Sentient Storage - Do SSDs Have a Mind of Their Own?

DEF CON 24

Presented by: Tom Kopchak
Date: Friday August 05, 2016
Time: 13:00 - 13:50
Location: DEF CON 101

Solid state drives drives are fundamentally changing the landscape of the digital forensics industry, primarily due to the manner in which they respond to the deletion of files. Previous research has demonstrated that SSDs do not always behave in an equivalent manner to magnetic hard drives, however, the scope of these differences and the conditions that lead to this behavior are still not well understood. This basic, undeniable anomaly regarding file storage and recovery begs one simple, yet critical question: can the data being mined for evidence be trusted?

This talk presents research on the forensic implications of SSDs from one of the most comprehensive studies to date. The goal of this study was to demonstrate and quantify differences across a sample pool of drives in an array of tests conducted in a controlled environment. These tests explored the variations between drive firmware, controllers, interfaces, operating systems, and TRIM state.

Further observations revealed that some drives behaved nearly identical to the control drive, while others showed that the prospects of recovering deleted data was significantly reduced. This presentation will demonstrate these differences and provide a framework to allow forensics investigators to determine the likelihood of successful deleted file recovery from an evidence bearing solid state drive.

Tom Kopchak

Tom Kopchak is the Director of Technical Operations at Hurricane Labs, where he pretends to manage a team of network and system engineers, but is still an engineer and technology geek at heart. While new to the DEF CON stage, Tom’s speaking experience includes numerous talks on breaking full disk encryption (including BSides LV) and numerous other talks at other conferences around the country. He holds a Master’s degree in Computing Security from the Rochester Institute of Technology. When he is not working with computers, Tom enjoys composing, music improvisation (Acts of Music), and playing both the piano and organ. Twitter: @tomkopchak


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats