Forensic Analysis Challenges: Shifting from HDD to SDD Storage
Full text | |||
Source | Journal of Information Systems Security Volume 12, Number 3 (2016)
Pages 131–149
ISSN 1551-0123 (Print)ISSN 1551-0808 (Online) |
||
Authors | Allen Benusa — Ridgewater College, USA
Shajive Jeganathan — St. Cloud State University, USA
Mark Schmidt — St. Cloud State University, USA
|
||
Publisher | Information Institute Publishing, Washington DC, USA |
Abstract
The standard for built-in storage in personal computers (PCs) since the mid 1980’s has been the hard disk drive (HDD), also known as a “spindle drive”. HDDs have a hard disk controller that writes data to the surfaces only when the host device, typically a PC, sends specific write commands to the drive. Fast forward 30 years later to 2015 where there is now a rapid shift towards solid state drives (SSDs). Unlike spindle HHDs, SSDs have an intelligent microcontroller that performs read/write operations to the flash storage autonomously from the PC host device. Therefore even when a SSD is not receiving write commands from a PC, the flash memory controller may perform write operations. To complicate matters, the flash memory controller implements a wear leveling algorithm where data may be shuffled from memory block to memory block. The rapid change from spindle drives to SSDs pose new challenges to the forensic investigator in retrieving information. Traditional HDD forensic methods have limited use with SSDs. This paper and accompanying presentation will present the differences between HDD and SSD technologies, differences between HDD and SSD forensic methods, and where the future of mainstream storage technologies and forensic analysis are headed. We will also present results of an experiment of writing and deleting identical data to a spindle drive and a SSD and show the resulting forensic analysis.
Keywords
Digital Forensics, Solid State Drives, SSD, Hard Disk Drive, HHD, Forensic Analysis, Experiment
References
Alastair, N., Lawrence, S., & Ruff, M. (2013). A Forensic Analysis and Comparison Of Solid State Drive Data Retention With Trim Enabled File Systems. Proceedings of the 11th Australian Digital Forensics Conference. Perth, Western Australia: SRI Security Research Institute, Edith Cowan University.
Beebe, N. (2009). Digital Forensic Research: The Good, the Bad and the Unaddressed. In G. Peterson, & S. Shenoi, Advances in Digital Forensics V (pp. 17-36). IFIP.
Bell, G. B., & Boddington, R. (2010). Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery? The Journal of Digital Forensics, Security and Law: JDFSL, 5-32.
Bonetti, G., Marco, M., Alessandro, V. F., Maggi, F., & Zanero, S. (2013). A Comprehensive Black-Box Methodology for Testing the Forensic Characteristics of Solid-State Drives. Proceedings of the 29th Annual Computer Security Applications Conference (pp. 269-278). ACM Digital Library.
Bonetti, G., Viglione, M., Frossi, A., Maggi, F., & Zanero, S. (2014). Black-Box Forensic and Antiforensic Characteristics of Solid-State Drives. Journal of Computer Virology and Hacking Techniques, 255-271.
Geier, F. (2015). The Differences between SSD and HDD Technology Regarding Forensic Investigations. Comptuer Science. Linnaeus University. Retrieved from http://lnu.diva-portal.org/smash/get/diva2:824922/FULLTEXT01.pdf
Jonathan Thatcher, T. C. (2009). NAND Flash Solid State Storage for the Enterprise. Solid State Storage Initiative. SNIA.
Mellor, C. (2013, May 9). Over ONE-THIRD of PCs will have SSDs in 2017. Retrieved April 28, 2016, from The Register: http://www.theregister.co.uk/2013/05/09/ihs_on_pc_hdd_ssd_units/
Michael Wei, L. M. (2009). Reliably Erasing Data From Flash-Based Solid State Drives. University of California, San Diego, Department of Computer Science and Engineering. University of California, San Diego.
Schmidt, M. B., & Condon, M. J. (2011). Computer Forensics: Examining the Effectiveness of File Deletion. Journal of Information Systems Security, 33-49.
Yuri Gubanov, O. A. (2012, October 12). Belkasoft Research. Retrieved April 13, 2015, from Why SSD Drives Destroy Court Evidence, and What Can Be Done About It: http://forensic.belkasoft.com/en/why-ssd-destroy-court-evidence