Solid State Drives Destroy Forensic & Data Recovery Jobs: Animated!

Presented at DEF CON 16 (2008), Aug. 9, 2008, 6 p.m. (50 minutes)

This speech is all ANIMATION in 3D! Data on a Solid State Device is virtualized and the Physical Sector that you are asking for is not actually the sector it was 5 minutes ago. The data moves around using wear leveling schemes controlled by the drive using propriety methods. When you ask for Sector 125, its physical address block is converted to an LBA block and every 5 write cycles the data is moved to a new and empty previously erased block. This destroys metadata used in forensics & data recovery. File Slack Space disappears, you can no longer be sure that the exact physical sector you are recovering was in the same location or has not been moved or find out what it used to be! I will explain how Flash and Solid State Drives are different and compare them to hard drives in their ability to read and write data. What happens when they are damaged and a recovery needs to be done? In this process you will see how the data gets shuffled around and how some of the data is destroyed in the process making it impossible in many cases to recover some files and metadata that on a hard drive has been a simple task by comparison. You will also get an idea about how propriety methods that each vendor is using will isolate you from knowing what is happening to your data or even where it is on the drive. And at the very least the animation is the quality of the History Channel and you will enjoy what you are learning!

Presenters:

• Scott Moulton - President of Forensic Strategy Services, LLC
  Scott Moulton Scott Moulton began his forensic computer career with a specialty in rebuilding hard drives for investigation purposes and has rebuilt hard drives for several cases including murder investigations, corporate fraud, civil defense and criminal defense. Scott was the first person arrested for Port Scanning and won his case back in 2000 when the judge declared Port scans legal. Scott has also been fighting against computer forensic people and computer security people having to become private investigators for which laws are being passed in each state making it a felony to do any kind of 'digital investigation' without a PI License. Scott has spent more than a year digging into repairing Solid State Hard Drives and understands the ins and outs and how it will affect recovery and forensics in the future. Many forensic jobs will change due to fact that some information will not be accessible in the future.

Links:

• https://defcon.org/html/defcon-16/dc-16-speakers.html#Moulton2
• https://www.youtube.com/watch?v=llMuZQBIUqw

Similar Presentations:

• DEF CON 14 (2006) / Rebuilding HARD DRIVES for Data Recovery: Anatomy of a Hard Drive
• DEF CON 15 (2007) / Re-Animating Drives & Advanced Data Recovery
• DEF CON 24 (2016) / Sentient Storage - Do SSDs Have a Mind of Their Own?