Solid state drives drives are fundamentally changing the landscape of the digital forensics industry, primarily due to the manner in which they respond to the deletion of files. Previous research has demonstrated that SSDs do not always behave in an equivalent manner to magnetic hard drives, however, the scope of these differences and the conditions that lead to this behavior are still not well understood. This basic, undeniable anomaly regarding file storage and recovery begs one simple, yet critical question: can the data being mined for evidence be trusted?
This talk presents research on the forensic implications of SSDs from one of the most comprehensive studies to date. The goal of this study was to demonstrate and quantify differences across a sample pool of drives in an array of tests conducted in a controlled environment. These tests explored the variations between drive firmware, controllers, interfaces, operating systems, and TRIM state.
Further observations revealed that some drives behaved nearly identical to the control drive, while others showed that the prospects of recovering deleted data was significantly reduced. This presentation will demonstrate these differences and provide a framework to allow forensics investigators to determine the likelihood of successful deleted file recovery from an evidence bearing solid state drive.