SSD Forensic Analysis

Jun 21, 2016

Flash storage has been around for quite some time now and it is in most of the devices we use on a daily basis. There is no doubt that your smartphone and your tablet are packing flash storage. And, it’s very likely that your laptop and even you desktop computer has flash storage as well in the form of a solid state drive (SSD). If you’re interested in the field of computer forensics, I’m sure you’ve wondered how an examiner conducts SSD forensic analysis. I know there are challenges, and we will get into that. But first, let’s find out more about the SSD.

SSD vs. HDD

The solid state drive (SSD) has been a great advancement in non-volatile storage technology. Unlike the hard disk drive (HDD), the SSD has no moving parts, no spinning disks, and no read/write heads. Rather, the SSD utilizes silicon-based memory chips, which many refer to as flash memory, in order to store data. The result is a high-performance storage solution that pretty much runs laps around an HDD. In addition, its architecture makes it less susceptible to vibration and shock than the HDD. One more thing; prices for this technology continue to drop, so more and more of them are going to be out there. Okay, so the bottom line is that the SSD is a better drive.

There are plenty of pros when it comes to the SSD. However, there are some cons and Forensic Magazine covered them well. One of the problems is that SSD’s will eventually fail. No… really?! Yes… really. Specifically, the longevity of flash memory is rated around 100K cycles per block. Also, existing data on an SSD cannot be overwritten with new data. In other words, an SSD must have empty blocks available so that new data can be stored.

SSD Forensic Analysis Challenges

As I’m sure you already suspected, there are plenty of challenges. Probably the most prevalent of these challenges is that, unlike the HDD, the SSD completely obliterates data from existence when the command of delete is given. As I mentioned earlier, an SSD drive has to write data on empty blocks. So, it has at its disposal the TRIM function that erases deleted blocks in order to free up space for writing.

Another challenge, which is related to the SSD lifespan conversation that took place earlier, is something called wear-leveling. Considering that each block is good for about 100K cycles each, an SSD utilizes wear-leveling algorithms to distribute the load across all of the blocks. The problem this presents in SSD forensic analysis is that the data is extremely fragmented. To make matters worse, there is no storage pattern; data is basically stored to the block that has the fewest writes on it.

Right now, SSD forensic analysis remains a huge challenge for examiners. However, the LECC pointed out that the Cyber Security Division at the Department of Homeland Security is working on the development of solutions for the challenges that exist in SSD forensic analysis. I’ll keep you posted on the progress.

Pin It on Pinterest

Share This