SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Do SSD Drives Auto Destroy Forensic Evidence? Industrial Espionage, and Cloud Computing Forensics

Solid State Drives (SSD) Forensics continue as the top story this week. Two University researchers published shocking research that indicates that the firmware in SSDs can destroy forensic evidence as part of it's everyday functionality. Details in MUST Reads (upgrading this week from "Good Reads"). Apple made big news with the launch of new tablet (this week) and new laptop offerings (last week). We bring you news of forensic tools for the Mac. Plus, industrial espionage featuring Chinese spies paying American employees to steal intellectual property. And, do you have naked passwords?


  • MacQuisition 2.53 from BlackBag Technologies, is a forensic acquisition tool for legacy and new Mac hardware. The new version now supports Intel i5 and i7 processing architecture, enabling it to work with the latest Mac laptops and desktops. This update also offers dual boot options for working with new Intel powered Macs as well as legacy PowerPC Macs. According to, Drew Fahey, Director of Forensics at BlackBag Technology, "These enhancements offer Mac forensic professionals the most robust and flexible Mac imaging tool available today..." For more information about MacQuisition, such as an ovedrview video or data sheet, visit And, don't miss an excellent BlackBag Technology blog posting on imaging MacBook Air lap-tops.
  • Open source forensic tool The Sleuth Kit, version 3.2.1, was just released with some new features and a host of bug fixes.
  • UPDATE: Last month, your blogger reported on a new tool by called The Hiddn Crypto Adapter. This device can encrypt plain-Jane acquisition drives and adds FIPS-compliant two-factor authentication. The device was available for demo by your blogger at the RSA Conference 2011 in San Francisco. It's small, easy-to-use, and worked well with a Win/Lin laptop your blogger was sporting that day at RSA. Spokesperson said it works with Mac OS X, too. Worth looking into.

MUST Reads:

  • With the explosive growth of Solid State Drives( SSDs) in computers, and other computing devices like tablets and netbooks, there is some shocking news from Graeme B. Bell and Richard Boddington, two researchers at Murdoch University in Perth, Australia. According to these researchers, SSDs "have the capacity to destroy evidence catastrophically under their own volition..." Their work is contained in a paper written for the Journal of Digital Forensics, Security, and the Law entitled, 'Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Discovery?' Takeaway: Forensic professionals must deploy new approaches to SSD forensics. The current approach could miss important data in event time-lines. Your blogger had off-the-record discussions with some in the community that may have some solutions. Watch this space for updates.
  • Ironically, SSDs may also have problems with legit data destruction. If you missed it last week, read more from this 'Naked Security blog' post, "SSD's prove difficult to securely erase". The full paper can be found here.
  • Brett Kingston is the author of The Real War Against America, on industrial espionage featuring Chinese spies paying American employees to steal intellectual property. Brett Kingston invented a new way to manufacture fiber optic cables. The designs were stolen by insiders bribed by Chinese competitors. Brett worked with the FBI to track down and prosecute the Chinese competitors, and won a $40 million civil judgment against them. The competitor transfered all their funds out of the reach of the Courts, and they were tipped off by their lawyers. You can hear an interview your blogger conducted with Brett Kingstone at CyberJungle Radio; the interview begins at about the 18:25 mark. This is an excellent segment to share with non-technical managers to help them understand the challengers of forensics and incident response.


  • London Stock Exchange, and Morgan Stanley: Added to the list of financial services companies breached by cyber criminals. Don't worry, they "Take security very seriously."
  • New Hampshire local LE charge man for recording traffic stop using smart phone and voice mail
  • New Zeus account takeover attack targets users of mobile phone multi-factor authentication
  • Meanwhile, new proposed Fed Banking rules designed to fight Zues and other account takeover attacks could result in a wave of forensic and ediscovery-rich litigation
  • RSA Conference San Francisco had a full-house during a session with Aaron Turner on the legal and forensics issues with employee BYOD (Bring Your Own [mobile] Device). Aaron's talk was jammed packed with forensic information. For example, he advised professionals to buy a fresh phone before leaving the US. Use that phone outside of the US. Before leaving the country you have traveled to, turn on the phone and flush it down the toilet. The water and the phone's power will make data recovery very difficult. US Customs cannot inspect what they cannot get to. Read the full posting on this talk, and on the important topic of cloud computing forensics.


  • The whole idea of naked password is to encourage your users to enter stronger passwords. Sally tastefully removes items of clothing as the password grows stronger.

Coming Events:

If you have an article to suggest for case leads please email it to

by Ira Victor, G2700, GCFA, GPCI, GSEC, ISACA-CGEIT. Ira Victor is a forensic analyst with Data Clone Labs, He is also Co-Host of CyberJungle Radio, the news and talk on security, privacy and the law. Ira is President of Sierra-Nevada InfraGard, and a member of The High Tech Crime Investigator's Association (HTCIA). Follow Ira's security and forensics tweets: @ira_victor .


Posted March 5, 2011 at 9:04 AM | Permalink | Reply

Frank Phillips

It would be best if the SSD garbage collector could be disabled by pin or solder jumper on the hardware. An investigator with drive in hand would just have to open the case and move or solder a "GC disable" jumper before powering the drive.
There should be no reason why the microcontroller inside the SSD can't check this signal before proceeding with GC.
Even the smallest form factors should have room for this on the PCB.