Solid State Drive Forensics: Where Do We Stand?
Vieyra, John
Publication Date: December 2019
Publication Name: Digital Forensics and Cyber Crime
Abstract: With Solid State Drives (SSDs) becoming more and more prevalent in personal computers, some have suggested that the playing field has changed when it comes to a forensic analysis. Inside the SSD, data movement events occur without any user input. Recent research has suggested that SSDs can no longer be managed in the same manner when performing digital forensic examinations. In performing forensics analysis of SSDs, the events that take place in the background need to be understood and documented by the forensic investigator. These behind the scene processes cannot be stopped with traditional disk write blockers and have now become an acceptable consequence when performing forensic analysis. In this paper, we aim to provide some clear guidance as to what precisely is happening in the background of SSDs during their operation and investigation and also study forensic methods to extract artefacts from SSD under different conditions in terms of volume of data, powered effect, etc. In addition, we evaluate our approach with several experiments across various use-case scenarios.
Download Paper:
BibTeX Entry:
@incollection{vieyra2019ssdforensics,
author="Vieyra, John
and Scanlon, Mark
and Le-Khac, Nhien-An",
editor="Breitinger, Frank
and Baggili, Ibrahim ",
title="Solid State Drive Forensics: Where Do We Stand?",
booktitle="Digital Forensics and Cyber Crime",
year=2019,
publisher="Springer International Publishing",
address="Cham",
pages="149--164",
abstract="With Solid State Drives (SSDs) becoming more and more prevalent in personal computers, some have suggested that the playing field has changed when it comes to a forensic analysis. Inside the SSD, data movement events occur without any user input. Recent research has suggested that SSDs can no longer be managed in the same manner when performing digital forensic examinations. In performing forensics analysis of SSDs, the events that take place in the background need to be understood and documented by the forensic investigator. These behind the scene processes cannot be stopped with traditional disk write blockers and have now become an acceptable consequence when performing forensic analysis. In this paper, we aim to provide some clear guidance as to what precisely is happening in the background of SSDs during their operation and investigation and also study forensic methods to extract artefacts from SSD under different conditions in terms of volume of data, powered effect, etc. In addition, we evaluate our approach with several experiments across various use-case scenarios.",
isbn="978-3-030-05487-8"
}