|
Solid State Drives: The Beginning of the End for Current
Practice in Digital Forensic Recovery?
Graeme B. Bell and
Richard Boddington
School of IT, Murdoch University, Perth, WA 6150, Australia.
{G.Bell, R.Boddington}@murdoch.edu.au.
Tel +61 89360 {6533,2801}. Fax +61 89360 2941
ABSTRACT
Digital evidence is increasingly
relied upon in computer forensic examinations and legal
proceedings in the modern courtroom. The primary storage
technology used for digital information has remained constant
over the last two decades, in the form of the magnetic disc.
Consequently, investigative, forensic, and judicial procedures
are well-established for magnetic disc storage devices (Carrier,
2005). However, a paradigm shift has taken place in technology
storage and complex, transistor-based devices for primary
storage are now increasingly common. Most people are aware of
the transition from portable magnetic floppy discs to portable
USB transistor flash devices, yet the transition from magnetic
hard drives to solid-state drives inside modern computers has so
far attracted very little attention from the research community.
Here we show that it is imprudent and potentially reckless to
rely on existing evidence collection processes and procedures,
and we demonstrate that conventional assumptions about the
behaviour of storage media are no longer valid. In particular,
we demonstrate that modern storage devices can operate under
their own volition in the absence of computer instructions. Such
operations are highly destructive of traditionally recoverable
data. This can contaminate evidence; can obfuscate and make
validation of digital evidence reports difficult; can complicate
the process of live and dead analysis recovery; and can
complicate and frustrate the post recovery forensic analysis.
Our experimental findings demonstrate that solid-state drives (SSDs)
have the capacity to destroy evidence catastrophically under
their own volition, in the absence of specific instructions to
do so from a computer.
Keywords: digital evidence, digital forensic analysis,
self-contamination, solid-state drive, SSD, garbage collection,
write-blocker.
To review the complete paper
click
here.
|
