View
626
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Citation preview
Comprehensive Black-box Methodology for Testingthe Forensic Characteristics of Solid-state Drives
DEFTconApril 11th, 2014
Gabriele Bonetti,Marco Viglione, Alessandro Frossi,Federico Maggi and Stefano Zanero
Politecnico di Milano, Italy
NElaboratoryCST
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
Table of contents
1 IntroductionChallenges in black box analysis and goals
2 Our testing methodologyOverviewTrimmingGarbage collectionErasing patternsCompressionWear LevelingFiles Recoverability
3 Putting it together: forensic friendliness
4 Discussion and conclusions
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
Introduction
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
SSD Tehnology
• NAND-based flash memory chips used as mass storage• Increasingly popular as prices drop• Widespread use in mobile devices• On the surface, a snap-in replacement for rotational drives(HDD)
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
Under the surface...
• SSDs have a shorter lifespan as cells have a physical limit ofapprox. 10,000 program-erase cycles
• Rewrite = blanking of a complete block (16 to 512kB)• Led to development of flash translation layer (FTL) [5, 7],hw/sw combination that sits between ATA channel andmemory chips
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
FTL magic
• Write caching• Trimming• Garbage collection• Data compression• Data encryption/obfuscation• Bad block handling• Wear leveling
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
In other words...
• In HDDs we can reliably phisically address a sector from theOS and read it on the drive
• In SDDs FTL translates logical block addresses (LBA) asrequested by the OS into the respective physical blockaddresses (PBA) on memory chips. The underlying mapping iscompletely transparent and can be modified by the FTL at anytime for any reason. The FTL may move data around or blankdata even if the OS is not running
• Yay. Most forensic approaches and tools rely on the ability ofthe OS to access the raw data on the disk
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
Can we bypass the FTL?
• Not via software.• In theory, can be bypassed by reading directly the memorychips [3] (via flashing tools, JTAG port, or physical extractionof chips)
• [4, 8] built a complete custom setup to interact with flashmemory chips using an FPGA and custom wing boards. Theirgoal is prototyping but similar setup could be used toreimplement FTL logic and read memory chips
• In any case:• extremely time and money consuming process (needs custom
hardware, reverse engineer FTL implementation...)• non-repeatable, leads to alterattion or destruction of the
evidence• very brittle process depending on firmware, hardware...• information not public and actually heavily protected IP of
vendorsStefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
Challenges in black box analysis and goals
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
An unclear picture
• Previous work suggests impact on black box forensic analysis.• [2] analyzes file recovery rate (SSDs vs HDDs)
• Observes that even a write blocker does not prevent the FTLfrom modifying and in some cases blanking the evidence
• Suggests a filesystem aware garbage collection feature in FTLs
• [6] tested 16 SSDs with usage scenarios and concluded thatdifferent combinations of usage, OS and file size influencerecoverability (most sensible and extensive paper to date)
• [1] found that carving didn’t work at all on SSDs• Other (non-scientific) reports suggested that data duplicationdue to wear leveling would increase recoverability
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
The need for a triage methodoloy
• We developed a simple and affordable black-box triageprocedure to:
1 assess impacts of FTL on the use of black-box tools2 assess likelihood of success of a white-box attempt
• Test driven workflow of experiments to assess the behavior ofthe FTL under different conditions
• We can determine whether a SSD implements trimming,garbage collection, compression and/or wear leveling
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
Our testing methodology
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
Overview
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
What we test for (1)
TRIM: preemptive blanking of erased blocks marked fortrimming by the OS. Negative impact on forensics asdata persistence is reduced. [2] notes that this canoccur even with a write blocker, impactingacquisition. Our methodology can determine thepercentage of blocks that get erased and how fast
Garbage collection: hypothesized by [2] to work with afilesystem-aware controller, that TRIMs block withoutOS support. Forensic impact obvious. We candetermine whether it is employed by the SSD underexamination
Erasing patterns: peculiar behaviors shown by some SSDs whenusing TRIM
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
What we test for (2)
Compression: transparently employed by some drives to use lessphysical blocks and reduce wear. No challenges inblack box analysis, but definite challenge in whitebox. We can verify whether compression is active
Wear leveling: spreads consumption of cells as evenly as possibleacross the drive. We test for the so-called “writeamplification” effect, which is a direct consequence ofthe wear leveling
Files recoverability: a test on the efficacy of black box file recoverytechniques
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
Our test drives
SSD WL TRIM GC CompressionCorsair F60 X X X X
Samsung S470 X X XCrucial M4 X X
Table : Test drives, and their features as reported by vendors.
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
A small but important caveat
• SSDs are equipped with a small amount of DRAM-basedcache memory to reduce physical writes
• This can bias any test using small files (i.e. smaller than512MB-1GB, typical cache size)
• Experiments in [1] were probably biased by this, and files werenever written to disk, explaining zero carving results. Ditto for[6]
• Solution is simply to disable cache (e.g. on Linux via hdparm-W 0) or to use large files.
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
Trimming
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
Methodology
Disk formatting
Disk filling atdifferent percentages
25%, 50%, 75%, 100%
NTFS or ext4
Start real-time analysisof disk zeroed space
Single filesdeletion
Quick format in OSwith TRIM support
Win7 for NTFSUbuntu for ext4
Zeroing percentageverification
Check stateof deleted
file's sectors
hdparm --fibmap<filename>
hdparm --read-sector<address> /dev/sdx
Figure : TRIM test flow
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
Results
• If TRIM present and active, it activates in 1-10 seconds• On NTFS, Samsung S470 and Crucial M4 trimmedaggressively, wiping the disk/file in under 10 seconds
• Weird behavior of Corsair F60 as in figure: erased blockssomeway proportional to used space. Some files wiped in atmost 3 seconds after deletion, others untouched
0
5
10
15
0 10 20 30 40 50 60
Zer
oed
spac
e [G
b]
Allocated space on disk [Gb]
• ext4 all disks erased in about 15 seconds with format.Samsung S470 did not erase on file delete. Crucial M4 wasnotified of TRIM only on unmounting. Corsair F60 erased allfiles “correctly”
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
Garbage collection
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
Methodology
Disk filling atdifferent percentages
25%, 50%, 75%, 100%
Start real-time analysisof disk free space
Quick format
DEFT
Keep disk active fora long time,
overwriting files
if not already in use,switch to a forensic OS
Keep disk idle fora long time
Periodic verification offree space percentage
and zeroing time
16 h
Figure : Garbage collection test flow.
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
Results
• [2] found out that GC triggers in almost 3 minutes.• non-authoritative sources state 3 to 12 hours• In our test, none of the SSDs performed garbage collection.We even tried to replicate the exact test of [2], with identicalhardware, software and firmware version, but to no avail, evenwith the assistance of the author.
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
Erasing patterns
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
Methodology
Disk formatting
Disk filling atdifferent percentagwes
NTFS or ext4
Disk imageacquisition
Quick format in OSwith TRIM support
Win7 for NTFSUbuntu for ext4
Disk imageacquisition
Comparison to findzeroing patterns
25%,50%,75%,100%
Figure : Erasing patterns test flow.
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
Results
• Certain SSD controllers may exhibit unexpected trimmingpatterns
• In our case, target of interest was the Corsair F60 SSD. Seemaps below:
(a) 10%. (b) 50% (c) 75% (d) 100%
• Validated on file recovery. Files in green stripes are recoverableonly 0.34% of the times, outside 99%
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
Compression
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
Methodology
Creation oflow entropy data
Creation ofhigh entropy data
Creation of datablocks of equal size
Write timecalculation
/dev/zero /dev/urandom
Write timecalculation
iostat
Write timecomparison
OS write cachedisabling
10 GB
Copy data inmain memory
Copy data inmain memory
Figure : Compression test flow.
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
Results
0
10
20
30
40
50
60
70
00:00 00:30 01:00 01:30 02:00 02:30 03:00 03:30 04:00 04:30
Thro
ughput
[MB
/s]
Time [m:s]
(a) Samsung
0
20
40
60
80
100
120
00:00 00:15 00:30 00:45 01:00 01:15 01:30 01:45
Thro
ughput
[MB
/s]
Time [m:s]
(b) Crucial
0
50
100
150
200
250
300
00:00 00:10 00:20 00:30 00:40 00:50
Thro
ughput
[MB
/s]
Time [m:s]
(c) Corsair
0
10
20
30
40
50
60
70
00:00 00:30 01:00 01:30 02:00 02:30 03:00 03:30 04:00 04:30
Thro
ughput
[MB
/s]
Time [m:s]
0
20
40
60
80
100
120
00:00 00:15 00:30 00:45 01:00 01:15 01:30 01:45
Thro
ughput
[MB
/s]
Time [m:s]
0
10
20
30
40
50
60
70
00:00 00:30 01:00 01:30 02:00 02:30 03:00 03:30
Thro
ughput
[MB
/s]
Time [m:s]
Figure : Mean and variance of the sampled throughput among 15repeated transfers of 10GB low (top) and high (bottom) entropy files.Intuition is that overhead for hw compression negligible, thus takes lessto write files that can be compressed. Samsung and Crucial drives showno difference: no compression; Corsair performs hw compression instead.
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
Wear Leveling
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
Methodology
Partial disk filling atdifferent percentages
25%, 50%, 75%
Start real-time analysisof disk free space
Creation of a filewith known pattern
Multiple overwrites offile with known pattern
Disk imageacquisition
Carving to find multiplecopies of known file
10,000 writes
OS write cachedisabling
Periodic verfiicationof zeroed space
Figure : Wear leveling test flow
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
Results
• Not test for presence (almost default) but for usefulness forforensic analysis
• From black box PoV, if write amplification does not happen,or is completely masked, there is no difference
• No drives showed write amplification from an external PoV
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
Files Recoverability
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
Methodology
Choice of a fileeasy to recover
(to eliminate weightof carver errors)
Disk imageacquisition
Disk filling
Quick format
Recovered fileshash calculation
Integrity check onrecovered files
File hashcalculation
Carving
md5sum <file>
sha1sum <file>
Figure : Files recoverability test flow.
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
Results
SSD FS Written Recovered %
Samsung NTFS 112,790 0 0 %ext4 110,322 0 0 %
Corsair NTFS 101,155 71,607 70.79 %ext4 99,475 0 0 %
Crucial NTFS 112,192 0 0 %ext4 110,124 0 0 %
Table : Files recoverability test results: the drives implementing anaggressive version of TRIM (Samsung S470 on NTFS and Crucial M4),did not allow the recovery of any file after a format procedure. TheCorsair F60 on NTFS, as expected, has a non-null recovery rate due tothe erasing pattern its TRIM implementation exposes. On ext4, however,this same disk allowed the recovery of 0 out of 99,475 files.
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
Putting it together: forensic friendliness
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
Methodology
4.1 TRIM4.2 Garbage
Collection
Zeroing detected?
4.6. Files Recoverability
(single file removal)
4.6. Files Recoverability (quick format)
Yes Yes
4.3 Erasing Patterns
Yes
Class A No
Pattern detected?
Antiforensics feasible
Yes
Class B
Class C
Class D
Intact files recovered?
Intact files recovered?
Some files PartiallyNone No
Figure : Use case workflow for assessing the forensic friendliness of a SSD.
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
Discussion and conclusions
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
Limitations
• We did not test multiple firmware versions, as firmwareupgrades are one-way in most cases and this would make theexperiments difficult to repeat
• We did not test on difference of device driver and AHCIcommands, for simplicity
• If investigator does not know OS version in use, ourmethodology may not give usable insights
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
Conclusions
• SSDs implement techniques that are potentially disruptive toblack box forensics
• We created a triage workflow to understand impact andpotential gain of white-box approach
• We showed that the combination of controller, OS, filesystemand even disk usage can deeply influence forensic procedures
• We showed that garbage collection is not currently offered byleading drives on the market
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
Thank you for your attention. Questions?
Let’s keep talking on Twitter (@raistolo) or on email([email protected])
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
Acknowledgments
The work has been partially funded by the European Union SeventhFramework Programme (FP7/2007-2013) under grant agreementn◦ 257007 “SysSec”
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
References I
Christopher J. Antonellis.Solid state disks and computer forensics.ISSA Journal, pages 36–38, July 2008.
Graeme B. Bell and Richard Boddington.Solid state drives: The beginning of the end for currentpractice in digital forensic recovery?Journal of Digital Forensics, Security and Law, 5(3), December2010.
Marcel Breeuwsma, Martien De Jongh, Coert Klaver, RonaldVan Der Knijff, and Mark Roeloffs.Forensic data recovery from flash memory.Small Scale Digital Device Forensics Journal, 1:1–17, 2007.
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
References II
Trevor Bunker, Michael Wei, and Steven Swanson.Ming II: A flexible platform for NAND flash-based research.Technical Report CS2012-0978, UCSD CSE, 2012.
Intel.AP-684: Understanding the flash translation layer (FTL)specification.Intel Application Note. http://www.jbosn.com/download_documents/FTL_INTEL.pdf,1998.
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
References III
Christopher King and Timothy Vidas.Empirical analysis of solid state disk data retention when usedwith contemporary operating systems.volume 8, pages S111–S117, Amsterdam, The Netherlands,The Netherlands, August 2011. Elsevier Science Publishers B.V.
Robert Templeman and Apu Kapadia.Gangrene: exploring the mortality of flash memory.In HotSec’12, pages 1–1, Berkeley, CA, USA, 2012. USENIXAssociation.
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs
Introduction Our testing methodology Putting it together: forensic friendliness Discussion and conclusions
References IV
Michael Wei, Laura M. Grupp, Frederick E. Spada, and StevenSwanson.Reliably erasing data from flash-based solid state drives.In FAST’11, pages 8–8, Berkeley, CA, USA, 2011. USENIXAssociation.
Stefano Zanero Comprehensive Black-box Methodology for Testing the Forensic Characteristics of SSDs