Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery?

Digital evidence is increasingly relied upon in computer forensic examinations and legal proceedings in the modern courtroom. The primary storage technology used for digital information has remained constant over the last two decades, in the form of the magnetic disc. Consequently, investigative, forensic, and judicial procedures are well-established for magnetic disc storage devices (Carrier, 2005). However, a paradigm shift has taken place in storage technology, and complex, transistor-based devices for primary storage are now increasingly common. Most people are aware of the transition from portable magnetic floppy discs to portable USB transistor flash devices, yet the transition from magnetic hard drives to solid-state drives inside modern computers has so far attracted very little attention from the research community. Here we show that it is imprudent and potentially reckless to rely on existing evidence collection processes and procedures, and we demonstrate that conventional assumptions about the behaviour of storage media are no longer valid. In particular, we demonstrate that modern storage devices can operate under their own volition in the absence of computer instructions. Such operations are highly destructive of traditionally recoverable data. This can contaminate evidence; can obfuscate digital evidence reports and make their validation difficult; can complicate the process of live and dead analysis recovery; and can complicate and frustrate the post-recovery forensic analysis. Our experimental findings demonstrate that solid-state drives (SSDs) have the capacity to destroy evidence catastrophically under their own volition, in the absence of specific instructions to do so from a computer.

[1] Mark Pollitt, et al. Computer Forensics Education, 2003, IEEE Secur. Priv.

[2] Brian D. Carrier, et al. File System Forensic Analysis, 2005.

[3] Gregory H. Carlton, et al. An Evaluation of Agreement and Conflict Among Computer Forensics Experts, 2009, 2009 42nd Hawaii International Conference on System Sciences.

[4] Valerie Hobbs, et al. Validating digital evidence for legal argument, 2008.

[5] Eugene H. Spafford, et al. Getting Physical with the Digital Investigation Process, 2003, Int. J. Digit. Evid.

[6] Michael A. Caloyannides. Computer Forensics and Privacy, 2001.

[7] Erik C. Berg, et al. Legal Ramifications of Digital Imaging in Law Enforcement, 2000.

[8] Erin E. Kenneally, et al. Risk sensitive digital evidence collection, 2005, Digit. Investig.

[9] M. B. Mukasey, et al. Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition, 2008.

[10] Gary Drossel. Solid-state drives meet military storage security requirements, 2007.

[11] Karl J. Flusche. Computer Forensic Case Study: Espionage, Part 1 Just Finding the File is Not Enough!, 2001, Inf. Secur. J. A Glob. Perspect.

[12] Xiaodong Zhang, et al. Understanding intrinsic characteristics and system implications of flash memory based solid state drives, 2009, SIGMETRICS '09.

[13] Akira Goto, et al. Intellectual Property Rights, Development, and Catch Up: An International Comparative Study, 2012.

[14] Michael Losavio, et al. Gap Analysis: Judicial Experience and Perception of Electronic Evidence, 2006, J. Digit. Forensic Pract.

[15] Simon Janes. The Role of Technology in Computer Forensic Investigations, 2000, Inf. Secur. Tech. Rep.