangrene: exploring the mortality of flash memory. In HotSec’12, pages 1–1, Berkeley, CA, USA, 2012. USENIX Association.
  46. References IV
     [8] Michael Wei, Laura M. Grupp, Frederick E. Spada, and Steven Swanson. Reliably erasing data from flash-based solid state drives. In FAST’11, pages 8–8, Berkeley, CA, USA, 2011. USENIX Association.
