Why SSD Drives Destroy Court Evidence, and What Can Be Done About It

Yuri Gubanov, Oleg Afonin © Belkasoft Research

Note: our newer article on SSD forensics can be found at this link

Why SSD Drives Destroy Court Evidence, and What Can Be Done About It

Q3 2012: State of the art in SSD forensics

Published in DFI, October 2012
Published in ForensicFocus, October 2012


Solid State drives (SSD) introduced dramatic changes to the principles of computer forensics. Forensic acquisition of computers equipped with SSD storage is very different of how we used to acquire PCs using traditional magnetic media. Instead of predictable and highly possible recovery of information the suspect attempted to destroy, we are entering the muddy waters of stochastic forensics where nothing can be assumed as a given.

Stochastic Forensics

The way today's SSD drives operate allows little space for positive assumptions. With SSD drives, the only thing we can assume is that an investigator can access existing information stored on the disk. Deleted files and data the suspect attempted to destroy (by e.g. formatting the disk - even in "Quick Format" mode) may be lost forever in a matter of minutes [1]. And even if the computer is powered off immediately after a destructive command has been issued (e.g. in a few minutes after the Quick Format), there is no easy way to prevent the disk from destroying the data once the power is back on. The situation is somewhat of a paradox, reminding of Schrödinger's cat: one will never know if the cat is alive before opening the box [2].

Please register to access full versions of Belkasoft articles

Please provide real information, the access link will be sent to your email.

Yuri Gubanov, Oleg Afonin © Belkasoft Research