Where the world discovers multidisciplinary cyber forensics


Aims and Scope
Open Access
Call for Papers
Author Instructions
Issues 2013
Issues 2012
Issues 2011
Issues 2010
Issues 2009
Issues 2008
Issues 2007
Issues 2006



Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery?


Graeme B. Bell and Richard Boddington
School of IT, Murdoch University, Perth, WA 6150, Australia.
{G.Bell, R.Boddington}@murdoch.edu.au.
Tel +61 89360 {6533,2801}. Fax +61 89360 2941



Digital evidence is increasingly relied upon in computer forensic examinations and legal proceedings in the modern courtroom. The primary storage technology used for digital information has remained constant over the last two decades, in the form of the magnetic disc. Consequently, investigative, forensic, and judicial procedures are well-established for magnetic disc storage devices (Carrier, 2005). However, a paradigm shift has taken place in technology storage and complex, transistor-based devices for primary storage are now increasingly common. Most people are aware of the transition from portable magnetic floppy discs to portable USB transistor flash devices, yet the transition from magnetic hard drives to solid-state drives inside modern computers has so far attracted very little attention from the research community.

Here we show that it is imprudent and potentially reckless to rely on existing evidence collection processes and procedures, and we demonstrate that conventional assumptions about the behaviour of storage media are no longer valid. In particular, we demonstrate that modern storage devices can operate under their own volition in the absence of computer instructions. Such operations are highly destructive of traditionally recoverable data. This can contaminate evidence; can obfuscate and make validation of digital evidence reports difficult; can complicate the process of live and dead analysis recovery; and can complicate and frustrate the post recovery forensic analysis.

Our experimental findings demonstrate that solid-state drives (SSDs) have the capacity to destroy evidence catastrophically under their own volition, in the absence of specific instructions to do so from a computer.

Keywords: digital evidence, digital forensic analysis, self-contamination, solid-state drive, SSD, garbage collection, write-blocker.

To review the complete paper click here.



Copyright 2006-2014 Association of Digital Forensics, Security and Law (ADFSL)