Papers of the Month: Packet Injection & SSD Forensics

Gabriel Gonzalez
Aug 22, 2011

Below you can find a summary of the two most relevant papers I have read this month:

This paper presents a technique for injecting raw frames at Layer 1 from the payload of upper layers, for example HTTP. It was tested against IEEE 802.15.4 and 2-FSK radio protocols.

This attack doesn’t work on encrypted channels since the raw frame inserted in the payload is encrypted too.

The image below shows a representation of the attack compared to a normal packet transmission:

As a real-world example, the paper presents an attack against ZigBee, which is based on IEEE 802.15.4. The next figure shows a ZigBee packet with an embedded raw frame that starts right in the middle of the image, with the preamble 00 00 00 00 and the sync a7, which causes the receiver to think a new packet is coming:
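On the defensive side, a gateway that relays untrusted upper-layer data onto an unencrypted 802.15.4 link can scan each payload for that preamble-plus-sync sequence before it is sent. The sketch below is an added example, not code from the paper or from this post; the function names are hypothetical, and the frame length bounds and FCS check come from IEEE 802.15.4 rather than from the text above.

```python
# Added example: flag byte runs in an upper-layer payload that look like an
# embedded IEEE 802.15.4 frame (preamble 00 00 00 00, sync a7, as in the post).
MARKER = bytes.fromhex("00000000a7")  # preamble + sync, values from the post
MIN_LEN, MAX_LEN = 5, 127             # shortest (ACK) to largest frame, FCS included

def fcs16(data: bytes) -> int:
    """16-bit ITU-T CRC used as the 802.15.4 FCS (init 0, reflected poly 0x8408)."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def find_embedded_frames(payload: bytes):
    """Return (offset, length, verdict) for every preamble+sync found in payload."""
    hits, pos = [], payload.find(MARKER)
    while pos != -1:
        start = pos + len(MARKER)          # index of the length byte
        if start >= len(payload):
            hits.append((pos, None, "truncated"))
        else:
            length = payload[start] & 0x7F  # 7-bit frame length, so never above MAX_LEN
            frame = payload[start + 1:start + 1 + length]
            if length < MIN_LEN:
                verdict = "marker-only"     # still suspicious: a receiver would sync here
            elif len(frame) < length:
                verdict = "truncated"
            elif fcs16(frame[:-2]) == int.from_bytes(frame[-2:], "little"):
                verdict = "valid-fcs"       # a complete, well-formed inner frame
            else:
                verdict = "bad-fcs"
            hits.append((pos, length, verdict))
        pos = payload.find(MARKER, pos + 1)
    return hits

# Constructed test vectors (not captured traffic): a 3-byte ACK-style body.
BODY = bytes.fromhex("020001")
FRAME = BODY + fcs16(BODY).to_bytes(2, "little")
SAMPLE_EMBEDDED = b"POST /log HTTP/1.1\r\n\r\n" + MARKER + bytes([len(FRAME)]) + FRAME + b"tail"
SAMPLE_BENIGN = b"GET /index.html HTTP/1.1\r\nHost: sensor.example\r\n\r\n"

if __name__ == "__main__":
    print(find_embedded_frames(SAMPLE_EMBEDDED))
    print(find_embedded_frames(SAMPLE_BENIGN))
```

Any hit, including "marker-only", is worth rejecting or escaping at the gateway, since the receiver reacts to the preamble and sync regardless of what follows.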

This paper presents an analysis of 16 different disks and discusses the data recovery problems that arise when the TRIM command is used. The experiment shows that with TRIM in place only 27% of blocks are recoverable, whereas without it nearly all can be recovered.

The TRIM command lets the operating system mark blocks as deleted, telling the garbage collector to add those blocks to the free pool, which maintains SSD performance.

They have only analyzed Windows 7 and Windows XP; I would like to see some future work showing results for other OSs, including Unixes.

The following two figures show the results for these two operating systems; they show that when TRIM, Windows 7 and Intel’s SSDs are used together, 0% of the data was recovered.

Originally published at http://www.gabrielgonzalezgarcia.com on August 22, 2011.
