As we discussed in our last article, the science of digital forensics is always on the move. As time progresses, so does the technology that drives our digital world. As a result, digital forensics professionals are continually upgrading their skills to keep pace with a constantly evolving digital landscape.
One component that has changed significantly over the past decade is computer storage. Whereas traditional hard drives (HDs) were once the standard, today’s computers will likely ship with solid-state drives (SSDs).
Traditional hard drives rely on rotating magnetic platters in which bits of data are read and written by physically repositioning a read/write head. Solid-state drives have no moving parts; they are silicon-based chips that use electrons for storage. The technology that enables SSDs is nearly identical to the technology found in flash memory cards and USB drives. SSDs offer the advantages of a reduced footprint, lightning-fast response times, and lower power consumption.
As digital forensics investigations shift to include more and more SSD devices, it is clear that recovering data from SSDs can be a bit more challenging. Let’s discuss why.
On a traditional hard drive, files remain in place even after being “deleted.” In fact, the act of deleting a file only results in the removal of an index pointer that keeps track of the file location. The underlying data will remain in place indefinitely, only destroyed when it is overwritten as space is needed.
SSDs operate similarly, with files being “deleted” when their index pointer is removed. The big difference between HDs and SSDs is that SSDs can only store new data in write-ready blocks that are cleared of all data.
Let’s use this analogy: writing to a hard drive is like painting, where new data can simply be painted over the old. An SSD operates more like a chalkboard: old data must be erased before new data can be written.
On solid-state drives, this clean-up will happen periodically with processes known as “garbage collection” and “TRIM.” If this data clearing occurs soon after a file is marked deleted, investigators can be prevented from recovering data.
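The difference described above, as an added example that is not part of the original article: a simplified toy model (the `ToyDrive` class, block size, and file contents are all constructed for illustration) in which deletion removes only the index pointer, and signature-based carving still finds the deleted file until the SSD's clean-up erases the stale blocks.

```python
# Toy model, constructed for illustration: not a real drive or forensic tool.
BLOCK = 16                  # bytes per block in this model
JPEG_SIG = b"\xff\xd8\xff"  # JPEG start-of-image marker, a common carving signature

class ToyDrive:
    def __init__(self, blocks, trim):
        self.media = bytearray(blocks * BLOCK)  # raw storage an examiner would image
        self.index = {}                         # file name -> block numbers (the "index pointer")
        self.stale = set()                      # blocks TRIM has marked as no longer needed
        self.trim = trim                        # True models an SSD with TRIM, False an HD

    def write(self, name, data):
        used = {b for blks in self.index.values() for b in blks}
        need = -(-len(data) // BLOCK)           # ceiling division
        free = [b for b in range(len(self.media) // BLOCK) if b not in used][:need]
        for i, b in enumerate(free):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.media[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.index[name] = free

    def delete(self, name):
        # Deletion removes only the index pointer; the data itself is untouched.
        blocks = self.index.pop(name)
        if self.trim:
            self.stale.update(blocks)

    def garbage_collect(self):
        # SSD clean-up: erase stale blocks so they become write-ready.
        for b in self.stale:
            self.media[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)
        self.stale.clear()

def carve(drive, signature=JPEG_SIG):
    """Return every offset in the raw media where the signature is found."""
    offsets, pos = [], drive.media.find(signature)
    while pos != -1:
        offsets.append(pos)
        pos = drive.media.find(signature, pos + 1)
    return offsets

def scenario(trim, run_gc):
    """Write two files, delete the photo, optionally run clean-up, then carve."""
    drive = ToyDrive(blocks=8, trim=trim)
    drive.write("report.txt", b"quarterly numbers")
    drive.write("photo.jpg", JPEG_SIG + b"\xe0 constructed sample image bytes")
    drive.delete("photo.jpg")
    if run_gc:
        drive.garbage_collect()
    return carve(drive)
```

Calling `scenario(False, False)`, `scenario(True, False)` and `scenario(True, True)` returns the carving hits for a hard drive, an SSD before clean-up, and an SSD after clean-up.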
There are additional challenges: SSDs have a limited number of times that memory cells can be written and read. To help distribute the load better, SSDs have sophisticated “wear leveling” algorithms that optimize space utilization. This results in memory management that distributes data seemingly randomly on the chips. Even high-tech “dechipping,” a forensic technique that reads information directly from a memory chip, is rarely successful because the aforementioned wear leveling algorithms scatter data across different memory blocks. (We are not even going to get into the encryption that protects the data on SSD chips!)
At this point, you might be wondering: do all these challenges prevent the collection of data from SSDs? Absolutely not!
Digital forensics professionals have an ever-evolving arsenal of sophisticated recovery tools and processes that help them secure data from a variety of sources. Sure, there are some limitations inherent in recovering deleted data from an SSD, but there are still a multitude of methods that can be used.
However, we do urge you to call your digital forensics professional as soon as you suspect you need to recover data from any digital device. The sooner you can start a forensic examination, the better the chance for data recovery! (But even if you delay, you might be amazed at what can still be recovered. See this article on file carving!)
As always, please contact Data Narro if you have any questions about digital forensics, e-discovery, or data recovery!
Note: The basis of this article was taken from our latest e-book, “The 2019 Attorney’s Guide to Digital Forensics.” To learn more about the latest advances in digital forensics, download this complimentary field guide.