
Summer 2019

Senior Project Report


Computer Science Department
California State University, Dominguez Hills

Solid State Drives: Digital Forensic Biggest Challenge

Prepared by

Alejandra Jimenez
In Fulfillment of the Requirements for Senior Project – CTC 492

Abstract
Never in our history have we witnessed technology change at such rapid speeds. It is as if something faster, smarter and sleeker is making its way to the market every month. To the average consumer this is no problem; in fact, most welcome the idea of something that makes their lives just a bit easier. Along with these revolutionary advancements come potential loopholes that hackers are quick to cash in on. Because of these constant threats, digital forensic investigators not only have to keep up with these fast-advancing technologies, but must also figure out methods by which they can track down perpetrators.

One of the rapid changes happening today is the use of Solid-State Drives. Hard Disk Drives once reigned supreme, but now SSDs are taking over and becoming more and more common among devices. This has brought up a challenge for digital forensic investigators. The process of retrieving deleted data from the two kinds of drive is different because they are not built the same. Hard Disk Drives were much more common, and investigators figured out methods that worked to retrieve data. This, however, has not been the case for SSDs. The purpose of this research is to understand why SSDs have been so difficult for investigators to crack.

TABLE OF CONTENTS

CHAPTER 2

CHAPTER 3

Index of Figures

FIGURE 1 DIGITAL FORENSICS FOUR STEP PROCESS
FIGURE 2 COMPONENTS OF A HARD DISK DRIVE (WOODFORD, 2019)
FIGURE 3 COMPONENTS OF A SOLID-STATE DRIVE (HGO, 2013)
FIGURE 4 CONTENTS OF DOG FILE
FIGURE 5 CONTENTS OF HOUSE FILE
FIGURE 6 CONTENTS OF THEME PARK FILE
FIGURE 7 CONTENTS OF CAT FILE
FIGURE 8 CONTENTS OF NATURE FILE
FIGURE 9 TRANSFERRING DATA ONTO HDD
FIGURE 10 DATA TRANSFERRING COMPLETE
FIGURE 11 TRANSFERRING DATA ONTO SSD
FIGURE 12 DATA TRANSFERRING COMPLETE
FIGURE 13 PERMANENTLY DELETING FILES FROM HDD
FIGURE 14 FORMATTING HDD
FIGURE 15 PERMANENTLY DELETING FROM SSD
FIGURE 16 FORMATTING SSD
FIGURE 17 LIST OF MODULES FROM AUTOPSY
FIGURE 18 AUTOPSY ANALYZING HDD

Chapter 1: Introduction

1.1 Introduction to Digital Forensics

Computers and various electronic devices have become an integral part of our lives. It is no wonder that they have also become an integral part of criminals' lives. Digital forensics is an extended branch of forensic science. Forensic science recovers and analyzes physical crime scene evidence such as DNA, fingerprints, autopsies, etc.; digital forensics does the same but focuses on digital devices found at the crime scene. Digital forensics is not limited to criminal investigation; civil litigation and corporate investigations are also within the scope of the field. One needs to keep in mind that digital forensics is not limited to desktop and laptop computers; mobile devices, networks and cloud systems can all help investigators get the data they need (Sammons, The Basics of Digital Forensics: The Primer for Getting Started in Digital Forensics, 2012). The goal of the digital forensic process is to preserve any evidence in its most original form while performing a structured investigation by collecting, identifying and validating the digital information for the purpose of reconstructing past events.

1.2 Investigators Process

Once digital evidence is collected, investigators need to handle the devices carefully, as they can contain crucial data. Analyzing digital evidence will largely depend on the scope of the case and, of course, the expertise of the investigator, but the basis for the process remains the same no matter the investigator (Casey, 2009). In 2006 the National Institute of Standards and Technology, in SP 800-86, described a simple four-step digital forensic process consisting of the following steps: collection, examination, analysis, and reporting.

Figure 1 Digital Forensics Four Step Process

a. Collection: During the collection process it is important that “data are identified, labeled, recorded and acquired from all of the possible sources of relevant data, using procedures that preserve the integrity of the data” (Sammons, Digital Forensics: Threatscape and Best Practices, 2016). Data should be collected quickly and efficiently. Not doing so can risk losing important dynamic data.

b. Examination: Once data is collected, investigators must carefully examine it using forensic software kits and manual methods. In this stage of the process, investigators isolate relevant data that is of interest to the particular investigation.

c. Analysis: Once relevant data is set aside, it should be analyzed using various methods and techniques. The analysis should be well organized and documented to help in the next stage.

d. Reporting: Finally, forensic investigators must keep an accurate record of all activity related to the investigation, including all methods used for testing system functionality and retrieving, copying, and storing data, as well as all actions taken to acquire, examine and assess evidence.

No matter what device is being handled, it is always important to have a clear process for how the data will be handled. When digital forensics first started, investigators were mostly handling data found in computers and other storage devices. Now it is a completely different story: the list of devices that investigators could potentially work on seems endless. Mobile phones, tablets, laptops, smart watches, the cloud, and just about any device that has network capabilities are all within the scope of digital forensics.

1.3 Why is it Important

As stated earlier, technology is an integral part of our daily lives. Many of the devices we use each day are connected to a network, one way or another. Computers, laptops, phones, tablets, smart watches, email, social media posts or even something stored in the cloud can all be examined and taken into consideration by an investigator if it becomes necessary. It is important that investigators keep up with the changes happening in technology and update their tools and methods for the evolving field. As a result of this evolution, special branches of digital forensics have been created specifically for mobile devices and the cloud.

1.3.a Mobile Forensics

Mobile forensics is a branch of digital forensics that focuses on acquiring and analyzing data from a mobile device. A mobile device is not limited to a phone; it also includes tablets and GPS devices. The evolution of mobile phones in the market is rapid, and this creates a problem for investigators. Investigators run into many obstacles when dealing with mobile phones. There are so many different phones on the market, each with unique hardware and software. Mobile phones today are just as smart as a computer, and they contain plenty of digital information. The evidence that can be found on a mobile device is not just “limited to memory, SIM or SD card, but is also includes all the smartphone evidence such as cloud storage, browser history and geo location” (Shaikh, 2019). The variety of data that can be found is just one of the many obstacles investigators run into when they want to do a proper acquisition. With the market constantly pushing out new technology, it has become close to impossible for any one software tool or manual method to address all the phones out there. When an investigator is dealing with a mobile device, they have to carefully identify the software and method that would accurately obtain the evidence they need from the device.

1.3.b Cloud Forensics

Cloud computing is one of the most important technological advancements happening today. It is a new and exciting phenomenon that many people and corporations are still experimenting with. Cloud computing can be a bit complex to understand, but it simply means that your data is being stored on a remote server. The only way to access your data is over the internet. Cloud computing eliminates the need to store information on your local computer or server (Griffith, 2016). Since this is such a newly evolving technology, digital forensic investigators must keep a close eye on it. This is where cloud forensics comes in. Since the mainstream introduction of the technology, cloud forensics has been there to help investigators find potential evidence and help keep the technology safe from criminal activity.

Chapter 2: Background

2.1 Digital Forensics Biggest Challenge


Digital forensics is an evolving field because technology is constantly evolving. It is important that investigators keep a close eye on the evolution to be prepared when something new comes their way. There has been an evolution within the field that has branched out into different kinds of digital forensics. I have discussed mobile and cloud forensics. It is necessary that these technologies have their own branch of forensics. Although the basis for the digital forensic process is the same, each technology has its own uniqueness that requires a different approach. As previously mentioned, mobile devices are unique in their own way, which requires investigators to approach the devices differently. For years, Hard Disk Drives were the most commonly used storage drives found in computers, laptops and servers. But now Solid State Drives are making their way into the mainstream market, even becoming a standard storage device for Apple computers.

The commonality of solid-state drives has become an issue for digital forensic investigators. Before the rise of SSDs, hard disk drives ruled the market. Investigators had methods and software that were able to easily obtain data from the hard drive. However, the same methods and software that are used for HDDs cannot always be as reliable for SSDs. To understand why this is happening, we must take a look at each drive and dig deep into the mechanics that make them different from one another. Before I go into the mechanics and function of each drive, I will go into a brief history lesson.

2.2 Hard Disk Drive History

The first hard disk drive, the IBM 350 Disk Storage Unit, was invented by IBM in the late 1950s. The drive was the size of two large refrigerators and housed 50 disks, which is where the data was stored. The total storage of the drive was only 5 megabytes; that's about the storage of one photograph today. Although much has improved since the introduction of the HDD, the 305 featured a moving head to record and retrieve data on a magnetic medium. By 1980 IBM introduced the first HDD that held one gigabyte of storage. That same year the company Seagate introduced the first 5.25-inch hard disk drive. Since the introduction of the first hard drive, the price and physical size have continued to go down while the storage size continues to get larger.

2.2 Solid State Drive History

The first solid-state drive hit the market about 40 years ago. The first SSD was introduced by Dataram; it consisted of eight individual memory boards that were packed with 256KB of RAM chips, and measured 19 inches wide by 15 inches tall (Edwards, 2012). Just as with the hard drive, the technology improved, the cost and the physical size went down, and the storage size went up. Unlike hard disk drives, which have moving parts, a solid-state drive does not have any moving parts. A solid-state drive relies on a semiconductor chip and not a magnetic medium for storing data. It has taken a while for solid-state drives to be normalized in personal computers because they are still a lot more expensive when compared to a hard disk drive.

2.3 Purpose for this Research Project

The main purpose of this research project is to understand why digital forensic investigators are coming across issues when trying to extract data from a solid-state drive as opposed to a hard disk drive. To understand this, I will discuss the various features and components that make each unique, as well as conduct a study that compares the two drives.

Chapter 3: In Depth Look

3.1 Hard Disk Drive

So how exactly does a hard disk drive store information, you may ask? HDDs rely on the science of magnetism; this science is quite complex to get into, but to understand how hard drives work we must understand it. I will use a nail and a magnet to state simply what magnetism is. A nail is unmagnetized, but after rubbing a magnet back and forth above the nail it becomes magnetic and can stick to other nails. Sticking to the nail analogy, let's suppose your 20-gigabyte computer contains over 160,000 tiny nails; each of these nails stores a small piece of information known as a bit. Computers store information in binary form. When a bit is stored, it will be either a 1 or a 0. The nail is magnetized when storing a 1 and demagnetized when storing a 0. Of course, there aren't really nails in the hard drive. Instead, you can find a large magnetic platter that stores your computer's information. Magnetism is used in the hard drive because it will keep your information stored even after the device is powered off, just as a magnetized nail will stay magnetized until you demagnetize it (Woodford, 2019).

3.1.a Hard Disk Drive Components

There are various components to a hard drive that make it run the way it runs. I will quickly discuss the mechanics of each component found in the drive.

Figure 2 Components of a Hard Disk Drive (Woodford, 2019)

1. Actuator: This component is what moves the read-write arm (2). It does this by using electromagnets that work like the moving coils that make sound in loudspeakers. This component is much more reliable than the stepper motors that were used before.

2. Read-write arm: Swings the read-write head back and forth across the platter.

3. Central spindle: Rotates the platter.

4. Magnetic platter: This is where your information is stored in binary form.

5. Plug connection: The connection that is responsible for connecting your drive to your computer.

6. Read-write head: Attached to the arm, this part is responsible for reading data from the platter and writing data to the platter.

7. Circuit board: Helps with the flow of data to and from the platter.

8. Flexible connector: Is responsible for carrying data from the circuit board, read-write head and platter.

9. Spindle: Allows the read-write arm to swing across the platter.

3.2 Solid State Drive

Unlike a hard disk drive, a solid-state drive has no moving parts and does not use magnetism to store data. Instead, a solid-state drive (SSD) is a solid-state storage device that uses an integrated circuit assembly as memory to store data persistently; it relies on a semiconductor chip, not magnetic media. To understand SSD technology, we need a basic overview of computer architecture. To make it simple, the computer's memory architecture is divided into three sections, namely cache, memory, and hard disk. Cache is used for all calculations and procedures as the computer operates. Data access is instantaneous, and the electrical pathways to the cache are the shortest because the cache is mandatory. Memory, known as RAM (Random Access Memory), is the middle ground for the computer. Cache and memory operate at a speed of nanoseconds. Solid-state drives use memory known as "flash memory" that is similar to RAM. However, RAM clears whenever the computer is powered down, whereas SSD memory remains the same even if there is a power loss. SSDs use a grid of electrical cells for sending and receiving data. On a hard disk, data can be written to any location on the magnetic platter at any time, i.e., data can be overwritten easily. An SSD, by contrast, can write only to empty pages in a block: it cannot overwrite data in place, so it must first find an empty page in the block and write the data to that page. When enough pages in a block have been marked as unused, the SSD takes the content of the block, commits it to memory, and erases the whole block.

Figure 3 Components of a Solid-State Drive (Hgo, 2013)

3.2.a Components of a Solid-State Drive

The figure above labels the components found on an SSD; two of the most important parts are the controller and the NAND flash memory.

1. Controller: This is the SSD's processor. The controller includes the electronics that bridge the flash memory to the computer. It is up to the controller to decide what features it offers and how well the SSD performs.

2. NAND Flash Memory: This is the technology that is used by the SSD to store information. The majority of consumer-based SSDs use multi-level cell NAND. The cells store data in an on (1) or off (0) state. There are three important aspects to NAND flash memory cells.

a. The cells can be programmed only a limited number of times before they start to become unreliable. This is known as write endurance. There is a technique called wear leveling that is used by the controller to keep the memory alive. It evenly distributes writes across all the cells so that they wear out evenly.

b. Flash memory cannot overwrite existing data. Old data must be erased before anything new can be written.

c. Flash memory does not do a good job at erasing your data. When you delete something and empty the recycle bin, your information is still there. Windows uses a command called TRIM that labels your “deleted” data as invalid and will only get rid of the data when you write new data to the drive (Hgo, 2013).

We now have a better picture of what goes on inside these drives, particularly how they read and write data.

Chapter 4: Methodology

4.1 Design of the Study

This study will compare the results from both a hard disk drive and a solid-state drive using a forensic toolkit. To begin the study, I have composed a file that contains pictures, text documents, Word documents, PDF files and other random files. The same exact files will be passed onto both drives. Then the files will be deleted and both drives will be formatted. Finally, I will analyze the drives using the Autopsy forensic software.

4.2 Features and Techniques

Before we get into the actual study, I will discuss some features and techniques that digital forensic investigators use in order to analyze the files in a drive. One of the most popular techniques among investigators is a method referred to as dechipping. This technique is done by removing the flash chips from inside the drive and imaging the chips using hardware. Although this might sound like a good solution, it is not always the best way to go. It is unknown where the data is stored; sometimes, certain pieces of data are scattered across various other chips. This is not the only problem with dechipping. One of the features common within SSDs is wear leveling. This feature helps extend the life of an SSD by evenly distributing writes across all blocks so that they wear out evenly. This of course can become a problem for the investigator because it conceals potential information (Wiebe, 2013).

One of the most common features found on SSDs is the TRIM command. This was designed to solve the problem of the drive slowing down over time. When an SSD deletes files, it marks the location as a deleted block. The drive acts like a chalkboard: in order for new information to be written, the old information must first be completely gone. TRIM commands are the final step for the files to be completely gone. But in order for the drive not to wear out over time, this is done when the system is idle. Although it sounds like a good thing for the average consumer, the command becomes a problem when the investigator is extracting data from the drive, because it is possible that the information needed has been deleted. If the drive activates the TRIM command before the investigator begins analyzing it, then potentially incriminating evidence can be gone forever.
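
The behaviour described in sections 3.2 and 4.2 (writes that never overwrite in place, TRIM, and whole-block erase), as an added Python example that is not part of the original report. It is a toy model: the geometry, class names and file contents are assumptions made up for illustration, and it compares what can still be read from an HDD and an SSD after the same delete.

```python
"""Toy model (constructed, not from the report): deleted data on an HDD vs a TRIM-enabled SSD."""
ERASED = None            # an erased flash page
PAGES_PER_BLOCK = 4      # assumed geometry; real blocks hold far more pages

class ToyHDD:
    """Sectors are rewritten in place; delete only drops the directory entry."""

    def __init__(self):
        self.sectors = []                    # platter contents, in write order
        self.directory = {}                  # file name -> sector numbers

    def write_file(self, name, chunks):
        start = len(self.sectors)
        self.sectors.extend(chunks)
        self.directory[name] = list(range(start, len(self.sectors)))

    def delete_file(self, name, trim=True):  # trim is ignored: no TRIM on an HDD
        del self.directory[name]             # the magnetised data is untouched

    def image(self):
        """Sector-by-sector read, including unallocated space."""
        return list(self.sectors)

class ToySSD:
    """Minimal flash translation layer: out-of-place writes, TRIM, block erase."""

    def __init__(self, blocks):
        self.pages = [["free", ERASED] for _ in range(blocks * PAGES_PER_BLOCK)]
        self.l2p = {}                        # logical page -> physical page
        self.directory = {}
        self.next_lba = 0

    def _program(self, lba, data):
        # Flash cannot overwrite: take an erased page and invalidate the old copy.
        ppn = next(i for i, p in enumerate(self.pages) if p[0] == "free")
        if lba in self.l2p:
            self.pages[self.l2p[lba]][0] = "invalid"
        self.pages[ppn] = ["valid", data]
        self.l2p[lba] = ppn

    def write_file(self, name, chunks):
        lbas = list(range(self.next_lba, self.next_lba + len(chunks)))
        for lba, chunk in zip(lbas, chunks):
            self._program(lba, chunk)
        self.next_lba += len(chunks)
        self.directory[name] = lbas

    def delete_file(self, name, trim=True):
        lbas = self.directory.pop(name)
        if trim:                             # the OS tells the drive these pages are dead
            for lba in lbas:
                self.pages[self.l2p.pop(lba)][0] = "invalid"

    def garbage_collect(self):
        """Idle-time cleanup: save live pages, erase the whole block, write them back."""
        for start in range(0, len(self.pages), PAGES_PER_BLOCK):
            block = range(start, start + PAGES_PER_BLOCK)
            if not any(self.pages[i][0] == "invalid" for i in block):
                continue
            live = [(lba, self.pages[ppn][1]) for lba, ppn in self.l2p.items() if ppn in block]
            for i in block:
                self.pages[i] = ["free", ERASED]
            for lba, data in live:
                del self.l2p[lba]
                self._program(lba, data)

    def image(self):
        """Logical read through the controller, as an imaging tool sees the drive."""
        return [self.pages[ppn][1] for _, ppn in sorted(self.l2p.items())]

    def raw_flash(self):
        """What reading the NAND chips directly (dechipping) would find."""
        return [data for _, data in self.pages if data is not ERASED]

def run_experiment(trim=True):
    """Write the same files to both drives, delete the evidence, then image both."""
    evidence = {"dog.txt": ["dog-1", "dog-2"], "cat.txt": ["cat-1", "cat-2", "cat-3"]}
    files = {**evidence, "notes.txt": ["keep-1"]}   # constructed sample data
    hdd, ssd = ToyHDD(), ToySSD(blocks=4)
    for drive in (hdd, ssd):
        for name, chunks in files.items():
            drive.write_file(name, chunks)
        for name in evidence:
            drive.delete_file(name, trim=trim)
    raw_before = ssd.raw_flash()
    ssd.garbage_collect()
    return {"hdd_image": hdd.image(), "ssd_image": ssd.image(),
            "ssd_raw_before_gc": raw_before, "ssd_raw_after_gc": ssd.raw_flash()}
```

Calling run_experiment() shows the deleted chunks still present in the HDD image and in the raw flash before cleanup, but gone from the SSD once the blocks are erased. With trim=False the model drive is never told the pages are dead, so nothing is reclaimed and the logical image still returns every chunk.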

4.3 Hardware & Software

In order to conduct the study, I needed various tools to get the job done. I went out to buy two drives. I purchased an external Western Digital Hard Disk Drive with 2 terabytes. I also purchased an external Samsung Solid State Drive with only 500 gigabytes. I needed to find software to analyze the data. After much research I decided to go with AccessData's FTK toolkit, but I didn't take into account that I would need to purchase a license in order to use the software. I instead went with the Autopsy forensic software. I also used my HP Envy x360 laptop running Windows 10.

Chapter 5: Data Presentation & Analysis

In order to get the study started, I began by organizing files into one folder. The main folder I created was named the “evidence” folder. Within that one were various other folders that contained different subjects and different types of files. Each contains files that are related to the name of the folder. For example, I have a folder named “theme parks” and within that folder are various images and a text file with information pertaining to theme parks. Following are screenshots of the folders that were created.

Figure 4 Contents of Dog file

Figure 5 Contents of House file

Figure 6 Contents of Theme Park file

Figure 7 Contents of Cat file

Figure 8 Contents of Nature File

After creating the files, I passed them over onto both the drives.

Figure 9 Transferring Data onto HDD Figure 10 Data Transferring Complete

Figure 11 Transferring Data onto SSD Figure 12 Data Transferring Complete

Immediately after transferring the data onto both drives, I went ahead and deleted the files and formatted the drives before I began to analyze them with the Autopsy software.

Figure 13 Permanently Deleting Files from HDD

Figure 14 Formatting HDD

Figure 15 Permanently Deleting from SSD

Figure 16 Formatting SSD

Once the files had been passed onto the drives, then deleted, and the drives finally formatted, I started the Autopsy forensic software to begin the analysis on the formatted drives. I started out by analyzing the HDD first. When you start up Autopsy, you need to create a new case. Once you start a new case, the software needs you to fill out some information regarding the case, such as its name, the name of the investigator and a quick description. After that, you must select the drive you want to analyze and select from a list of modules, as seen in the figure below.

Figure 17 List of Modules from Autopsy

The list of modules is up to you to select. This menu is just asking you what the software should focus on when it is analyzing the drive. As mentioned, I began by analyzing the 2TB Hard Disk Drive, and it took about 13 hours for Autopsy to fully analyze the hard drive. The figure below shows the screen when Autopsy is analyzing the data. As it is analyzing the drive, the left pane contains all the information that the software picks up.

Figure 18 Autopsy Analyzing HDD

After the process was done, I immediately began to analyze the Solid-State Drive. As mentioned, I deleted the files from the drive as well as formatted the drive. Then the analysis process on the SSD began. This process took about 6 hours to complete.

Once both drives were complete, the only folder that contained information from the analysis was a folder named unallocated. I pulled out a report from the analysis in an Excel format.

Chapter 6: Data Results

Once the software analyzed the drive, I was able to pick up the results. Autopsy picked up the results from only one folder, and that was the unallocated folder. From further research, the unallocated folder is the folder that contains all the unrecovered deleted files. Although it did pick up something, I was not able to make out what it picked up exactly. The files did not keep their names; instead they were named something completely different. Everything it picked up was named using numbers, so it is hard to make out which files it was able to retrieve and how much of them it was able to pick up.

I set Autopsy to give me two separate reports: one from the results of the hard disk drive and another from the solid-state drive. It was clear from the Excel spreadsheet that Autopsy was able to dig up more information from the HDD than the SSD. The number of files it picked up from the HDD was over 1,800 files. That is an astronomical number as compared to the 500 files it was able to pick up from the SSD.

Chapter 7: Conclusion

The state that digital forensics is currently in must change. As much advancement as we have seen in the past few years within the industry, it is clear it never stops. With the advancement happening within the technology industry, forensic investigators must keep up with these updated devices in order to be prepared for any challenge that comes their way. One of the challenges happening today is the rise of the SSD.

We have discussed the methods and features that make the SSD a problem for investigators. To investigate this further myself, I conducted a small study in which I passed files onto a hard drive and a solid-state drive. After passing the files, I deleted them from the drives and formatted the drives. I then used a forensic software kit to analyze the drives in order to see if it picked up any of the deleted files. It was clear that even by doing the same exact thing to each of the drives, I was able to dig up more deleted files from the HDD than the SSD. This small study proved once again that the self-destruction features found in an SSD are what cause forensic investigators problems when they want to extract data from the drive. It is clear that the SSD's self-destruction features contributed to the lack of data obtained in the final report. This report helped show that the methods used by forensic investigators on HDDs do not hold up in the case of the SSD. Forensic investigators need to come up with new methods to overcome the self-destruction of solid-state drives.

Appendix

References
Casey, E. (2009). Handbook of Digital Forensics and Investigation. Elsevier Academic Press.

Edwards, B. (2012, January 17). Evolution of the Solid-State Drive. Retrieved July 16, 2019, from PCWorld: https://www.pcworld.com/article/246617/evolution-of-the-solid-state-drive.html

Griffith, E. (2016, May 3). What Is Cloud Computing? Retrieved from PCmag: https://www.pcmag.com/article/256563/what-is-cloud-computing

Hgo, D. (2013, March 1). Digital storage basics, Part 4 SSD explained. Retrieved July 27, 2019, from CNet: https://www.cnet.com/how-to/digital-storage-basics-part-4-ssd-explained/

Introduction to Mobile Forensics. (2015, May 19). Retrieved from eForensicsMagazine: https://eforensicsmag.com/introduction-to-mobile-forensics/

Sammons, J. (2012). The Basics of Digital Forensics: The Primer for Getting Started in Digital Forensics. Waltham: Elsevier. Retrieved July 25, 2019.

Sammons, J. (2016). Digital Forensics: Threatscape and Best Practices. Waltham: Elsevier.

Shaikh, H. (2019). Computer Forensics: Mobile Forensics. Retrieved July 26, 2019, from INFOSEC: https://resources.infosecinstitute.com/category/computerforensics/introduction/mobile-forensics/

Wiebe, J. (2013, May 28). Forensic Insight into Solid State Drives. Retrieved from Forensic Mag: https://www.forensicmag.com/article/2013/05/forensic-insight-solid-state-drives

Woodford, C. (2019, June 1). Hard drives. Retrieved July 27, 2019, from ExplainThatStuff!
