Saturday, September 26, 2015

Android to iPhone: Day 0

After 4 years of being a loyal Android user, I've decided to try iOS. The primary reasons were better security, privacy, applications, and support.

The release of the iPhone 6S couldn't have come at a better time. My Oneplus One had been crippled by a variety of hardware issues, including the commonly cited touchscreen grounding issue that essentially bricked the phone in humid environments, as well as problems with WiFi and USB connectivity. The massive 5.5in screen was great to look at but made one-handed use a chore and wasn't comfortable in my pockets.

Before I go into my initial experiences, I wanted to review the primary reasons I made the jump:

Security: 

iOS is more secure than Android. While a non-rooted Android phone is mostly safe from malicious applications, Google can't patch discovered vulnerabilities on most Android phones.
The insistence of major manufacturers and carriers on making their own "flavors" of Android also means those manufacturers are the only ones who can patch phones. Why is this a big deal?
Imagine if a new Windows zero-day exploit was discovered but you couldn't download a patch from Microsoft: rather, you have to wait for HP, Dell, or Lenovo to release their own version of the patch. This is the reality for Android users, who remain vulnerable to discovered threats for an unacceptably long time.
For example, Stagefright was discovered in July 2015 and wasn't patched on the Galaxy S4 for Verizon until late August.
iOS, of course, benefits from Apple's total control over the ecosystem which results in much faster vulnerability patching.

Privacy: 

Security and privacy are related. To me, security is concerned with compromise of personal information without user consent, while privacy relates to giving away information with a user's consent, usually through 20 page EULAs that no one reads. 
Digital privacy often boils down to business models. Apple is in the business of (primarily) selling phones, and they are very good at doing that: estimates of per-unit profit margins on iPhones are around 70%.
Google, on the other hand, is in the business of selling ads: it gives Android away because the OS gives Google better access to and more information about users. Google has a business incentive to collect data on its users because it makes them more valuable to Google's actual customers: advertisers. 
While the personal information Google tracks certainly makes the Android experience better in some ways, it also hurts if you're against the notion of a company (and by extension, the government) knowing the most intimate details of your private life. 
Apple, for example, uses public key encryption in iMessage, making it impossible for anyone besides the end users to read the contents of messages. One of the main reasons why similar encryption for Gmail isn't enabled is because Google needs to be able to read your emails to give you targeted ads.

Applications: 

iOS often gets new applications and updates before Android. This is ironic because Android has a bigger app store and it technically costs less to develop on Android: the SDK is free while Apple's SDK costs 100 dollars and only runs on Macs. 
My mobile developer friends, however, say most companies write for iOS first due to ease of development and profits. Since there are only a few models of iPhones out there, iOS developers don't have to worry about supporting dozens of different hardware configurations as Android developers must. 
Furthermore, iPhone users are generally more willing to pay for apps while Android users are accustomed to free, ad-supported apps. This also leads to some low quality apps in the Android Market: for example, the flashlight app that needs network and location access to serve me targeted banner ads.

Support: 

With an essential tool like a smartphone, fast customer service is essential, and Apple is well-known for speedy customer service. When my Oneplus One started encountering issues months ago, I was stuck: to fix it under warranty, I'd have to send it to China and wait at least 3 weeks for them to ship it back. 
This was of course a huge problem: I couldn't be without my phone for 2 days, much less a month, and I didn't have a spare. With an iPhone, however, I can expect to walk into an Apple store for a warranty repair or exchange within a few hours. Android manufacturers don't have the luxury of 70% unit margins to provide such class-leading service.
As a college student, spending $800 on a phone (or paying even more over 2 years under a contract) was untenable. So when I finally got a full-time job, I preordered the 64GB iPhone 6S and it came on launch day: I hadn't been this excited for a new piece of tech in a long time. 
I'll update this blog tomorrow with my initial setup experience.

Thursday, June 18, 2015

Unique Challenges in SSD Forensics

Introduction

In today’s computers, traditional hard disk drives (HDDs) are being rendered obsolete by solid state drives (SSDs) that are faster, smaller, and more reliable. (Domingo, 2015) SSDs accounted for 13.6% of total PC storage sold in 2013, but are predicted to account for over 33% in 2017. (Kingsley-Hughes, 2013) Popular computers like Apple’s Macbook Pro and Air lines now exclusively use SSD memory. From the user’s perspective, an SSD is a drop-in replacement for a HDD, but their underlying method of operation is fundamentally different and presents several unique challenges to forensic investigators.

SSD Method of Operation

Consumer SSDs consist of multiple NAND flash memory cells, where data is stored, and a microcontroller that interfaces between the memory cells and the computer. It is much faster to read NAND flash memory than to write to it, and manufacturers of SSDs have employed a variety of techniques such as TRIM, wear-leveling, hardware compression, and overprovisioning to overcome the slow write speeds of NAND flash. These technologies impact the ability of forensic investigators to make forensically sound copies of SSDs and recover deleted data.

TRIM

How It Works

Unlike magnetic storage like HDDs, the NAND flash storage used in SSDs needs to be erased before being re-written. Data is written to NAND memory in “pages” of 4 or 8KB each, but can only be erased in “blocks” that contain hundreds of pages. Since erasing and re-writing hundreds of pages is a slow operation, SSDs write data to empty pages first rather than erase deleted blocks. If this behavior were left unchecked, however, the SSD would suffer severe performance degradation once the empty space had been used up. The TRIM function was created to prevent this from happening by telling SSD controllers to erase deleted blocks as part of a background process. When data is deleted or re-written with TRIM enabled, the SSD queues the block to a background process known as the “garbage collector”, which erases the blocks during idle time. As a result, the performance impact of erasing deleted blocks is hidden from the user and fresh blocks remain available for writing. Practically all modern SSDs support TRIM. (Gubanov, 2012) (Belkasoft, 2014)

TRIM’s Impact on Forensics

Since TRIM commands are executed by the SSD microcontroller, they are impossible to stop once started. TRIM commands will finish even if the SSD is power cycled. Additionally, a re-format command will cause TRIM to clear the whole partition. This means that a forensic investigator will not be able to read deleted data from a TRIM-enabled SSD, and users can effectively erase whole partitions just seconds before acquisition.
There is a notable exception to this, however, involving files smaller than 2MB. Since these files will take up less than 1 block of NAND space, they will not be subject to TRIM if that same block also contains part of a non-deleted file. There are several other limitations: TRIM is disabled if the operating system doesn’t support it or if the physical interface doesn’t transmit TRIM commands. The USB interface, for example, doesn’t support TRIM and therefore deleted data may be recovered from external USB SSDs. (Belkasoft, 2014) Generally, pre-configured PCs with internal SSDs will have TRIM properly configured.
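The small-file exception above follows from the page/block geometry: garbage collection can only erase a whole block, so a deleted page that shares its block with a live page stays on the chip. The following toy model is an added example, not code from the original essay; its geometry (4 KiB pages, 64 pages per block), its append-only allocator, and its rule that a block is erased only when every page in it is invalid are constructed simplifications of what a real controller does.

```python
"""Toy model of NAND pages/blocks under TRIM plus garbage collection.

Added illustration (not from the original essay). Sizes and the file layout
are constructed: a deleted file that shares a block with live data survives
garbage collection, while a deleted file that fills whole blocks is erased.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PAGE_SIZE = 4096
PAGES_PER_BLOCK = 64          # constructed; real drives use hundreds of pages per block
BLOCK_SIZE = PAGE_SIZE * PAGES_PER_BLOCK

Addr = Tuple[int, int]        # (block index, page index)


@dataclass
class Page:
    data: Optional[bytes] = None   # None means the page is erased
    valid: bool = False            # False means trimmed (logically deleted) or erased


@dataclass
class SSD:
    n_blocks: int
    blocks: List[List[Page]] = field(init=False)
    next_free: int = 0             # simple append-only allocator: always write to fresh pages

    def __post_init__(self) -> None:
        self.blocks = [[Page() for _ in range(PAGES_PER_BLOCK)] for _ in range(self.n_blocks)]

    def write(self, data: bytes) -> List[Addr]:
        """Write data page by page into fresh pages; return the addresses used."""
        addrs: List[Addr] = []
        for off in range(0, len(data), PAGE_SIZE):
            b, p = divmod(self.next_free, PAGES_PER_BLOCK)
            if b >= self.n_blocks:
                raise RuntimeError("out of space")
            self.blocks[b][p] = Page(data[off:off + PAGE_SIZE], valid=True)
            addrs.append((b, p))
            self.next_free += 1
        return addrs

    def trim(self, addrs: List[Addr]) -> None:
        """Host-issued TRIM: mark pages invalid. Bytes remain until garbage collection."""
        for b, p in addrs:
            self.blocks[b][p].valid = False

    def garbage_collect(self) -> int:
        """Erase every block holding no valid page; return how many were erased."""
        erased = 0
        for block in self.blocks:
            if any(pg.valid for pg in block):
                continue           # mixed block: live pages pin the deleted pages in place
            if any(pg.data is not None for pg in block):
                for pg in block:
                    pg.data = None
                erased += 1
        return erased

    def recoverable(self, addrs: List[Addr]) -> bytes:
        """Chip-off style read: whatever bytes still survive at the given addresses."""
        return b"".join(self.blocks[b][p].data or b"" for b, p in addrs)


def demo() -> dict:
    """Delete one large and one small file, run garbage collection, see what survives."""
    ssd = SSD(n_blocks=8)
    big = bytes([0xAA]) * (2 * BLOCK_SIZE)       # constructed 512 KiB file: exactly two blocks
    small = b"small deleted file"                # fits in one page of the third block
    live = b"live file in the same block"        # lands in the next page of that block
    big_addrs = ssd.write(big)
    small_addrs = ssd.write(small)
    live_addrs = ssd.write(live)
    ssd.trim(big_addrs)
    ssd.trim(small_addrs)
    erased = ssd.garbage_collect()
    return {
        "blocks_erased": erased,
        "big_recovered_bytes": len(ssd.recoverable(big_addrs)),
        "small_recovered": ssd.recoverable(small_addrs),
        "live_intact": ssd.recoverable(live_addrs) == live,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` erases the two blocks the large file filled (nothing of it is recoverable), while the small deleted file is still readable because the live file in its block keeps the block from being erased.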

Wear-Leveling

How it Works

Wear-leveling is a feature in SSDs that increases speed and longevity by distributing data across the whole drive. NAND has limited life compared to HDDs: each block on a NAND chip can only be erased 10 to 100 thousand times before becoming unusable. To ensure no blocks fail prematurely, SSD manufacturers built wear-leveling algorithms into SSD microcontrollers to ensure that each memory block is written to equally. There are two types of wear-leveling: dynamic wear-leveling algorithms distribute new data across the blocks with the least number of previous writes, and static wear-leveling also cycles existing data out of less-used blocks so that all blocks can be written to equally. (Memon, 2009) Both of these types of wear-leveling hinder the abilities of forensic investigators.

Wear-Leveling’s Impact on Forensics

Dynamic and static wear-leveling result in extreme fragmentation of data in the physical NAND chips, since data is not stored sequentially but rather in whatever blocks have the least number of previous writes. This fragmentation is not predictable. If the chips were to be removed from the SSD to be examined with a custom-built reader, a process known as chip-off, it is difficult and sometimes impossible to re-combine the resulting data into whole files. (Memon, 2009)
Static wear-leveling presents the additional challenge of invalidating cryptographic hashes. Forensic investigators generate a cryptographic hash of an acquired drive before and after imaging the drive to prove that the drive was not tampered with during the process. They also take a hash of the image and compare it to the hash of the drive to ensure that their image is a perfect copy of the original. If the drive is an SSD with static wear-leveling, however, the wear-leveling process can move blocks around in the background as soon as the drive is powered on, resulting in a different hash before and after imaging. The wear-leveling process, like TRIM, is executed by the SSD’s internal microcontroller and therefore cannot be stopped unless the NAND chips are physically removed from the circuit board. (Wiebe, 2013)
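The three-hash procedure described above (drive before imaging, the image, drive after imaging) is worth writing down as a check, because the three comparisons fail in distinguishable ways and an examiner should record which one happened. The routine below is an added example, not from the original essay; the "drive" and "image" are in-memory byte buffers standing in for a block device and an image file, the chunked reader is how one would stream a real device, and the single-byte change made after imaging is a constructed stand-in for the background controller activity the essay describes.

```python
"""Hash-verify a disk acquisition and classify the outcome.

Added illustration (not from the original essay). Streams stand in for a
block device and an image file; the outcome labels are this example's own.
"""
import hashlib
import io
from typing import BinaryIO


def sha256_stream(src: BinaryIO, chunk_size: int = 1 << 20) -> str:
    """Hash a seekable stream from its start in chunks; return the hex digest."""
    h = hashlib.sha256()
    src.seek(0)
    for chunk in iter(lambda: src.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def acquire(drive: BinaryIO, image: BinaryIO, chunk_size: int = 1 << 20) -> None:
    """Stream a bit-for-bit copy of drive into image."""
    drive.seek(0)
    for chunk in iter(lambda: drive.read(chunk_size), b""):
        image.write(chunk)


def verify_acquisition(pre_hash: str, image_hash: str, post_hash: str) -> str:
    """Classify the three hashes an imaging run produces.

    verified                       all three agree: the textbook outcome
    image-ok-source-changed        image matches the drive as first read, but the
                                   drive read differently afterwards (background
                                   controller activity on an SSD can cause this);
                                   the image still reflects the pre-acquisition state
    source-changed-during-imaging  image matches the drive's later state, not its
                                   earlier one: the drive changed while being read
    image-corrupt                  image matches neither drive read: acquisition error
    """
    if pre_hash == image_hash == post_hash:
        return "verified"
    if pre_hash == image_hash:
        return "image-ok-source-changed"
    if image_hash == post_hash:
        return "source-changed-during-imaging"
    return "image-corrupt"


def demo() -> dict:
    """Image a constructed 64 KiB drive, then alter one byte to mimic background activity."""
    drive = io.BytesIO(bytes(range(256)) * 256)   # constructed drive contents
    image = io.BytesIO()
    pre = sha256_stream(drive)
    acquire(drive, image)
    img = sha256_stream(image)
    drive.seek(1000)
    drive.write(b"\xff")                          # constructed post-imaging change
    post = sha256_stream(drive)
    return {
        "image_matches_pre": pre == img,
        "post_matches_pre": pre == post,
        "outcome": verify_acquisition(pre, img, post),
        "outcome_if_unchanged": verify_acquisition(pre, img, pre),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the classifier is the middle case: when the image hash equals the pre-acquisition hash but the post-acquisition hash differs, the image is still a faithful copy of what the drive presented when first read, and the note in the case file should say the source changed after imaging rather than that the image failed verification.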

Compressing Controllers

How it Works

As explained earlier, the NAND flash chips used in SSDs have limited read-write lifespans. To prolong the life of NAND chips, some SSD manufacturers use microcontrollers (Sandforce is a well-known brand) that compress data on the fly before writing it to NAND. By reducing the amount of data written to the NAND cells, compressing controllers can significantly improve the lifespan of SSDs. (Memon, 2009)

Compressing Controllers’ Effect on Forensics

Since these compression algorithms are proprietary to the chipset manufacturer, there’s currently no way to decompress data through off-chip analysis short of sending the drive to the manufacturer. This is an expensive and time-consuming process that is reserved for only the most critical investigations. If a forensic investigator acquires a drive equipped with a compressing controller, the only option is to acquire the image through the SSD’s interface and risk forensic spoilage as a result of static wear-leveling.

Overprovisioning and Secure Erase

How it Works

Since NAND blocks have limited life expectancy, SSD manufacturers often incorporate extra NAND capacity in their devices to take the place of prematurely failing NAND. This practice is known as overprovisioning. Since this extra memory is not directly accessible to the consumer, concerns were raised by the US government about the ability to securely erase the contents of SSDs. The secure erase command addresses this concern by sending a TRIM command to every available block on the SSD, including these “backup” blocks. When properly implemented, secure erase completely destroys all data on the SSD. (Gubanov, 2012)

Secure Erase’s Effect on Forensics

Using secure erase, an SSD user can destroy digital evidence much faster than with a HDD. Secure erase takes just minutes rather than hours as in HDDs, so it’s feasible that a suspect can issue a secure erase command immediately before the acquisition of the device, for example upon seeing investigators outside his/her window. As with individual file deletion, secure erase is ultimately processed by the SSD microcontroller and therefore can’t be stopped once started unless de-chipped.

Conclusion

SSDs have been engineered to overcome the limitations of NAND flash memory, and the resulting technologies pose real challenges to forensic investigators. As a general rule, it is much easier for users to securely delete data and much harder for forensic investigators to recover deleted data from SSDs. Background processes like static wear leveling make it harder for investigators to prove cryptographically that drives weren’t tampered with, and even processes like chip-off where the NAND chips are physically read without the interference of the controller will often fail due to fragmentation or compression. As SSDs increase in popularity, digital forensics will face greater challenges recovering evidence from computing devices unless significant innovations are made in the field.



Bibliography

Belkasoft. (2014, September 23). Recovering Evidence from SSD Drives in 2014: Understanding TRIM, Garbage Collection and Exclusions. Retrieved from Forensic Focus: http://articles.forensicfocus.com/2014/09/23/recovering-evidence-from-ssd-drives-in-2014-understanding-trim-garbage-collection-and-exclusions/
Domingo, J. S. (2015, February 17). SSD vs. HDD: What's the Difference? Retrieved from PCMag: http://www.pcmag.com/article2/0,2817,2404258,00.asp
Gubanov, Y. (2012, October). Why SSDs Destroy Court Evidence, and What Can Be Done About It. Retrieved from Belkasoft: https://belkasoft.com/en/why-ssd-destroy-court-evidence
Kingsley-Hughes, A. (2013, May 7). SSDs set to grab over one third of PC storage solutions market by 2017: IHS. Retrieved from ZDNet: http://www.zdnet.com/article/ssds-set-to-grab-over-one-third-of-pc-storage-solutions-market-by-2017-ihs/
Memon, N. (2009, December 14). Challenges of SSD Forensic Analysis. Retrieved from Digital Assembly: http://digital-assembly.com/technology/research/talks/challenges-of-ssd-forensic-analysis.pdf
Wiebe, J. (2013, May 28). Forensic Insight into Solid State Drives. Retrieved from Forensic Mag: http://www.forensicmag.com/articles/2013/05/forensic-insight-solid-state-drives