Saturday 1 September 2012

Solid State Drive (SSD) Forensics: Is it a myth?

I spent two weeks doing solid state drive forensic analysis and found something that I could share with the digital forensics community. Before that I read a couple of papers on this topic, e.g.,

i) "Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery?" by Graeme B. Bell and Richard Boddington.
ii) "Empirical Analysis of Solid State Disk Data Retention when used with Contemporary Operating Systems" by Christopher King (CERT) and Tim Vidas (CMU ECE).

Both papers gave me quick info so that I could design my own SSD forensic analysis. This is quite important for my research too.

I’ve included EnCase, WinHex, an external SSD, videos and pictures for the analysis.
After deleting all video files, I used EnCase to view the SSD contents (see below).


There was no problem with the pictures, but with the videos there was an issue. To be precise, 7 video files were copied to the SSD and, as you can see in the above snapshot, only 1 video file was discovered by EnCase (it should be 7 because they shouldn’t have been overwritten; they totally disappeared).

So, what happened here? I’m perplexed! Not for a HD but SSD…? TRIM…garbage collection…wear levelling…? FTL? We got a serious problem here!

All these technologies are making forensic analysis complicated! Why (I’ve written/presented so many times on the difficulties faced by the digital forensics practitioners)?

So, I decided to use my WinHex to ‘peep’ into the SSD image (DD file) and surprisingly I found a few video files.




It wasn’t a nice experience though! Looking at bits and bytes (My vision is getting worse by the day! No more computers after this!).

EnCase? I’m not trying to condemn EnCase here; in fact, I’m using it regularly.
SSD? The death of digital forensics, then I need to change my profession. Not at this age!

But the best outcome was the retrieval of my favourite videos not seen by EnCase.
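
As an added example (not code from the original post), here is a minimal signature scan over a raw DD image, the automated counterpart of paging through it in a hex editor. It assumes the videos are AVI or MP4/MOV containers, which the post does not state; the function names, the 512-byte sector size and the sample image are constructed for illustration.

```python
import mmap
import struct

SECTOR = 512  # assumed sector size; files start on sector/cluster boundaries


def scan_video_headers(image_path):
    """Return (offset, kind, detail, sector_aligned) for each AVI or MP4/MOV
    header found anywhere in a raw image, allocated or not."""
    hits = []
    with open(image_path, "rb") as f, \
            mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as img:
        # AVI layout: "RIFF" | u32 little-endian size | "AVI "
        pos = img.find(b"RIFF")
        while pos != -1:
            if img[pos + 8:pos + 12] == b"AVI ":
                size = struct.unpack_from("<I", img, pos + 4)[0] + 8
                hits.append((pos, "avi", size, pos % SECTOR == 0))
            pos = img.find(b"RIFF", pos + 1)
        # MP4/MOV layout: u32 big-endian box size | "ftyp" | 4-byte brand
        pos = img.find(b"ftyp", 4)
        while pos != -1:
            box = struct.unpack_from(">I", img, pos - 4)[0]
            brand = img[pos + 4:pos + 8]
            if (16 <= box <= 1024 and len(brand) == 4
                    and all(0x20 <= c < 0x7F for c in brand)):
                start = pos - 4
                hits.append((start, "mp4", brand.decode(), start % SECTOR == 0))
            pos = img.find(b"ftyp", pos + 1)
    return sorted(hits, key=lambda h: h[0])


def build_sample_image(path):
    """Write a small constructed image: zero fill plus planted headers."""
    img = bytearray(8 * SECTOR)
    img[512:524] = b"RIFF" + struct.pack("<I", 1000) + b"AVI "    # AVI header
    img[1024:1036] = b"RIFF" + struct.pack("<I", 500) + b"WAVE"   # audio decoy
    img[2048:2060] = struct.pack(">I", 24) + b"ftyp" + b"isom"    # MP4 header
    img[3000:3004] = b"ftyp"                                      # stray text
    with open(path, "wb") as f:
        f.write(img)


if __name__ == "__main__":
    build_sample_image("sample.dd")
    for hit in scan_video_headers("sample.dd"):
        print(hit)
```

Sector-aligned hits are the stronger candidates for real file starts; unaligned ones are more likely embedded data or coincidental byte matches.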