Solid-State Disk Behavior Underlying Digital Forensics
“.. SSDs are different. Writing a virgin cell merely requires a write cycle. Rewriting a cell requires two cycles: an erase cycle and a write cycle. The erase cycle is governed by the physics, and takes time. Performance is improved by “pre-clearing” no longer needed cells (e.g., free space on the disk) during otherwise unused device cycles.
– snip –
A recent paper from Graeme Bell and Richard Boddington of Murdoch University in Perth, Solid State Drives: The Beginning of the End for Current Practices of Digital Forensic Recovery, documented several consequences of this implementation approach with respect to standard best practices for digital forensic acquisitions. In short, the autonomous pre-clearing function rendered free space unrecoverable on short order from the time that the drive was powered-on.
– snip –
As noted by Bell and Boddington, the automatic nature of the resetting function on space determined by the controller to be unallocated has several implications for standard forensics procedures:
data in unallocated space will quickly disappear on such a device (Quick format will actually cause the drive contents to be erased on short order)
the data recorded by a forensic acquisition with a write-blocker will be inconsistent with a subsequent acquisition until the reset process has completed. The cryptographic checksums (e.g., MD-5, SHA-1) generated on successive acquisitions will thus be inconsistent ..”
“Solid-State Disk Behavior Underlying Digital Forensics”
Robert Gezelter, InfoSecIsland.com , 7 March 2011
https://www.infosecisland.com/blogview/12375-Solid-State-Disk-Behavior-Underlying-Digital-Forensics.html – last access 1 April 2011 – ( Full Article )
“Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery?”
Graeme B. Bell and Richard Boddington, 2010
Journal of Digital Forensics, Security and Law, Vol. 5(3)