Incollection

Solid State Drive Forensics: Where Do We Stand?

John Vieyra; Mark Scanlon; Nhien-An Le-Khac

January 2019, Digital Forensics and Cyber Crime

Contribution Summary

This paper provides an in-depth analysis of the current state of solid-state drive (SSD) forensics, highlighting the challenges posed by SSDs' background data movement and garbage collection processes. The authors investigate the impact of TRIM, data volume, and powered-on time on data recovery, evaluate their approach with several experiments across various use-case scenarios, and provide guidance on extracting artefacts from SSDs under various conditions. The study aims to provide clear guidance on what happens in the background of SSDs during operation and investigation, and to demonstrate that most forensic hard disk drive (HDD) procedures still stand when it comes to their analysis. The study also discusses the limitations of SSDs, including their limited number of writes per cell, page-level writes, and block-level erasures, and how these limitations affect data storage and recovery. The authors conclude that SSDs require a different approach to forensic analysis, and that traditional HDD procedures may not be sufficient for SSDs. The study provides valuable insights for digital forensic examiners and researchers working with SSDs.

Keywords: SSD Forensics; Forensic Experiments; Data Recovery; TRIM; Solid-State Drive; Digital Forensics; Garbage Collection; Wear Levelling

Abstract

With Solid State Drives (SSDs) becoming more and more prevalent in personal computers, some have suggested that the playing field has changed when it comes to a forensic analysis. Inside the SSD, data movement events occur without any user input. Recent research has suggested that SSDs can no longer be managed in the same manner when performing digital forensic examinations. In performing forensics analysis of SSDs, the events that take place in the background need to be understood and documented by the forensic investigator. These behind the scene processes cannot be stopped with traditional disk write blockers and have now become an acceptable consequence when performing forensic analysis. In this paper, we aim to provide some clear guidance as to what precisely is happening in the background of SSDs during their operation and investigation and also study forensic methods to extract artefacts from SSD under different conditions in terms of volume of data, powered effect, etc. In addition, we evaluate our approach with several experiments across various use-case scenarios.

BibTeX

@incollection{vieyra2019ssdforensics,
author="Vieyra, John
and Scanlon, Mark
and Le-Khac, Nhien-An",
editor="Breitinger, Frank
and Baggili, Ibrahim",
title="Solid State Drive Forensics: Where Do We Stand?",
booktitle="Digital Forensics and Cyber Crime",
year=2019,
publisher="Springer International Publishing",
address="Cham",
pages="149--164",
abstract="With Solid State Drives (SSDs) becoming more and more prevalent in personal computers, some have suggested that the playing field has changed when it comes to a forensic analysis. Inside the SSD, data movement events occur without any user input. Recent research has suggested that SSDs can no longer be managed in the same manner when performing digital forensic examinations. In performing forensics analysis of SSDs, the events that take place in the background need to be understood and documented by the forensic investigator. These behind the scene processes cannot be stopped with traditional disk write blockers and have now become an acceptable consequence when performing forensic analysis. In this paper, we aim to provide some clear guidance as to what precisely is happening in the background of SSDs during their operation and investigation and also study forensic methods to extract artefacts from SSD under different conditions in terms of volume of data, powered effect, etc. In addition, we evaluate our approach with several experiments across various use-case scenarios.",
isbn="978-3-030-05487-8",
doi="10.1007/978-3-030-05487-8_8",
}