Title: Forensics Analysis of Solid State Drive (SSD)

Year of Publication: May - 2016
Page Numbers: 1-12
Authors: Binaya Raj Joshi, Rick Hubbard
Conference Name: 2016 Universal Technology Management Conference (UTMC), United States


The need for advanced computer forensics techniques arises from the growing number of criminal investigations that involve advanced to sophisticated digital misuse of systems. Digital forensics will always be an advanced field as a profession, given the rise of laws that govern legal cases and of computer technologies that are becoming more and more ubiquitous. This research paper provides detailed studies of the fundamental techniques used on traditional HDDs and of the upgraded techniques used and required on SSDs to perform a digital forensic investigation. Solid State Drives (SSDs) rely on flash memory (in some cases SRAM or DRAM) and have overtaken traditional spinning-platter hard drives to become the standard for secondary storage in laptop computers. SSDs are thus becoming more widely available than before in desktop computers, laptops, tablets, smartphones, and even memory sticks and memory cards. Drawing on previous papers, research and available product information, the paper explains how SSDs rely on flash storage and are therefore more reliable and faster than traditional hard drives. Flash memory is divided into units of 2 KiB, 4 KiB or larger, rather than the 512-byte blocks used in traditional hard drives. This paper also describes how the limited lifespan of flash and the self-corrosion of memory blocks in unallocated space within modern SSDs complicate forensic investigations. The analysis performed for this project involves testing allocated and unallocated space within SSDs in laptops with TRIM functionality enabled and disabled, using a write blocker, to identify the differences and analyze them in a forensic investigation across multiple operating system versions. Garbage collection on a hard drive leaves deleted data in place and only marks it as deleted, so it can be recovered later, but with the self-destroying techniques of modern SSDs those sectors are rewritten with new information all the time.
This makes it complicated for forensic investigators to recover the evidence needed to prove crimes in court and prosecute the criminals. This research paper concentrates on exploring methods that could reduce the impact of all the features described here, so as to make forensic investigation of SSDs easier and more feasible in the future.