SSD Firmware Destroys Digital Evidence
Tuesday, 01 March 2011 21:23 | Written by TechWorld
A technology built into many new solid state drives (SSDs) to improve their storage efficiency could inadvertently be making forensic analysis at a later date by police forces and intelligence agencies almost impossible to carry out to legally safe standards, researchers have discovered.
The detailed findings contained in Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Discovery? by Graeme B. Bell and Richard Boddington of Murdoch University in Perth, Australia, will make unsettling reading for professionals in the digital forensics field and beyond.
After conducting a series of experiments comparing a sample Corsair 64GB SSD with a conventional Hitachi 80GB magnetic hard drive (HDD), the team found a layer cake of data recovery problems caused by the ‘garbage collection’ or purging algorithms used in SSDs to keep them at peak performance.
After examining an SSD for traces of data after it had been quick formatted, the team expected the purging routines to kick in around 30-60 minutes later, a process that must happen on SSDs before new data can be written to those blocks. To their surprise, this happened in only three minutes, after which only 1,064 out of 316,666 evidence files were recoverable from the drive.
Research: Robert Cazares