Solid State Drive Forensics: Where Do We Stand?

Vieyra, John; Scanlon, Mark; Le-Khac, Nhien-An

Publication Date:  December 2019

Publication Name:  Digital Forensics and Cyber Crime. ICDF2C 2018

Abstract:   With Solid State Drives (SSDs) becoming more and more prevalent in personal computers, some have suggested that the playing field has changed when it comes to a forensic analysis. Inside the SSD, data movement events occur without any user input. Recent research has suggested that SSDs can no longer be managed in the same manner when performing digital forensic examinations. In performing forensics analysis of SSDs, the events that take place in the background need to be understood and documented by the forensic investigator. These behind the scene processes cannot be stopped with traditional disk write blockers and have now become an acceptable consequence when performing forensic analysis. In this paper, we aim to provide some clear guidance as to what precisely is happening in the background of SSDs during their operation and investigation and also study forensic methods to extract artefacts from SSD under different conditions in terms of volume of data, powered effect, etc. In addition, we evaluate our approach with several experiments across various use-case scenarios.

BibTeX Entry:


@incollection{vieyra2019ssdforensics,
author = {Vieyra, John and Scanlon, Mark and Le-Khac, Nhien-An},
editor = {Scanlon, Mark and Breitinger, Frank},
title = {{Solid State Drive Forensics: Where Do We Stand?}},
booktitle = {Digital Forensics and Cyber Crime. ICDF2C 2018},
year = "2019",
publisher = {Springer},
isbn = {978-3-319-73697-6},
series = {Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering},
abstract = {With Solid State Drives (SSDs) becoming more and more prevalent in personal computers, some have suggested that the playing field has changed when it comes to a forensic analysis. Inside the SSD, data movement events occur without any user input. Recent research has suggested that SSDs can no longer be managed in the same manner when performing digital forensic examinations. In performing forensics analysis of SSDs, the events that take place in the background need to be understood and documented by the forensic investigator. These behind the scene processes cannot be stopped with traditional disk write blockers and have now become an acceptable consequence when performing forensic analysis. In this paper, we aim to provide some clear guidance as to what precisely is happening in the background of SSDs during their operation and investigation and also study forensic methods to extract artefacts from SSD under different conditions in terms of volume of data, powered effect, etc. In addition, we evaluate our approach with several experiments across various use-case scenarios.},
}