
Are you ready? Yeah. Okay, all right. So I want to talk about SSD data evaporation. If you have a hard drive and you save a file on it and you delete it, it's not gone, right? Even if you reformat the drive, it's not gone. It'll persist there until you reuse those blocks. But a paper came out in 2010 saying this will be the end of computer forensics, because that's not true anymore for SSDs. Um, SSDs have a background process of garbage collection, so they recover lost blocks. Unfortunately, it is not simple at all, um, and I don't think it's fair to say it's the end of computer forensics, but what I think it is, is computer forensics getting off its high horse and pretending to be perfect and exact and reproducible, and getting down to the same level as every other kind of forensics. Like, if there's a fingerprint on a door and you dust it with powder and get a picture, you can't do it again and get exactly the same answer and calculate some MD5 hash and have it be the same. You just have to do it right. You have to go to court and say, I'm competent because I have a Le certificates or something that proves, like, did it right, you just have to trust me. And computer forensics is going to become the same way.

Um, SSDs are going to be like one quarter of the market in a couple of years, and SSDs do frequently have data evaporate, and I'm going to attempt to demonstrate. One demonstration will work; the other is a random chance of working. What I've done is I've taken, this is a MacBook Air with the built-in SSD, and I took, in order to demonstrate this, there are two ways to do it on the Mac. One important trick, though, is you have to use big files. You have to have about a gigabyte of data or things won't work. Here's the spam folder, and in that spam folder I have one gigabyte of files. I have five little files named spam, and if you open one of
those files you will see it is just full of the word spam, spam, spam, spam, spam, all over and over again, until 200 megabytes of spam. So when I made these files about 5 minutes ago, sitting out there, I copied them from another folder into this folder, and when I did that, one of them was open in this text editor, and unbeknownst to me that created the situation where it made a temporary file that was deleted. So let me do my original plan, which is delete all five of these files right now, and then I'll talk about stuff while time passes. So this, there, that goes away. So all of these files here, I've got to delete them. Okay, and now I've got to empty the trash. Okay, now they should be gone. I want to permanently erase them, and this is of course the issue. The same thing will happen on the PC: a box will come up, "You are permanently erasing this stuff, is that okay?" And that's of course the question: why, am I really permanently erasing that stuff or not? And the answer on SSD is, it's not that simple. If you get a forensic recovery tool like this one called Disk Drill, when I ran it a few minutes ago it found one file called spam, which is that temporary one created for some reason by the fact that I used a text editor, but I
can recover now. Um, I get lost, stay with basic, let me just go back. Okay, on the Macintosh SSD I can do a quick scan, which is all you need to do in this case, and let's see. I just deleted five more files and it was maybe 30 seconds ago. This scan will only take about a minute to run, and let's just see what the results are, because one of those files was deleted 5 or 10 minutes earlier. And anyway, while this is taking a minute to run, let me just tell you the result. The result, if you work on the desktop of a MacBook Air, is these files will vanish, but the time it takes for them to vanish is random, and it varies from 10 minutes to an hour. I did it about 10 times, made a graph. So the background garbage collection process on the Mac is random if you're doing things on the desktop.

Let me go down to here. Okay, desktop, and okay, this is, right now it has seven files in there. I don't know why I'm getting seven instead of five, but right now it was able to recover all the files. Now if you just wait and keep running this recovery tool, there will come a time when some of them vanish, and then like half an hour later the rest will all be gone. So there's some process
and I don't know what it is, happening in the background, erasing them. So I decided I wanted to make a tool to test this more precisely, so I made a command-line tool to do it. And what I did was make a partition just for this purpose, because I'm following that earlier paper from 2010, and they did it on a separate partition, and I decided that's the fun way to do it. So I took my Macintosh SSD and I partitioned it with the partition tool here, so it's got one big partition and it's got one little partition down here, which I named SSD, and that is just one gigabyte of partition. And after messing around with some bad scripts I was able to make a fun little, um, tool here to demonstrate this. Let me make this big. I'll probably do, okay. And then, uh, the program to run is evap one; got to run it as administrator.

All right, so, um, but what you have to do is you have to make that one-gig partition, give it the expected name, and make sure that the home directory points to some place, because it's got to store a gigabyte of temporary files on your normal hard drive, on your normal partition, which you'll copy the others. So now let me play with that partition. I'm going to, um, erase it by completely formatting the partition with the very newest Macintosh format, which is JHFS+, journaling, um, hierarchical file system. So now that volume is erased and I can scan it, and I'm scanning it by just use making an entire image of it, just printing, um, bytes scattered across the disk, so you get not everything on the disk, you get a random, you get a systematic sample of about 80 measurements of what's on that disk, um, spread across. So right now these minus signs show you that this disk is all zero. Right now there's nothing on there. So now I'm going to write some test files on there, and I've just made a bunch of text files that are A, B, C, D, E,
so I create a pattern on a disk. So now if you scan the disk you can see what's on there, just a list of ASCII characters going across. So now I'm going to delete those files with just a delete command and then scan it again, and you see, this is what SSD data evaporation does. And there are two things I want to point out. The first thing is it's instantaneous. It's so fast I can't detect how long it's taking; it seems to be just one second or less than that. And it's not perfect. It didn't get all of it; parts of the data are left. So this is what happens on SSDs if you have the very latest file system and the very latest operating system and the TRIM command enabled, so the SSD firmware is informed when you delete files, its background garbage collection does whatever it's going to do.

The problem is you can't erase one block on an SSD; you have to erase 640 contiguous blocks. And so if you erase a small file, or if you erase a fragmented file, when it comes around and it thinks it's time to clean up the garbage, there's parts of that file it will decide not to clean up until later, because you can only erase an SSD block so many times before it's worn out. So behind the scenes your controller is doing proprietary things they won't tell you, to arrange to not perform any unnecessary erase cycles and yet to perform erase cycles before it comes back to write again, because it's slow to erase, because it has to erase so much. So it's not okay to wait until you need that space and erase it just when you're going to use it, the way hard drives did. It has to proactively do garbage collection in the background, and that does mean, if you save something and you delete it and you want to answer this question, is that file still on there, the answer is maybe yes, maybe no, and maybe only part of it is still there, and maybe only part of it is still there until sometime in the future, in which case that part will vanish.

So this means when you're making a forensic image, not only are you not getting all the data, but the contents of the drive are changing while you're imaging it. And I've heard about this from anecdotes and people in the field: they're imaging an SSD, they calculate the MD5, they make another image and they get a different MD5, and they say, "My write blocker is broken, something's wrong, this is driving me mad." That's the way it's going to be. And by the way, it doesn't even always happen at all. That's why I have this earlier format available. If you make this partition with the older
HFS file system, so I'm just going to reformat that partition, and now if I scan it, it's all empty again. Now if I write stuff, put on all that stuff, oops, uh, I did the wrong thing. Uh, F to format it, and then S to scan it, and then to write the files, and what is it, uh, what is W, okay, good. W will write the test files on there, and then S will scan it and show that they're there, and D will delete all those files, and then S will scan it, and they're all still there. There is no longer any data evaporation on that volume at all, because I'm not using the very latest format.

And if you were using the Windows machine, which I'll demonstrate in a couple days at DEF CON, it depends on your BIOS settings. If your BIOS is set to use a, there's IDE emulation mode and then there's SATA mode. If you're not using SATA mode you will never see any evaporation, because of normal hard drives in the old ATA format, they will never, um, the IDE mode, they will never know that a file is deleted, because it doesn't support TRIM. And USB drives, it won't happen, because USB doesn't support TRIM. TRIM is the protocol needed for the drive controller to know you deleted a file; otherwise it doesn't know what's happened and it can't trigger this
garbage collection.

Anyway, the last, all I wanted to show you, I just wonder what's going to happen if I do this recovery again, because it could take up to an hour, so you might see the same thing. But right now we have seven files recovered in that folder, and so if I do it again I might get lucky and get some number other than seven. Should be a lower number if some of them have evaporated right now. And I do not understand this at all. This is the same physical hard drive showing two completely different time profiles for evaporation, and you need somebody to know the internals of Apple's controller to understand why and what other strange consequences there might be. That's why my answer to this was to make a tool so you can test it, because it's not simple at all. So if I had to answer any questions in court, I would want to just test with the same kind of SSD, and then I would know what to say.

Desktop, yeah, now there's only two files in there. That's perfect, that's what, so some of them evaporated, but not all of them. So you know, this is a WTF moment. Now when people ask me a question, I'm supposed to give a nice answer. I say, well, you know, maybe that data is there, maybe it's gone, maybe half of it's there, maybe it's there and it's going to vanish pretty soon before I can image it, and I'm sorry I sound like an idiot, that's the way it really is. That's what I wanted to tell you. Got any questions?

Are you going to put this out on GitHub so we can try it, or...

Uh, it's on my website if you want this stuff. Um, it's too simple to even go on GitHub; it's just a bash script, about 50 lines. I'm a real wimpy programmer, you know, nothing complicated. Just go to samsclass.info, and right here is my research stuff, and one of them is SSD evaporation, just right there. And I got a card if you want something with a piece
of paper with that URL on. But yeah, that's, um, that's where all my stuff is.

Great. Anything else? Well, I'll get out of the way. I don't know if there's another speaker or not; there might be.

Uh, you were currently the last one scheduled. Thank you so much.