What the examiner needs to know about SSDs.
This week I go over my survival tips for imaging solid state drives (SSDs).
Solid State Drives and Computer Forensics
Here are some knowledge points and tips to help you survive a computer forensic exam involving a solid state drive (SSDs).
SSDs may be an internal hard drive on s system (i.e. laptop) or a piece of loose external media. They have no moving parts unlike magnetic storage devices.
SSDs store data a bit differently from magnetic media at the physical level. SSDs have built in controllers that perform maintenance tasks which potentially affect the evidence contained on them. If a SSD device receives power in ANY way (i.e. even with a write block attached) you run the risk of the SSD controller running a maintenance routine which could destroy certain types of data on the device. The controller runs independently from the operating system.
There are differences between these maintenance tasks between manufacturers. However, the following tasks what to expect from a high level overview:
WEAR LEVELING maintenance attempts to evenly write data across the SSD.
GARBAGE COLLECTION. SSDs writes data as Pages. A certain number of pages equals a Block. The SSD controller will look to free up Blocks by rewriting Pages to other Blocks. The process wipes the data contained in the new area before completing the rewrite.
TRIM maintenance singles out areas of the SSD no longer being used and clears the data. This effectively means unallocated space can be deleted by the SSD controller.
Issue: Pre\ Post imaging hash values may not match.
Solution: Count sectors and compare. Hash logical files and compare.
Be prepared to explain.
FTK Imager. Choose option to create CSV listing all file names, paths and associated hashes.
Zimmerman Hasher. https://ericzimmerman.github.io The software allows the user to drag-n-drop a file or folder into the user interface and quickly computes the requested hash values.
Jacksum is a free platform independent checksum utility (written entirely in JAVA) for computing and verifying (integrity check) checksums, CRC and hashes (fingerprints). It supports 58 popular hash algorithms and a lot of unique features.
Smith, Kent, Garbage Collection and TRIM in SSDs Explained, 2012
iBell, Graeme and Boddington, Richard, Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery, 2010