Why SSD Drives Destroy Court Evidence, and What Can Be Done About It
Q3 2012: State of the art in SSD forensics
Published in DFI, October 2012
Published in ForensicFocus, October 2012
Abstract
Solid State Drives (SSD) have introduced dramatic changes to the principles of computer forensics. Forensic acquisition of computers equipped with SSD storage is very different from how we used to acquire PCs using traditional magnetic media. Instead of predictable and highly probable recovery of the information the suspect attempted to destroy, we are entering the muddy waters of stochastic forensics, where nothing can be taken as a given.
Stochastic Forensics
The way today's SSD drives operate leaves little room for positive assumptions. With SSD drives, the only thing we can assume is that an investigator can access the existing information stored on the disk. Deleted files and data the suspect attempted to destroy (e.g. by formatting the disk, even in "Quick Format" mode) may be lost forever in a matter of minutes [1]. And even if the computer is powered off immediately after a destructive command has been issued (e.g. within a few minutes of the Quick Format), there is no easy way to prevent the disk from destroying the data once the power is back on. The situation is somewhat of a paradox, reminiscent of Schrödinger's cat: one will never know whether the cat is alive before opening the box [2].