
Self-Destructing SSD-Drive Evidence

Nearly a decade ago, solid state drives (SSDs) revolutionized computer storage, bringing blazing fast access speeds, low power consumption, and no moving parts. Along with these benefits came a severely restricted lifespan: an older SSD could only withstand so much wear before it started losing data. The limited number of write cycles remains a limitation today, and it is made worse by the ever-shrinking manufacturing process and by new types of NAND cells (namely TLC cells, which keep 3 bits of information per physical cell instead of 2 bits in MLC and a single bit in SLC cells). To overcome these limitations while continuously reducing the cost per gigabyte of storage, manufacturers perfected some very smart software algorithms. These algorithms distribute the load evenly among the cells, quickly remapping logical addresses to physical NAND cells so that the next write operation goes to the cell with the least wear.

Another limitation of flash memory is that new data can only be written into an empty (erased) cell. Once an SSD fills up, each subsequent write operation would involve erasing the content of a data block and then writing the new data into it. Since erasing flash cells is much slower than writing data, manufacturers implemented garbage collection algorithms that erase cells containing data that is no longer used by the system. How does the SSD controller know which data blocks are used and which are not? The operating system tells it by sending the controller a so-called ‘trim’ command. Once the trim command is sent, the controller ‘knows’ that certain data blocks are no longer used and adds them to the list of ‘dirty’ blocks, which are scheduled to be erased by the internal garbage collection algorithm.

At the same time, the system does not have to wait while a physical cell is erased. Should the system need to write a new data block, the SSD controller immediately assigns a new, empty flash cell to the logical address the OS is referring to. This is called remapping, and in today’s SSDs it occurs all the time. The big forensic question is: what happens to a ‘dirty’ data block then? Does its content disappear immediately, or can it still be extracted from the SSD? Today more than ever, the answer is “it depends”.

M.2: Thinner and Lighter SATA SSDs

M.2 is a form factor. Devices conforming to the M.2 form factor can use SATA, PCI-E or USB 3.0 connectivity. Most M.2 SSDs are SATA or PCI-E devices using AHCI as the logical interface; some high-end models use PCI-E connectivity with NVMe for interfacing. A laptop equipped with an M.2 SSD may or may not be able to use trim if it runs Windows 7.

Originally, SSDs were available only as 2.5” (notebook-size) disks, which was a real limitation when making ultra-portable devices. To overcome this problem, the industry adopted M.2, a relatively new form factor for SSD modules used in thin and light devices. M.2 devices feature a standard PCI-E connector. While most M.2 SSDs conform to the AHCI specification, supporting all the features of their full-size counterparts and being recognized by the OS as a standard SATA SSD, some models conform to the newer NVMe specification, which requires a different driver stack. Strictly speaking, an M.2 SSD can be one of the following:

- Legacy SATA. Many M.2 SSDs employ the legacy SATA connection and are interfaced through the AHCI driver. These M.2 drives behave no differently from standard 2.5” SSDs.
- PCI-E using AHCI. This standard is used for PCI-E SSDs that use PCI Express lanes for the connection and AHCI for interfacing with the device. These drives require the OS to include the correct drivers.
- PCI-E using NVMe. These are the fastest SSDs, but also the least compatible, as they are very new. Installing an NVMe drive into a PC without proper BIOS support may result in an unbootable system. Many motherboards cannot boot from NVMe drives; however, Windows can access such drives with the proper drivers even on an older motherboard. So far, we have not seen many of these, yet they are making their way into some high-end models.

PCI Express (PCI-E) SSDs

PCI-E, or PCI Express, is a physical connectivity standard. PCI-E SSDs are available in a wide range of form factors, including full-size desktop expansion boards, M.2, and proprietary and soldered portable storage solutions. PCI-E SSDs can use AHCI or NVMe for interfacing.

Technically, M.2 SSDs are PCI-E devices. However, the PCI-E specification is much broader than M.2, so manufacturers can produce proprietary PCI-E SSDs that do not conform to the M.2 standard and cannot be used in computers designed to accept M.2-compliant SSDs. PCI-E SSDs are most commonly used in certain high-end workstations (full-size form factor) as well as in some ultra-slim models (such as Apple’s MacBook 2015). These proprietary storage devices attach directly to the computer’s PCI-E bus and require the OS to use the correct driver. Most but not all PCI-E SSDs support the same technologies as their full-size SATA-connected counterparts. Depending on the driver version, OS version, and model of the PCI-E SSD, these disks may or may not work correctly with trim. On a logical level, PCI-E SSDs can work via the AHCI or NVMe interface. In general, the following compatibility matrix applies to PCI-E SSDs:

- Mac OS X: trimming is supported on all Apple devices with factory-installed PCI-E SSDs.
- MacBook computers running Windows: Apple MacBooks use proprietary PCI-E SSDs. Normally, Apple Boot Camp is used to install Windows as a dual-boot or sole OS. In these configurations, trim pass-through is supported where applicable (see below).
- Windows: trim support for PCI-E drives depends on the Windows version and the presence of the correct driver.
  - Windows 7: trim is not supported on PCI-E drives regardless of the drivers, even if the PCI-E SSD would accept the command.
  - Windows 8, 8.1 and Windows 10: trim is supported with native Microsoft drivers. Trimming in NVMe-based PCI-E SSDs is also supported. Devices using the SCSI driver stack support ‘unmap’, which is a full analog of the SATA trim command.

NVM Express (NVMe) SSDs

NVMe is a modern logical interface specification that replaces the old AHCI. NVMe is employed in certain high-end PCI-E SSD models in various form factors. Apple’s MacBook 2015 uses the NVMe interface on a proprietary SSD soldered to the motherboard. NVMe is still fairly new, and some motherboards fail to recognize NVMe storage as a bootable device.

NVM Express, or NVMe, is a relatively new logical drive interface for implementing non-volatile storage over a PCI Express (PCI-E) bus. NVMe was designed from the ground up to take advantage of the low latency and internal parallelism of flash-based storage devices. Just as SATA SSDs exist as 2.5” drives and as slim M.2 boards, NVM Express devices are available as full-size PCI Express expansion cards, laptop-size boards, and 2.5” drives that look like SATA SSDs but use a PCI Express interface through the U.2 connector instead of a SATA port. NVMe includes trim support as part of its optional command set. In real-life scenarios, NVMe SSDs are typically found in high-end systems that are properly configured to enable data trimming.

Imaging M.2 and PCI-E SSDs

Forensic imaging of storage devices has its own demands. In particular, connecting through a write-blocking device is an obligatory requirement in digital forensics. Imaging an M.2 or PCI-E SSD requires a dedicated adapter. At this time, there are very few forensic disk imaging solutions targeting M.2 or PCI-E storage devices. Considering that there are at least three different types of M.2 SSDs (here we will not discuss the differences between B-key and M-key connectors), you are looking for a solution that supports M.2 SATA (AHCI), M.2 PCI-E (AHCI) and M.2 PCI-E (NVMe) devices.

One solution that supports all three types of M.2 SSDs (albeit with M-key connectors only) is Atola DiskSense. The M.2 SSD is first connected to an adapter, then plugged into the imaging unit. Full support is available for SATA devices, while essential features (such as imaging and damaged drive support) are provided for PCI-E drives. Atola DiskSense creates forensically sound disk images that can be analyzed with your forensic tool of choice. Our preferred software is Belkasoft Evidence Center, an integrated solution for forensic analysis of computers and mobile devices with support for 700 types of digital evidence: pictures and videos, documents, mobile apps, encrypted files and volumes, data from browsers, instant messengers, clouds and social media, system files, registries, SQLite databases, and more. Atola DiskSense is included in the Computer Acquisition Module for Evidence Center. Together with a portable RAM capturing tool, this combination of software and hardware will allow you to cover the full forensic cycle from acquisition to evidence discovery, analysis, and reporting. Evidence Center can mount and analyze disk images created by Atola DiskSense, as well as many other types of images.

Imaging Apple Proprietary PCI-E SSDs

Apple-made SSDs used in full-size MacBooks employ proprietary connectors. In addition to being PCI-E, Apple’s SSDs are also NVMe (as opposed to being AHCI-compliant). Forensic solutions for reading NVMe drives are virtually non-existent, while finding forensic-grade hardware for acquiring Apple proprietary SSDs can be plain difficult.
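The remapping, trim and garbage-collection behaviour described at the start of this article, modelled as a toy flash translation layer. This is an added illustration written for this page, not code from any SSD vendor or forensic tool; the `ToySsd` class, its block counts and the sample data are constructed, and real controllers differ in wear-leveling policy and in when garbage collection actually runs.

```python
# Toy flash translation layer showing the behaviour the article describes: remap on
# write, trim marking cells dirty, background garbage collection. Added illustration.

class ToySsd:
    def __init__(self, physical_blocks):
        self.nand = {}      # physical block -> bytes physically stored in NAND
        self.mapping = {}   # logical block address -> physical block
        self.dirty = []     # superseded or trimmed blocks awaiting erase
        self.wear = {p: 0 for p in range(physical_blocks)}  # erase count per block

    def write(self, lba, data):
        # Flash cannot be overwritten in place: the old cell becomes dirty and the
        # least-worn erased cell is remapped to the logical address (wear leveling).
        if lba in self.mapping:
            self.dirty.append(self.mapping[lba])
        used = set(self.mapping.values()) | set(self.dirty)
        free = [p for p in self.wear if p not in used]
        if not free:
            raise RuntimeError("no erased cells left: run garbage_collect() first")
        p = min(free, key=self.wear.get)
        self.nand[p] = data
        self.mapping[lba] = p

    def trim(self, lba):
        # OS trim command: the controller now 'knows' the block is unused.
        p = self.mapping.pop(lba, None)
        if p is not None:
            self.dirty.append(p)

    def read(self, lba):
        # Logical view, i.e. what the OS or a logical-level image sees.
        p = self.mapping.get(lba)
        return self.nand[p] if p is not None else None

    def garbage_collect(self):
        # Erase dirty cells; content leaves the NAND only when this runs.
        for p in self.dirty:
            self.nand.pop(p, None)
            self.wear[p] += 1
        erased, self.dirty = len(self.dirty), []
        return erased

def trim_scenario():
    """Return (logical read after trim, on NAND before GC, on NAND after GC)."""
    ssd = ToySsd(physical_blocks=4)
    ssd.write(0, b"evidence")
    ssd.trim(0)
    before = b"evidence" in ssd.nand.values()
    ssd.garbage_collect()
    return ssd.read(0), before, b"evidence" in ssd.nand.values()
```

The scenario shows why the forensic answer is "it depends": a logical read returns nothing as soon as the block is trimmed, but the bytes stay in NAND until the controller's garbage collector gets around to erasing them.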


Spam in a Van: 39 Things a Good Surveillance Operative Knows

What the Good Surveillance Operative Knows

On the journey to becoming a Good Surveillance Operative, you should gain a true and deep understanding of the tradecraft and the surveillance profession—and wear it like a second skin. Here are a few articles of faith:

A Good Surveillance Operative…

1. Is nimble, flexible and understands what is required from the profession.
2. Relies on tried-and-true tradecraft and embraces new techniques and modern surveillance technology.
3. Knows when to be covert and when to be overt—in a covert way.
4. Has all the necessary equipment of their trade but needs only the most basic tools to accomplish their mission.
5. Embraces the daily grind and continually works at improving their tradecraft.
6. Understands the general rule of law and how to accomplish their operations within the generous shade of her boundaries.
7. Knows that you must “get comfortable with being uncomfortable.” Whether it’s sitting in surveillance vehicles on brutally hot or freezing cold days, surveilling a subject in a tough neighborhood, following vehicles in heavy rush hour traffic or on remote country roads, knocking on someone’s door at night to gather information, or being available 24/7/365 – to name a few “minor” inconveniences.
8. Will melt into the background, wherever they happen to be. “The trick is NOT to be tricky. The trick is NOT to be invisible. The trick is to be unremarkable.”
9. Knows the trade lingo, like: the subject and I got the eyeball; blockers and bracketing; get set up; burrow in; grab that plate; get an I.D. shot; whiz bottle; dumpster dive; choke points; spot-checks; head to the rez; the difference between fixed and mobile and foot and covert surveillance; getting burned and made; acting hinky and leapfrogging; backing off and pulling off; re-engaging and going in; following from the front; soft-tails and parallel tails; progressive tails and hard-tails; hook a chain to his bumper; camo up; got rolled up on; make a scam call; lost contact; got a fix on ’em; nailed ’em; and terminated for the day.
10. Knows the importance of Human Intelligence (HUMINT) and is constantly maintaining sources of information and cultivating new sources.
11. Understands that surveillance is, in part, about falling into the routine and rhythm of your subject. People are creatures of habit, and those habits and routines are there for the operative to exploit.
12. Understands that streaks and slumps are part of the surveillance game.
13. Understands the importance of redundant systems and has a backup video camera, extra camera batteries and video cards, various covert body cams, extra surveillance vehicle keys, pens and paper, and pee bottles. Also has an assortment of props to change their look, with hats and coats and canes and glasses and magnetic signs for their vehicle.
14. Knows that equipment will on occasion fail or not match the situational requirements, and that it is necessary to practice with and test equipment in the field on a consistent basis.
15. Does NOT tempt the surveillance gods by being braggadocious or boastful.
16. Speaks of their exploits in vague terms and only to the most confidential of associates.
17. Knows the importance of “local knowledge” and what a plus it is (versus “parachuting in” to unknown territory).
18. Seeks out potential clients and is customer-service oriented. Is patient with clients and does not take them for granted—without customers, there is no work.
19. Provides unbiased reports of their findings, despite what the client may believe—and despite what the client may want to hear.
20. Knows that during surveillance, an operative may need to show sincere restraint, and that sometimes an operative must boldly attack.
21. Knows their limits, both physically and intellectually, and seeks a spiritual balance.
22. Knows the importance of taking notes, properly briefing clients, and writing reports. Report-writing is a fundamental skill that must be developed over time, and it is essential to take good notes in order to write good reports. If it isn’t written down, it didn’t happen.
23. Knows that they must ALSO have strong fact-finding and intelligence-gathering skills, i.e. locating and analyzing open-source intelligence and interviewing people. Routinely seeks the advice of more experienced surveillance operatives.
24. Knows that they must not approach all cases the same way, even if cases seem similar. Carefully considers numerous factors, such as surveillance locations, the subject’s background, the timeline of the case, whether the case has been worked before, whether an operative has been burned by the subject before, whether the subject has legal representation, the authorized budget, and counter-surveillance issues—to name but a few.
25. Maintains calm, even amid an inner storm of personal doubts and fears and external storms of raging voices and complaints.
26. Knows the effects of adrenalin on the body and mind. In a rush, anyone may lock keys in a surveillance vehicle, drop things, catastrophically misspeak, or experience explosive bowel or bladder failure. That’s why a good operative remembers to take a breath and check himself before leaving the scene: spectacles, testicles, wallet, and cell phone.
27. Is the first to recognize when he has made a mistake, and the last to take credit when things go well.
28. Is self-aware, confident and humble, NOT egocentric, narcissistic or conceited.
29. Approaches each mission like a wolf attacking its prey but also has empathy for their subject—BUT does not let the latter affect the former.
30. Eschews other professional distractions. Surveillance and intelligence gathering are all they know and all they do.
31. Knows the importance of having an appropriate cover story, and that the best cover stories are very simple, with very few moving parts to juggle or lies to remember.
32. Knows when to use a magnifying glass and when to use a sledgehammer.
33. Needs neither badge nor gun to accomplish their mission.
34. Knows that in order to be successful in the surveillance game, grit, guile, and common sense are required.
35. Understands that surveillance work can be feast or famine. But no matter how slow the work is, another assignment is just around the corner.
36. Does NOT refer to himself as a Good Surveillance Operative, nor does he judge other surveillance operatives, in the much-beloved tradition of the Monday Morning Quarterback.
37. Knows how to fuse professional life and personal life, so that the two may coexist.
38. Knows that their work may go unappreciated and unrecognized, and that they will receive very little credit for the important case intelligence they gathered or the millions of dollars they saved their clients. And they are okay with that.
39. Knows that sometimes, despite performing only minimal effort, an operation may go really well, and they will look like a Good Surveillance Operative. And sometimes, despite superior effort, an operation may go poorly, and they will look like an idiot.



A Rated Investigations is a Private Investigative Firm located in Bergen County, New Jersey.