Characteristics of the SSD forensics - Identification & Preservation. Explain in 800 words
A solid state drive (SSD) is a technology for storing data. This technology is replacing hard disk storage methods. An SSD stores data using microchips, and data can be retrieved instantly.
Characteristics of SSD:
1. Wear leveling: It is a mechanism used to avoid physical wear-out of data blocks by spreading the data evenly.
2. Read, Modify, Relocate+Write: When part of a page must be modified, the firmware first reads the entire page into a cache built into the SSD, then it modifies the blocks being written and writes the new page to a new location. The older page is marked for garbage collection.
3. Garbage collector: An SSD uses a garbage collection (GC) mechanism to improve its write speed. Write performance is improved by eliminating the need to erase before writing. The erase operation is performed in the background, during free time when the controller is not busy. GC collects data blocks that are marked as unused, erases them and reclaims them for reuse in later write operations. However, GC has implications for computer forensics. It operates independently, without the need for intervention from the operating system. About 150 seconds after power-on, GC starts erasing the garbage blocks previously marked by the file system. Therefore, there is a risk that GC may delete the content of the media even while a forensic copy is being made in the lab.
4. TRIM: TRIM is a command in modern operating systems that informs the SSD's controller that particular blocks of data are no longer required or no longer in use and should be wiped internally. In the absence of BGC, the TRIM command is an alternative way to improve the write performance of SSDs. It enables the controller to handle the garbage collection overhead in advance, which could otherwise significantly slow down future writes. For the TRIM command to work, the SSD's firmware, the operating system and the associated software must be properly configured. Usually modern operating systems such as Windows 7 have a built-in TRIM command utility that can be configured in BIOS settings. Since this command, if configured properly, completely purges the data, data recovery becomes impossible.
5. Encryption and Compression: Modern SSD controllers perform compression and encryption on data before saving it to the disk. Compression increases the speed of writing data to the SSD and also allows more data to be stored on it. Encrypting data before writing it to the SSD's cells has two advantages. First, it improves security, and second, this technique enables the controller to erase the entire SSD: rather than wiping the entire media, deleting the encryption key makes the data impossible to recover or read. So in forensic analysis, even if the data is recovered, without knowing or recovering its encryption key it is usually impossible to read the recovered data, and this may cause difficulty in the forensic analysis.
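
A toy model of the behaviour described in items 2 to 4, added here as an example that is not part of the original answer. It shows why stale data is still present on the flash until garbage collection runs, and gone afterwards. The `ToyFTL` class, its method names and the sample data are constructed for illustration; real controllers are far more complex.

```python
class ToyFTL:
    """Toy flash translation layer (hypothetical model, one page per write)."""

    def __init__(self, physical_pages):
        self.flash = [None] * physical_pages  # raw content of each physical page
        self.stale = set()                    # physical pages marked for GC
        self.l2p = {}                         # logical page -> physical page

    def _free_page(self):
        for index, content in enumerate(self.flash):
            if content is None:
                return index
        raise RuntimeError("no free page: garbage collection needed first")

    def write(self, lpn, data):
        # Read, Modify, Relocate+Write: the new version goes to a new
        # location and the older page is only marked for garbage collection.
        new = self._free_page()
        self.flash[new] = data
        if lpn in self.l2p:
            self.stale.add(self.l2p[lpn])
        self.l2p[lpn] = new

    def trim(self, lpn):
        # The OS tells the controller this logical page is no longer in use.
        if lpn in self.l2p:
            self.stale.add(self.l2p.pop(lpn))

    def garbage_collect(self):
        # Runs inside the controller, with no involvement of the host OS.
        erased = len(self.stale)
        for page in self.stale:
            self.flash[page] = None
        self.stale.clear()
        return erased

    def raw_dump(self):
        # What a chip-level read of the flash would still find.
        return [content for content in self.flash if content is not None]


def demo():
    ssd = ToyFTL(8)
    ssd.write(0, b"invoice-v1")    # constructed sample data
    ssd.write(0, b"invoice-v2")    # overwrite: old version becomes stale
    ssd.write(1, b"deleted-note")
    ssd.trim(1)                    # file deleted, TRIM issued
    before = ssd.raw_dump()        # stale pages are still on the flash
    erased = ssd.garbage_collect() # e.g. after the drive is powered on
    return before, erased, ssd.raw_dump()
```

In this model, only the time between marking a page stale and the next garbage collection pass leaves old content available, which is why powering on a seized SSD can change what a later image contains.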