That’s the title –without the question mark– of a report appearing in the Journal of Digital Forensics, Security, and Law (JDFSL). If there were a question, I think the answer is an emphatic Yes, and it affects technologists and attorneys alike.

SSDs changing the technical and legal landscape

The report posits –and I agree– that the fact we computer forensics analysts have had access to a treasure trove of evidence found as deleted files and slack file space was just good fortune taken for granted, because the natural state of modern digital storage is not to ‘preserve deleted data’ as magnetic drives have done for the past few decades, but rather to purge deleted files to improve read and write speeds.

According to the article, we should be aware that a “paradigm shift” is taking place in technology storage from magnetic hard drives to solid-state drives (SSDs); that solid-state drives have the “capacity to destroy evidence catastrophically under their own volition;” that it is “imprudent and potentially reckless to rely on existing evidence collection processes and procedures;” and that conventional assumptions about the behaviour of storage media are no longer valid. Id.

Why computer forensics analysts should care about SSDs:

In summation, report authors Bell & Boddington note that the latest generation of SSDs on the market (of which I own three) use firmware controllers to distribute data equally across the drive’s blocks, so that the blocks are accessed and used equally over time; and they use a “garbage collection” process to identify deleted or slack file data so as to make these blocks available for reuse subject to the aforesaid equal allocation. The authors further posit that, because the garbage collection runs within the SSD (just by turning it on), using a write-blocker on the SSD during an investigation will have no effect; i.e., evidence spoliation will resume as soon as the SSD is energized (which it must be for data to be retrieved from it). The end result is that deleted data and slack-file evidence, which historically has yielded an abundance of fruit in digital forensics investigations, is no longer persistent.

 

Why litigators should care about SSDs:

The following may be welcome news to defense attorneys, as authors Bell & Boddington warn:

  • that data stored on all types of solid-state drives “should be immediately and henceforth considered to be a ‘grey area’ as far as forensic recovery and legal validation are concerned until extensive studies have been made of drive and data behavior;”
  • that evidence spoliation may take place extremely suddenly, extremely quickly and automatically without human awareness or control;
  • that present-day evidence indicating ‘no data’ does not authoritatively prove that data did not exist at the time of capture;
  • that evidence of deleted data being permanently erased or partially corrupted is not evidence of intentional permanent erasure or corruption;
  • that hashes not matching at the end of a forensic analysis should be evaluated to establish if the original or subsequent images could have been taken during or after a garbage collection;
  • that past metadata and data blocks may be deleted without warning and without the opportunity to realise that they had existed at time of capture;
  • that quick-formatting of disks is a reasonable activity that an innocent person might choose to do to improve performance, tidy up a disk, etc., yet may completely eradicate evidence from a disk within minutes;
  • that there are no longer any guarantees for previously deleted file data to be preserved on an SSD, regardless of whether the drive image was taken during a ‘live’ capture of evidence or following a ‘dead’ capture of evidence;
  • that drives can clearly self-modify their data after physical evidence has been gathered, despite best practice efforts by forensic analysts to prevent such behavior using traditionally effective write-blockers;
  • that it would be an unwise investment of time for analysts to try to develop workaround procedures that operate against the drive controller behavior specifically identified, because new firmware & models are regularly released;
  • that it would be imprudent to develop procedures for physical asset capture whereby operators attempt to distinguish SSDs from HDDs, because of the similar physical appearance of the drives and the need to gain access to the computer’s internals, and because hybrid disks incorporate both HDD and SSD technologies;
  • that it is unwise to assume that irreversible file erasure suggests intent to destroy evidence in cases where a defendant has quick-formatted a SSD drive prior to police seizure; and
  • that the issues identified in the Bell & Boddington report will later come to affect large USB flash drives as well.
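The hash-mismatch point in the list above can be triaged block by block. The following Python sketch is an added example, not code from the Bell & Boddington report: it compares two acquisitions of the same drive and separates blocks that went from data to an erased pattern from blocks that now hold different data. The 4096-byte block size and the assumption that garbage-collected blocks read back as all 0x00 or all 0xFF are illustrative assumptions, and the sample images are constructed.

```python
import hashlib

BLOCK = 4096  # comparison granularity in bytes (assumption, not from the report)

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def classify_changes(first: bytes, second: bytes, block: int = BLOCK) -> dict:
    """Compare two acquisitions of the same drive block by block.

    'wiped'    : block differs and reads as all 0x00 or all 0xFF in the second image
    'modified' : block differs and the second image holds other data
    """
    if len(first) != len(second):
        raise ValueError("images differ in size; not two acquisitions of one drive")
    report = {"match": sha256(first) == sha256(second), "wiped": [], "modified": []}
    for off in range(0, len(first), block):
        a, b = first[off:off + block], second[off:off + block]
        if a == b:
            continue
        # Assumption: an erased block reads back as a uniform 0x00 or 0xFF fill.
        erased = b.count(0) == len(b) or b.count(0xFF) == len(b)
        report["wiped" if erased else "modified"].append(off // block)
    return report

def consistent_with_gc(report: dict) -> bool:
    """True when the hashes differ and every difference is a block that became erased."""
    return not report["match"] and bool(report["wiped"]) and not report["modified"]

def demo() -> dict:
    # Constructed sample: 8 blocks; block 1 is a live file,
    # blocks 3 and 5 hold remnants of deleted files.
    blocks = [bytes(BLOCK) for _ in range(8)]
    blocks[1] = b"LIVE" * (BLOCK // 4)
    blocks[3] = b"DEL1" * (BLOCK // 4)
    blocks[5] = b"DEL2" * (BLOCK // 4)
    first = b"".join(blocks)
    # Second acquisition: the deleted-file blocks now read as erased.
    blocks[3] = bytes(BLOCK)
    blocks[5] = b"\xff" * BLOCK
    second = b"".join(blocks)
    return classify_changes(first, second)

if __name__ == "__main__":
    result = demo()
    print(result, consistent_with_gc(result))
```

A result with only wiped blocks is consistent with garbage collection having run between acquisitions; it does not prove it, and any modified block calls for a different explanation.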

Mobile devices changing the technical and legal landscape

Perhaps needless to say, mobile devices are pervasive and, to a growing extent, replacing traditional PCs in the home. Some PC users, who have been besieged with and befuddled by malware, spyware, computer viruses, and maintaining a complex operating system (viz. Microsoft Windows), have replaced their computers with tablets and other devices, including Apple’s iPad, Sony WebTV, Samsung Galaxy, inter alia. Some people I know have even substituted their trouble-prone PCs with ordinary smartphones (iPhone, Android, inter alia).

Because mobile devices use a variety of operating systems, file systems, and data storage models; and because some are proprietary and, perhaps, not subject to standards (or, at best, subject to rapidly evolving standards); and because some use proprietary hardware connections and protocols, an ordinary computer forensics analyst with expertise in Windows, Macintosh, or Linux has not the skills, software, or hardware to conduct a competent analysis.  Further, the technology is evolving and being released with blinding speed.

Cloud computing changing the technical and legal landscape

Cloud computing is defined by the National Institute of Standards and Technology (NIST) as “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

For companies, this may mean entrusting either data or computing resources or both to other companies’ data centers, like Microsoft (NASDAQ:MSFT), Salesforce (NYSE:CRM), or EMC (NYSE:EMC). For private individuals, it may mean entrusting personal data from their computer or mobile devices to, for example, Apple’s MobileMe, or Motorola’s Motoblur.

Cloud computing raises digital evidence challenges regarding the location of potential responsive data, preservation, and analysis. Because data can be stored anywhere in the world, it may reside in a jurisdiction where subpoena power or privacy laws are non-existent or not enforced, and establishing a chain of custody might prove difficult or impossible, where data integrity and authenticity (where was it stored, who had access to it, was data leaked, was the data commingled, etc.) cannot be fully ascertained.  Moreover, data entrusted to the cloud may be logically  (and certainly physically) disassociated from the local metadata usually accompanying it (e.g., registry entries, temp files, etc.) and which may not exist in the virtual/cloud environment.  For example, modifying data in a cloud environment, rather than locally, might be less likely to result in metadata written to a client device’s hard-drive (if it has one), and more likely to reside in the packets and client or host server logs, if applicable.

Conclusion

The foregoing is a summary, not an exhaustive discussion, of three challenges facing the discipline and profession of digital forensics examinations and electronic discovery. Computer forensics examiners will be hard-pressed to stay current, to diversify, and to rely on a network of referral partners in order to understand and meet their clients’ needs. Lawyers will need to understand how these developments may hurt or help their clients’ causes, and to become even more vigilant in selecting a digital forensics consultant to identify what expertise is needed in a particular case. Finally, it will be the lawyers’ responsibility, and not the experts’ or the courts’, to understand these developments and educate the judiciary on their import, lest the outcome of justice be the result of ignorance.