2

Is there any solution to validate the integrity of an SSD image? As far as I know, in the case of an SSD, low-level disk maintenance such as wear leveling is performed inside the drive in order to maximize its lifetime, regardless of the use of a write blocker. These activities alter the filesystem, and you cannot get the same hash the next time you try to validate the image.

Luc
  • Wear leveling does not change the filesystem. It does change where and how the blocks are written, not the data. If you write the same 64k on the same file, the data will go to different physical cells, but the data is the same. – ThoriumBR Oct 18 '16 at 17:05
  • Good reference info here: https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEFCON-24-Tom-Kopchak-Sentient-Storage.pdf – HashHazard Oct 18 '16 at 20:35

1 Answer

4

The "solution" is to thoroughly document your imaging procedure, including pictures, chain of custody, write blockers, and so on, so that if/when someone does call your methodology into question, you can defend it. Additionally, you should understand what's happening in an SSD so that if someone asks you about the hashes and why they don't match, you can explain clearly and concisely why that is expected behavior, and then fall back on your documented methodology to defend the integrity of your image.

I suppose if you were in a situation where an identical image was absolutely necessary, you could let the drive sit in a write blocker for a few hours and let all the trim/garbage collection activity on the drive finish so that it no longer moves data. Of course, this could destroy any possible deleted data that you may recover - and even then, the hashes still may not match at the end depending on how the SSD behaves.

Disclaimer: IANAL

fallacy
  • Chain of custody should be the no. 1 focus of any digital forensic person (+1). Without proper documentation of procedures someone can reject your claim as made up evidence. But *IANAL* as well. – grochmal Oct 18 '16 at 23:52
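
An added example, not part of the original answer or comments: one way to support the "explain why the hashes don't match" step is to record per-chunk hashes alongside the whole-image hash at acquisition time, so a later acquisition can be compared region by region and the changed offsets documented. The function names, the 4096-byte chunk size, the choice of SHA-256 and the sample data are assumptions made for illustration.

```python
import hashlib
import io

CHUNK = 4096  # assumed comparison granularity; record the value used in your notes


def image_manifest(stream, chunk_size=CHUNK):
    """Return (whole-image SHA-256, per-chunk records) for a binary stream."""
    whole, chunks, offset = hashlib.sha256(), [], 0
    while block := stream.read(chunk_size):
        whole.update(block)
        chunks.append({
            "offset": offset,
            "sha256": hashlib.sha256(block).hexdigest(),
            "all_zero": block.count(0) == len(block),
        })
        offset += len(block)
    return whole.hexdigest(), chunks


def diff_manifests(first, second):
    """List chunks whose hashes differ between two acquisitions of one drive."""
    if len(first) != len(second):
        raise ValueError("images differ in length; check acquisition parameters")
    return [
        # zeroed_in_second: data present in the first read, all zeros in the second
        {"offset": a["offset"],
         "zeroed_in_second": b["all_zero"] and not a["all_zero"]}
        for a, b in zip(first, second)
        if a["sha256"] != b["sha256"]
    ]


def constructed_demo():
    # Constructed sample data, not a real drive: four chunks, where the second
    # acquisition returns zeros for chunk 2, simulating a block the drive
    # cleaned up between the two reads.
    first = (b"A" * CHUNK + b"B" * CHUNK
             + b"deleted file".ljust(CHUNK, b"x") + b"\x00" * CHUNK)
    second = first[:2 * CHUNK] + b"\x00" * CHUNK + first[3 * CHUNK:]
    hash1, manifest1 = image_manifest(io.BytesIO(first))
    hash2, manifest2 = image_manifest(io.BytesIO(second))
    return hash1 == hash2, diff_manifests(manifest1, manifest2)


if __name__ == "__main__":
    same, changed = constructed_demo()
    print("whole-image hashes match:", same)
    for entry in changed:
        print(entry)
```

For real images, open the image files in binary mode and pass the file objects to `image_manifest`; store the manifest with the case notes next to the whole-image hash.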