Gone in a Flash…Or Is It? Emerging Legal Issues in SSD Flash Drive Technology
Recent articles and academic papers demonstrate emerging challenges from sold state drives (SSDs). [See sources below] SSDs pose at least three challenges for the legal community:
- potential limits on forensic imaging (e.g., during e-discovery),
- a potential defense to spoliation claims, and
- data security in the law firm.
What Are SSDs?
In layperson terms, solid state drives (or flash “hard drives”) use flash “memory” (similar to the memory in removable USB drives, pen drives, or thumb drives) rather than traditional magnetic discs to store information. As prices of flash memory have fallen, high capacity drives (128Gb or more) that mirror the capacity of traditional hard drives are cost-possible (these drives still carry a significant cost premium per GB so whether they are cost-effective is probably relative).
The advantages of SSDs are:
- no moving parts (better shock or fall protection),
- significantly better performance (3000+ times faster than magnetic hard drives),
- small size, and
- low power consumption.
The disadvantages of SSDs are also the underlying sources of the challenges for the legal community.
- SSDs have a relatively shorter life span (compared to magnetic hard drives) and degrade after approximately 10,000 write cycles and [FN1]
- SSDs write in “blocks” rather than the magnetic hard drive disk/sector model.
To over come the disadvantages, SSD manufacturers add “intelligent” management DIRECTLY to the SSD drives (unlike magnetic drives). In other words, there is a intermediate layer between the SSD and the computer that acts, according to recent research, separately from the computer. The intermediate layer is technically called a “controller.” The controller gives the SSD “a mind of its own” and that “mind” is the source of the potential challenges for the legal community.[FN2]
Limits on Forensic Current Imaging
Forensic imaging creates a bitwise image of a magnetic hard drive. (The proper term is image and not copy.) In simple terms, the technician connects the target hard drive to a special computer interface, a separate image hard drive to the same interface, and then executes a program that “copies” every bit on the target drive to the image drive. The technician takes great pains not to make any changes to the target drive before imaging or image drive after imaging. The technician then analyzes the image drive.
The fundamental assumption of forensic imaging is the image drive carries an exact image of the original target computer hard drive. Because the image drive is “locked” and thus prevents any changes, the forensic analysis proceeds assuming anything on the image drive represents the exact same information on the target drive.
Recent research indicates that this fundamental assumption does not necessarily apply when SSDs are the target drive. Because the SSD “has a mind of its own,” the mere process of making the image can alter information on the original target drive—potentially deleting, altering, or moving information. Thus, the forensic analyst, apparently, cannot guarantee that the image drive is indeed a true image of the target drive.
The legal implications are:
- potential admissibility problems,
- loss of data/disappearing data, or
- corruption of slack space/open space.
The negative implications are probably most relevant when pursuing claims that the target computer user deleted or altered data on the computer relevant to the claim or crime charged. For example, A files a sex discrimination claim against C Corp alleging manager M sent sexually suggestive emails to A. M deleted the emails. Forensic analysis might be able to recover the deleted emails from the hard drive. Unfortunately, if the “hard drive” was a SSD, the forensic analysis may fail because the SSD’s “mind of its own” may have deleted the deleted drive space.
Admissibility problems may arise in a case if the integrity of the forensic image is at issue. If the recent research is correct, the proponent of the SSD information might not be able to assure a court that the SSD was unaltered.
Defense to Spoliation Claims
In some cases, a party seeking data held on a SSD may claim the holder of the data deleted the information or “wiped” the drive. The party then may move for sanctions if a subsequent analysis determines the information as deleted or “wiped.” For a traditional magnetic hard drive, such claims might be valid. If the recent research is accurate, the same might not apply if a SSD was involved. The SSD itself may have “wiped” or deleted information. Thus, an advocate should pay close attention to the media type (magnetic hard drive or SSD) and overall context if an adverse party seeks sanctions (adverse inference instruction, summary judgment, or monetary sanctions). However, the defending advocate must also consider the overall context, claim, and circumstances—that is, a rote claim that a SSD was at issue is not a “magic bullet.” The overall circumstances will determine whether the inherent SSD issues apply as a defense. (For example, consider the above sex discrimination case. M may have deleted the emails. However, there is no evidence M “wiped” the drive. Thus, if a magnetic hard drive was used by M, the emails might be forensically recoverable. If M, alternatively, used a SSD, the SSD itself may have “wiped” the deleted messages. If A’s lawyer moves for spoliation sanctions, M’s attorney might be able to defend on SSD grounds assuming a SSD was involved.) A prudent lawyer might want to include a written waiver applicable to SSD in the discovery order or similar document for additional protection and avoid later disputes.
Data Security in the Law Firm
The third issue is more problematic. A second study indicates that even when one deletes information on a SSD, the information might not actually be deleted. (If you are puzzled and thinking “how can both of these studies be true because they are contradictory,” they can be reconciled.) This has always been true even with magnetic hard drives. [FN1] However, SSDs add a new, disturbing wrinkle. (Call this the “Through the Looking Glass” version of the above.) Remember, the SSD has “a mind of its own.” Traditionally, a number of utilities securely delete information from MAGNETIC drives. Basically, these utilities delete the file reference and overwrite the specific area of disk that contained the file with “garbage” data. This overwriting, on a MAGNETIC drive, securely deletes the information.
Now, the SSD, on the other hand, writes in blocks. The SSD “mind” tricks the computer into thinking the information is deleted. In other words, the computer utility that purports to securely delete information appears to run properly but in actuality might never delete the specific information on the SSD because the SSD’s “mind” or intermediary layer intercepts the overwriting commands and applies (or doesn’t apply) its own commands. These commands may leave “stale information” on the SSD which, to the computer, is invisible.
The issue is disturbing because there are times when you want to securely delete information on a hard drive. For example, a law firm chooses to discard several computers. Good operating practices call for a secure wipe of the hard drives before discarding. If the law firm executes the wipe on a SSD using standard hard drive wiping tools, the data may or may not be deleted. The Wei article (see sources below) and video presentation provides methods to perform a secure erase, but these methods are not obvious to an average user.
Thus, the two studies are reconcilable. One applies in cases when you do not want the data corrupted or deleted. One applies in cases when you do legitimately want the data deleted.
As SSDs drop in price, more and more devices may include the technology—mobile devices would particularly benefit due to low power consumption and drop tolerance while standard computers benefit from the performance from faster drive access. In other words, the issue probably will not go away soon.
Addendum: Self-Encrypting Hard Drives
Even traditional magnetic disk drives are similarly transitioning. Newer drives may include a controller to self-encrypt the drive. Apparently somewhat similar to the SSD controller issues above, the self-encrypting controller chip may limit forensic analysis by encrypting at the mechanical drive level rather than the traditional methods of encrypting in the system BIOS or via software. See my post entitled New, Active-controller Hard Drive Technologies Pose Challenges and Benefits about this issue at http://www.shannonbrownlaw.com/cms/archives/457.
The issues presented here are complex and this treatment raises awareness rather than being an exhaustive analysis. The take-away for lawyers is: know the technology involved.
FN2—While this article intentionally attempts to avoid the underlying, complex technical issues, the reason for the SSD’s “mind of its own” needs some explanation. Looking at the limits of SSDs (writing in blocks and degrading over time from disk writes), the SSD manufacturers attempt to legitimately extend the life of the SSD by “balancing” disk use across the disk. Basically, the SSD’s “mind” apparently tries to spread writing activity evenly across the disk to avoid “burn out” of a specific section. Thus, the SSD’s “mind” rotates the writes to different blocks to avoid “overusing” a specific block.
Graeme B. Bell and Richard Boddington, Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery?, Journal of Digital Forensics, Security and Law, Vol. 5(3) (2010), available at http://www.jdfsl.org/subscriptions/JDFSL-V5N3-Bell.pdf. (technical study of the SSD issue)
Joseph Calamia, A Flash Memory That Doubles as DRAM, IEEE Inside Technology Spectrum (March 2011), http://spectrum.ieee.org/semiconductors/memory/a-flash-memory-that-doubles-as-dram.
John E Dunn, SSD drives difficult to wipe securely, researchers find, TechWorld (Feb. 22, 2011), available at http://news.techworld.com/storage/3262210/ssd-drives-difficult-to-wipe-securely-researchers-find/.
John E. Dunn, SSD firmware destroys digital evidence, researchers find, TechWorld (March 1, 2011), available at http://news.techworld.com/security/3263093/ssd-fimware-destroys-digital-evidence-researchers-find/
Dan Goodin, Self-erasing flash drives destroy court evidence, The Register (March 1, 2011), available at http://www.theregister.co.uk/2011/03/01/self_destructing_flash_drives/
Sold-state Drive, Wikipedia, https://secure.wikimedia.org/wikipedia/en/wiki/Solid-state_drive
SSDs Cause Crisis For Digital Forensics, SlashDot.org, (March 1, 2011) http://hardware.slashdot.org/story/11/03/01/1740240/SSDs-Cause-Crisis-For-Digital-Forensics
Michael Wei, et al., Reliably Erasing Data From Flash-Based Solid State Drives, University of California, Department of Computer Science and Engineering (2011) available at http://www.usenix.org/events/fast11/tech/full_papers/Wei.pdf. (Study of problems deleting information on SSDs). See also the video presentation of the topic at http://www.usenix.org/events/fast11/stream/wei/index.html (Link provided by Bruce Schneier, Crypto-Gram (March 15, 2011).
Original Publication Date: 11 March 2011
Updated: 25 May 2011
Updated: 06 July 2011
Update: 27 July 2011