Solid State Drives: Digital Forensic
Biggest Challenge
Prepared by
Alejandra Jimenez
In
Fulfillment of the Requirements
For
Senior Project – CTC 492
Abstract
Never in our history have we witnessed technology change at such rapid speeds. It
is as if something faster, smarter and sleeker makes its way to the market every month.
To the average consumer this is no problem; in fact, most welcome the idea of something
that is out there to make their lives just a bit easier. Along with these revolutionary
advancements come potential loopholes that hackers are quick to cash in on. Because
of these constant threats, digital forensic investigators not only have to keep up with these
fast-advancing technologies, but they must also figure out methods by which they can track
down perpetrators.
One of the rapid changes happening today is the use of solid-state drives. Hard
disk drives once reigned supreme, but now SSDs are taking over and becoming more and
more common among devices. This has brought up a challenge for digital forensic
investigators. The process of retrieving deleted data from the drives is different because
they are not built the same. Hard disk drives were much more common, and investigators
figured out methods that worked to retrieve data. This, however, has not been the case for
SSDs. The purpose of this research is to understand why SSDs have been so difficult
Chapter 1: Introduction
Computers and various electronic devices have become an integral part of our
lives. It is no wonder that they have also become an integral part of criminals’ lives. Digital
forensics is an extended branch of forensic science. Forensic science recovers
and analyzes physical crime scene evidence such as DNA, fingerprints, autopsies, etc.;
digital forensics does just that, except that it focuses on digital devices found at the crime scene.
Digital forensics is not limited to criminal investigation; civil litigation and corporate
investigations are also within the scope of the field. One needs to keep in mind that digital
forensics is not limited to desktop and laptop computers; mobile devices, networks and
cloud systems can all help investigators get the data they need (Sammons,
The Basics of Digital Forensics: The Primer for Getting Started in Digital Forensics, 2012).
The goal of the digital forensic process is to preserve any evidence in its most original form
Once digital evidence is collected, investigators need to carefully handle the devices,
as they can contain crucial data. Analyzing digital evidence will largely depend on the
scope of the case and of course the expertise of the investigator, but the basis for the
process remains the same no matter the investigator (Casey, 2009). In 2006 the National
Institute of Standards and Technology, in SP 800-86, described a simple four-step digital
forensic process which consisted of the following steps: collection, examination, analysis,
and reporting.
a. Collection: During the collection process it is important that the “data are
identified, labeled, recorded and acquired from all of the possible sources of
relevant data, using procedures that preserve the integrity of the data”
should be collected quickly and efficiently. Not doing so can risk losing
using forensic software kits and manual methods. In this stage of the process,
investigation.
c. Analysis: Once relevant data is set aside, it should be analyzed using various
methods and techniques. The analysis should be well organized and document
activity related to the investigation, including all methods used for testing
system functionality and retrieving, copying, and storing data, as well as all
process with how the data will be handled. When digital forensics first started, investigators
were mostly handling data found in computers and other storage devices. Now it is a
completely different story; the range of devices that investigators could potentially work on seems
endless. Mobile phones, tablets, laptops, smart watches, the cloud, and just about any
device that has network capabilities are all within the scope of digital forensics.
As stated earlier, technology is an integral part of our daily lives. Many of the
devices we use each day are connected to a network in one way or another. Computers,
laptops, phones, tablets, smart watches, email, social media posts or even something stored
in the cloud can all be examined and taken into consideration by an investigator if it
becomes necessary. It is important that investigators keep up with the changes happening in
technology and update their tools and methods for the evolving field. As a
result of this evolution, a special branch of digital forensics has been created specifically for
analyzing data from mobile devices. A mobile device is not limited to a phone; it
also includes tablets and GPS units. The evolution of mobile phones in the market is rapid, and this
creates a problem for investigators. Investigators run into many obstacles when dealing
with mobile phones. There are so many different phones on the market, each with
unique hardware and software. Mobile phones today are just as smart as a computer;
they contain plenty of digital information. The evidence that can be found on a mobile
device is not just “limited to memory, SIM or SD card, but is also includes all the
smartphone evidence such as cloud storage, browser history and geo location” (Shaikh,
2019). The varying amount of data that can be found is just one of the many obstacles
investigators run into when they want to do a proper acquisition. Phones are very unique;
each phone comes with a different set of hardware and software. With the market
constantly pushing out new technology, it has become close to impossible for there to be a
software or manual method that can address all the phones out there. When an investigator
is dealing with a mobile device, they have to carefully identify the software and method
that would accurately obtain the evidence they need from the device.
happening today. It is a new and exciting phenomenon that many people and
corporations are still experimenting with. Cloud computing can be a bit complex to
understand, but it simply means that your data is being stored on a remote server. The only
way to access your data would be over the internet. Cloud computing eliminates the need
to store information on your local computer or server (Griffith, 2016). Since this
is such a newly evolving technology, digital forensic investigators must keep a close eye on
it. This is where cloud forensics comes in. Since the mainstream introduction
of the technology, cloud forensics is here to help investigators find potential evidence and
Chapter 2: Background
important that investigators keep a close eye on the evolution to be prepared when
something new comes their way. There has been an evolution within the field that has
branched out into different kinds of digital forensics. I have discussed mobile and cloud forensics. It is
necessary that these technologies have their own branch of forensics. Although the basis
for the digital forensic process is the same, each technology has its own uniqueness that
requires a different approach. As previously mentioned, mobile devices are unique in their
own way, which requires investigators to approach the devices differently. For years, hard
disk drives were the most commonly used storage drives found in computers, laptops and
servers. But now, solid-state drives are making their way into the mainstream market; even
The commonality of solid-state drives has become an issue for digital forensic
investigators. Before the rise of SSDs, hard disk drives ruled the market. Investigators had
methods and software that were able to easily obtain data from the hard drive. However, the
same methods and software that are used for HDDs cannot always be as reliable for
SSDs. To understand why this is happening, we must take a look at each drive and dig deep
into the mechanics that make them different from one another. Before I go into the mechanics
The first hard disk drive, the IBM 350 Disk Storage Unit, was invented by IBM in the
late 1950s. The drive was the size of two large refrigerators and housed 50 disks,
which is where the data was stored. The total storage of the drive was only 5 megabytes;
that’s about the storage of one photograph today. Although much has improved since the
introduction of the HDD, the 305 featured a moving head to record and retrieve data on a
magnetic medium. By 1980 IBM introduced the first HDD that held one gigabyte of
storage. That same year the company Seagate introduced the first 5.25-inch hard disk drive.
Since the introduction of the first hard drive, the price and size continued to go down while
The first solid-state drive hit the market about 40 years ago. The first SSD
was introduced by Dataram; it consisted of eight individual memory boards that were
packed with 256KB of RAM chips, and measured 19 inches wide by 15 inches tall
(Edwards, 2012). Just like the hard drive, the technology improved, the cost and size went
down, and the storage capacity went up. Unlike hard disk drives, which have
moving parts, a solid-state drive does not have any moving parts. A solid-state drive relies
on a semiconductor chip and not a magnetic medium for storing data. It has taken a while for
solid-state drives to be normalized in personal computers because they are still a lot more
The main purpose of this research project is to understand why digital forensic
investigators are coming across issues when trying to extract data from a solid-state drive
as opposed to a hard disk drive. To understand this, I will discuss the various features and
components that make each unique, as well as conduct a study that compares the two
drives.
So how exactly does a hard disk drive store information, you may ask? HDDs rely
on the science of magnetism; this science is quite complex to get into. But to understand
how hard drives work we must understand this science. I will use a nail and a magnet to
simply state what magnetism is. A nail is unmagnetized, but after rubbing a magnet back and
forth over the nail it becomes magnetic and can stick to other nails. Sticking to the nail
analogy, let’s suppose your 20-gigabyte computer contains over 160,000 tiny nails; each of
these nails stores a small piece of information known as a bit. Computer stores information
aren’t really nails in the hard drive. Instead, you can find a large magnetic platter that stores
your computer’s information. Magnetism is used in the hard drive because it will keep your
information stored even after the device is powered off. Just like a magnetized nail will stay
There are various components to a hard drive that make it run the way it runs. I will
Figure 2 Components of a Hard Disk Drive (Woodford, 2019)
1. Actuator: This component is what moves the read-write arm (2). It does this by
using electromagnets that work like the moving coils that make sound in
loudspeakers. The component is much more reliable and is more reliable than the
2. Read-write arm: Swings the read-write head back and forth across the platter.
5. Plug connection: The connection that is responsible for connecting your drive to
your computer.
6. Read-write head: Attached to the arm, this part is responsible for reading data
7. Circuit board: Helps with the flow of data to and from the platter.
8. Flexible connector: Is responsible for carrying data from the circuit board, read-
Unlike a hard disk drive, a solid-state drive has no moving parts and does not use
magnetism to store data. Instead, a solid-state drive (SSD) is a solid-state storage device
that uses an integrated circuit assembly as memory to store data persistently. A solid-state
drive uses a semiconductor chip, not magnetic media, for storing data. To understand
SSD technology, we need a basic overview of computer
architecture. To make it simple, the computer's memory architecture is divided into
three sections, namely cache, memory, and hard disk. Cache is used for doing all calculations
and procedures as the computer operates. The data access is instantaneous; electrical
pathways to the cache are the shortest because the cache is mandatory. Memory, known as
RAM (Random Access Memory), is the middle ground for the computer. Cache and
memory operate at a speed of nanoseconds. Solid-state drives use memory known as "flash
memory" that is similar to RAM. However, RAM clears whenever the computer is powered
down, but SSD memory remains the same even if there is a power loss. SSDs use a grid
of electrical cells for sending and receiving data. An SSD can write to empty pages in a block;
on a hard disk, data can be written to any location on the magnetic platter at any time, i.e., data
can be overwritten easily. SSDs cannot overwrite data; an SSD must first find an empty
page in the block and write data to that empty page. When enough pages in the block are
marked as unused, the SSD will take the content of the block, commit that to the
The figure above labels the components found on an SSD, two of the most important
1. Controller: Is the SSD’s processor. The controller includes the electronics that
bridge the flash memory to the computer. It is up to the controller to decide what
2. NAND Flash Memory: This is the technology that is used by the SSD to store
The cells store data in an on (1) or off (0) state. There are three important aspects to
a. The cells can be programmed for a limited time before they start to become
evenly distributes writing on all the cells so that they can wear out evenly.
b. Flash memory cannot overwrite existing data. Old data must be erased
c. Flash memory does not do a good job at erasing your data. When you delete
something and empty the recycle bin, your information is still there.
Windows uses a command called TRIM that labels your “deleted” data as
invalid and will only get rid of the data when you write new data to the
We now have a better picture of what goes on inside these drives. Particularly with how they
Chapter 4: Methodology
This study will compare the results from both a hard disk drive and a solid-state
drive using a forensic toolkit. To begin the study, I have composed a file that contains
pictures, text documents, Word documents, PDF files and other random files. The exact same
files will be transferred to both drives. Then the files will be deleted and the drives
will both be formatted. Finally, I will analyze the drives using the Autopsy forensic
software.
Before we get into the actual study, I will discuss some features and techniques that
digital forensic investigators use in order to analyze the files on a drive. One of the most
dechipping. This technique is done by removing the flash chips from inside the drive and
imaging the chips using hardware. Although this might sound like a good solution, it is not
always the best way to go. It is unknown where the data is stored; sometimes, certain pieces
of data are scattered across various other chips. This is not the only problem with
dechipping. One of the features common in SSDs is wear leveling. This feature helps
extend the life of an SSD by evenly distributing writes across all blocks so that they
wear out evenly. This of course can become a problem for the investigator because it
One of the most common features found on SSDs is the TRIM command.
This was designed to solve the problem of the drive slowing down over time. When an SSD
deletes files, it marks the location as a deleted block. The drive acts like a chalkboard: in
order for new information to be written, the old information must first be completely gone. TRIM commands
are the final step for the files to be completely gone. But in order for the drive not to wear
out over time, this is done when the system is idle. Although this sounds like a good thing for
the average consumer, the command becomes a problem when the investigator is
extracting data from the drive, because it is possible that the potential information needed
has been deleted. If the drive activates the TRIM command before the investigator begins
analyzing it, then potentially incriminating evidence can be gone forever.
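The toy Python model below is an added example, not part of the original paper and not any vendor's firmware. It mirrors the copy-then-delete procedure of this study to show why TRIM followed by idle-time cleanup leaves nothing in flash while an HDD delete leaves the sectors intact; it also goes one step further and models a delete without TRIM. The class names, block and page counts, and sample files are assumptions made for illustration.

```python
"""Toy HDD/SSD model, constructed for illustration; not any real drive's firmware."""
FILES = {"house.jpg": "HOUSE", "cat.jpg": "CAT", "notes.txt": "NOTES"}  # sample data

class ToyHDD:
    """Magnetic disk: deleting a file only drops its file-table entry."""
    def __init__(self, sectors=8):
        self.sectors = [None] * sectors
        self.table = {}                      # file name -> sector index

    def write(self, name, data):
        idx = next(i for i in range(len(self.sectors)) if i not in self.table.values())
        self.sectors[idx] = data             # sectors are overwritten in place
        self.table[name] = idx

    def delete(self, name):
        del self.table[name]                 # the sector contents stay behind

    def residual(self):
        live = set(self.table.values())      # sectors still owned by a file
        return sorted(d for i, d in enumerate(self.sectors) if d and i not in live)

class ToySSD:
    """Flash: a page is [state, data]; written once, invalidated, erased per block."""
    def __init__(self, blocks=2, pages=4):
        self.blocks = [[["erased", None] for _ in range(pages)] for _ in range(blocks)]
        self.table = {}                      # file name -> (block, page)

    def write(self, name, data):
        if name in self.table:               # no overwrite: old copy goes stale
            b, p = self.table[name]
            self.blocks[b][p][0] = "invalid"
        b, p = next((b, p) for b, blk in enumerate(self.blocks)
                    for p, page in enumerate(blk) if page[0] == "erased")
        self.blocks[b][p] = ["valid", data]
        self.table[name] = (b, p)

    def delete(self, name, trim=True):
        b, p = self.table.pop(name)
        if trim:                             # TRIM tells the drive the page is dead
            self.blocks[b][p][0] = "invalid"

    def garbage_collect(self):
        """Idle-time cleanup: erase each block that holds invalid pages."""
        owner = {loc: name for name, loc in self.table.items()}
        for b, blk in enumerate(self.blocks):
            if any(page[0] == "invalid" for page in blk):
                keep = [(owner.get((b, p)), page[1])
                        for p, page in enumerate(blk) if page[0] == "valid"]
                self.blocks[b] = [["erased", None] for _ in blk]  # whole-block erase
                for p, (name, data) in enumerate(keep):           # rewrite survivors
                    self.blocks[b][p] = ["valid", data]
                    if name is not None:
                        self.table[name] = (b, p)

    def residual(self):
        live = set(self.table.values())      # chip-level view of unowned pages
        return sorted(page[1] for b, blk in enumerate(self.blocks)
                      for p, page in enumerate(blk) if page[1] and (b, p) not in live)

def run_experiment(drive, idle=False, **delete_args):
    """Copy the sample files, delete them, optionally let the drive sit idle."""
    for name, data in FILES.items():
        drive.write(name, data)
    for name in FILES:
        drive.delete(name, **delete_args)
    if idle:
        drive.garbage_collect()
    return drive.residual()
```

`run_experiment(ToyHDD())` returns all three payloads, while `run_experiment(ToySSD(), idle=True)` returns an empty list. Passing `trim=False` leaves the payloads in place because the model's controller never learns that the pages are stale.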
In order to conduct the study, I will need various tools in order to get the job done. I
went out to buy two drives. I purchased an external Western Digital hard disk drive with
2 terabytes. I also purchased an external Samsung solid-state drive with only 500
gigabytes. I needed to find software to analyze the data. After much research I decided to
go with AccessData’s FTK toolkit, but I didn’t take into account that I would need to
purchase a license in order to use the software. I instead went with the Autopsy forensic
In order to get the study started, I began by organizing files into one folder. The
main folder I created was named the “evidence” folder. Within that one were various other
folders that contained different subjects and different types of files. Each contains files that
are related to the name of the folder. For example, I have a folder named “theme parks” and
within that folder are various images and a text file with information pertaining to theme
Figure 5 Contents of House file
Figure 7 Contents of Cat file
After creating the files, I passed them over onto both the drives.
Immediately after transferring the data onto both drives, I went ahead and deleted the files
and formatted the drives, before I began to analyze them in the Autopsy software.
Figure 13 Permanently Deleting Files from HDD
Figure 15 Permanently Deleting from SSD
Once the files had been passed to the drives, then deleted, and the drives finally formatted, I started
the Autopsy forensic software to begin the analysis on the formatted drives. I started out by
analyzing the HDD first. When you start up Autopsy, you need to create a new case. Once
you start a new case, the software needs you to fill out some information regarding the case,
such as its name, the name of the investigator and a quick description. After that, you must
select the drive you want to analyze, and you must select from a list of modules as seen in the
figure below.
The list of modules is up to you to select. This menu is just asking you what
the software should focus on when it is analyzing the drive. As mentioned, I began by analyzing the
2TB hard disk drive, and it took about 13 hours for Autopsy to fully analyze the hard
drive. The figure below shows the screen when Autopsy is analyzing the data. As it is
analyzing the drive, the left pane contains all the information that the software picks up.
Figure 18 Autopsy Analyzing HDD
After the process was done, I immediately began to analyze the solid-state drive.
As mentioned, I deleted the files from the drive as well as formatted the drive. Then the
analysis process on the SSD began. This process took about 6 hours to complete.
Once both drives were complete, the only folder that contained information from the
analysis was a folder named unallocated. I pulled out a report from the analysis in Excel
format.
Once the software analyzed the drive, I was able to pick up the results. Autopsy
picked up the results from only one folder, and that was the unallocated folder. Upon doing
more research, I found that the unallocated folder is the folder that contains all the unrecovered deleted
files. Although it did pick up something, I was not able to make out what it picked up
exactly. The files did not keep their names; instead they were named something completely
different. Everything it picked up was named using numbers, so it is hard to make out
which files it was able to retrieve and how much of each it was able to pick up.
I set Autopsy to give me two separate reports: one from the results of the hard disk
drive and another from the solid-state drive. It was clear from the Excel spreadsheet that
Autopsy was able to dig up more information from the HDD than the SSD. The number of
files it picked up from the HDD was over 1,800 files. That is an astronomical number
compared to the 500 files it was able to pick up from the SSD.
Chapter 7: Conclusion
advancement as we have seen in the past few years within the industry, it is clear it never
stops. With the advancement happening within the technology industry, forensic
investigators must keep up with these updated devices in order to be prepared for any
challenge that comes their way. One of the challenges happening today is the rise of the
SSD.
We have discussed the methods and features that make the SSD a problem for
investigators. To investigate this further myself, I conducted a small study in which I
passed files onto a hard drive and a solid-state drive. After passing the files, I deleted them
from the drives and formatted the drives. I then used a forensic software kit, which
analyzed the folders in order to see if it picked up any of the deleted files. It was clear that
even after doing the exact same thing to each of the drives, I was able to dig up more deleted
files from the HDD than the SSD. This small study proved once again that the
self-destruction features found in an SSD are what cause forensic investigators problems
when they want to extract data from the drive. It is clear that the SSD’s self-destruction
features have contributed to the lack of data obtained in the final report. This report helped
show that the methods used by forensic investigators on HDDs do not hold good in the case
of the SSD. Forensic investigators need to come up with new methods to overcome the
self-destruction of solid-state drives.
References
Casey, E. (2009). Handbook of Digital Forensics and Investigation. Elsevier Academic Press.
Edwards, B. (2012, January 17). Evolution of the Solid-State Drive. Retrieved July 16, 2019, from PCWorld: https://www.pcworld.com/article/246617/evolution-of-the-solid-state-drive.html
Griffith, E. (2016, May 3). What Is Cloud Computing? Retrieved from PCmag: https://www.pcmag.com/article/256563/what-is-cloud-computing
Hgo, D. (2013, March 1). Digital storage basics, Part 4 SSD explained. Retrieved July 27, 2019, from CNet: https://www.cnet.com/how-to/digital-storage-basics-part-4-ssd-explained/
Sammons, J. (2012). The Basics of Digital Forensics: The Primer for Getting Started in Digital Forensics. Waltham: Elsevier. Retrieved July 25, 2019
Sammons, J. (2016). Digital Forensics: Threatscape and Best Practices. Waltham: Elsevier.
Shaikh, H. (2019). Computer Forensics: Mobile Forensics. Retrieved July 26, 2019, from INFOSEC: https://resources.infosecinstitute.com/category/computerforensics/introduction/mobile-forensics/
Wiebe, J. (2013, May 28). Forensic Insight into Solid State Drives. Retrieved from Forensic Mag: https://www.forensicmag.com/article/2013/05/forensic-insight-solid-state-drives
Woodford, C. (2019, June 1). Hard drives. Retrieved July 27, 2019, from ExplainThatStuff!