Solid-State Drives = Reduced Forensics Costs

Posted · Add Comment
Digital Forensics, Computer Forensics, Mobile Phone Forensics, Miami, Fort Lauderdale, e-Forensics

Newer desktops and laptops are coming standard with solid-state drives (SSD). Solid-state drives are computer storage devices that differ greatly from hard disk drives (HDD), which have moving mechanical parts. Solid-state drives contain integrated circuits, similar to the architecture of USB flash drives. Although SSDs are pricier than HDDs, the advantages are numerous: 1) speed (including very fast boot-ups), 2) reliability (due to no moving parts), 3) consumes less energy, 4) makes less noise and 5) improved privacy via the “background garbage collection” (BGC) feature built into the drive.

With traditional HDDs, forensics to recover double-deleted files (documents emptied from Recycle Bin/Trash) from “unallocated space” (free area of the drive partition where double-deleted files reside until used again) is done in part with a process known as “file carving.” A basic file carving scenario consists of a sequential read of the unallocated space, and search for the beginning (or header) of a file type, i.e., Microsoft Word document, and proceeds to the end of the file (or footer). If the footer is not found, the process will stop after a predetermined maximum file size. (Carving is both an automated and manual process, which can take upwards of 80% of the time spent on finding the smoking gun document.)

Now back to the garbage: the BCG functionality in SSDs is designed to improve write performance. Background garbage collection identifies areas that contain unneeded data and erases the blocks during idle times. The process is completely controlled by the solid-state drive itself, and runs unbeknownst to the operating system. The process effectively overwrites double-deleted documents from the unallocated space, which makes basic (even advanced) file carving nowhere near as fruitful as if done on a HDD.

We have file-carved the unallocated space of hard disk drives in many contentious cases, which resulted in a substantial portion of the forensics examination costs. Had those been solid-state drives – well, you get the picture.

For additional information contact e-forensics at our website or call (305) 667-4603.