Solid State Drives in Digital Forensics

Susan Walsh

on 28 April 2015

Transcript of Solid State Drives in Digital Forensics

History of SSD
Future of SSD
Flash memory chips
wear out
data written in blocks not sectors
Digital Forensics methods are not designed for SSDs.
Modern SSDs:
Wear Leveling
Unallocated files are 100% unrecoverable if a quick format is performed
Some data recoverable, but no guarantee
Future of SSD
As time progresses SSD Nand chips will become faster and cheaper
SSDs will make their way into cheaper laptops
SSD firmware - Trim or no trim?
Digital forensics relies on being able to recover deleted data
Methods are designed for mechanical drives
Trim command means that once you "delete" files they are at risk of being zeroed within minutes.
SSDs are a serious problem for computer investigations today
Solid State Drives in Digital Forensics
Innovative storage architecture
block re-use
trim command
The 1st SSD
2 MB of storage
$9700 in 1977 (equivalent to >$36000)
HDD cost:
1TB - $53 ($.05/GB)
3TB - $101 ($.03/GB)
SSD cost:
120GB - $60 ($.50/GB)
240GB - $90 ($.38/GB)
SSDs are steadily dropping in price
In January 2012 120GB SSD was $235
1st Flash SSD (1988)
Flashdisk- first SSD to use flash memory
Plug in board for IBM PCs
16MB data
1st Modern SSD Flash Drives
Still thousands of dollars (1995)
aeronautical and military
1st Cheap SSD (2003)
1st commonly available SSD to consumers
as low as $50
Problem for forensics investigators
History of SSD
Example Case
Example Case
Two Australian computer forensics experts
Paper investigating how Trim affects the ability to collect data in SSDs
Example Case
