Do SSD's present a forensic challenge
Page 1 of 1
Do SSD's present a forensic challenge
Forensics investigators and hard drives have developed something of a mutual understanding over the past couple of decades. That is, if we connect them to a write blocker, they’ll tell us everything they know and there is zero chance of them changing their contents and invalidating our evidence. When a file or data is "deleted" on a HDD it still remains even if overwritten, and can be detected and restored as it still exists in the sector and can be addressed. But what of the SSD?
Unlike the magnetic hard disk, which tries to keep blocks of a file as close to each other as possible; an SSD spreads the load across all the unused transistors in the drive randomly. This technique, known as wear-leveling, avoids consistently storing charge in the same group of transistors, which would make them wear out faster. The computer’s operating system is not aware of this process thanks to the SSD’s onboard controller card.
Today’s SSDs self-destroy court evidence through a process that can be called “self corrosion”. Garbage collection running as a background process in most modern SSDs will permanently erase data marked for deletion, removing it forever in a matter of minutes after the data has been marked for deletion. It is not possible to prevent garbage collection by moving the disk to another PC or attaching it to a write blocking device. The only way to prevent self-corrosion is physically detaching the disk controller from flash memory chips storing the data, and then accessing the chips directly via custom hardware.
Unlike the magnetic hard disk, which tries to keep blocks of a file as close to each other as possible; an SSD spreads the load across all the unused transistors in the drive randomly. This technique, known as wear-leveling, avoids consistently storing charge in the same group of transistors, which would make them wear out faster. The computer’s operating system is not aware of this process thanks to the SSD’s onboard controller card.
Today’s SSDs self-destroy court evidence through a process that can be called “self corrosion”. Garbage collection running as a background process in most modern SSDs will permanently erase data marked for deletion, removing it forever in a matter of minutes after the data has been marked for deletion. It is not possible to prevent garbage collection by moving the disk to another PC or attaching it to a write blocking device. The only way to prevent self-corrosion is physically detaching the disk controller from flash memory chips storing the data, and then accessing the chips directly via custom hardware.
Re: Do SSD's present a forensic challenge
A common misconception is that discarded blocks of an SSD drive are immediately erased. This is not usually the case. Instead, the way the TRIM command operates is considering the contents of discarded blocks as indeterminate (the "don't care" state) until the moment these blocks are physically erased by a separate background process, the garbage collector. In other words, the TRIM command does not erase the content of discarded blocks by itself. Instead, it adds them to a queue of pending blocks to be cleared by the garbage collector.
Page 1 of 1
Permissions in this forum:
You cannot reply to topics in this forum
|
|
Wed Mar 09, 2016 1:42 am by Admin
» The 2015 Insurance Fraud Hall of Fame
Thu Feb 18, 2016 2:25 am by Admin
» Keyless entry opens commercial vehicle doors to thieves
Thu Jan 07, 2016 4:16 am by Admin
» Locate subjects tools and techniques
Wed Feb 11, 2015 7:10 am by Admin
» It just takes one bad apple
Wed Feb 11, 2015 7:00 am by Admin
» Know when you're being lied to
Tue Jan 13, 2015 2:46 am by Admin
» Become the human lie detector
Tue Jan 13, 2015 2:46 am by Admin
» The online investigation and the fatal errors NOT to make
Tue Jan 13, 2015 2:40 am by Admin
» 21 dumbest criminals of the 21st century (so far)
Mon Jan 05, 2015 2:09 am by Admin