SSD Forensic

What is the impact of SSDs on computer forensics?


 




Well, it turns out that the quite different mechanisms used to write and store information on SSDs have a number of implications for computer forensics. There is an increasing amount of information on this issue in the press and in publications; unfortunately, a large proportion of it is based on wrong information and outdated test results. Let's present the characteristics of Solid State Drives and then analyze their impact on the effective erasure and recovery of data.


Characteristics of solid state media:


I will describe three main characteristics of SSD media that affect digital forensics.


Writing and storing data on SSD.


One group of issues is connected with a characteristic of semiconductor memory cells: their bits can be changed only a specified number of times, after which the cell wears out, leading to cell damage and loss of reliability of the data stored in it. Older generations of SSDs often had an endurance of only 10,000 cycles. This was a frequently raised argument against SSDs. In later generations this value was improved to approximately 100,000 cycles, which was still an order of magnitude less than the endurance of magnetic media. In the latest SSDs, endurance is from 1 to 10 million cycles. This means that the latest Solid State Drives can sometimes even be considered more durable than magnetic media. On the other hand, some research indicates that new SSDs made with smaller gate technology are much more sensitive to this issue.
It is worth noting that the wear process is not a threat to the integrity of data stored on the media. The data read from memory cells is verified by algorithms that detect and correct read errors. When the controller determines that a cell does not reliably store bits of information, the data is transferred to another location on the media. The entire process is executed at the controller level.


A more important issue is that data on SSDs is physically written in pages (typically 4 KB) and erased in blocks (typically 64-256 pages), and during this process multiple copies of the data are generated.
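The following toy model is an added example, not code from any real controller. It shows why page-sized writes combined with block-sized erases leave several old versions of the same logical sector in the raw flash until a whole block is erased. The class `ToyFlash`, its methods and the 4-page block size are assumptions chosen to keep the model small.

```python
# Toy flash translation layer (illustrative model, not a real controller's algorithm).
PAGES_PER_BLOCK = 4   # assumption for the demo; real drives: typically 64-256 pages

class ToyFlash:
    def __init__(self, blocks):
        # Each physical page is None (erased) or a tuple (lpn, data, valid).
        self.pages = [None] * (blocks * PAGES_PER_BLOCK)
        self.map = {}  # logical page number -> physical page index

    def write(self, lpn, data):
        # A page cannot be overwritten in place: take the next erased page.
        ppn = self.pages.index(None)  # ValueError if no erased page is left
        if lpn in self.map:
            old = self.map[lpn]
            old_lpn, old_data, _ = self.pages[old]
            # The old version is only marked stale; its bits stay in the chip.
            self.pages[old] = (old_lpn, old_data, False)
        self.pages[ppn] = (lpn, data, True)
        self.map[lpn] = ppn

    def raw_copies(self, lpn):
        """All versions of a logical page still present in the raw flash."""
        return [p[1] for p in self.pages if p is not None and p[0] == lpn]

    def reclaim(self):
        """Erase every block that holds only stale pages; return blocks erased."""
        erased = 0
        for b in range(0, len(self.pages), PAGES_PER_BLOCK):
            block = self.pages[b:b + PAGES_PER_BLOCK]
            if all(p is not None and not p[2] for p in block):
                self.pages[b:b + PAGES_PER_BLOCK] = [None] * PAGES_PER_BLOCK
                erased += 1
        return erased

def demo():
    flash = ToyFlash(blocks=3)
    for version in range(5):  # the host rewrites the same "sector" five times
        flash.write(0, f"secret-v{version}")
    before = flash.raw_copies(0)  # five versions coexist in the raw pages
    erased = flash.reclaim()      # only the fully stale block can be erased
    after = flash.raw_copies(0)   # the old versions are gone for good
    return before, erased, after

if __name__ == "__main__":
    print(demo())
```
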


Garbage Collector


The Garbage Collector is a mechanism used in current SSD controllers that definitely improves write speed by zeroing unused pages in advance.


This is necessary because, although an SSD read or write takes very little time (about 0.01-0.1 microseconds), pages must be wiped before they are written, and this takes around 10 milliseconds, which slows down the entire SSD. This is why the Garbage Collector was created: a mechanism that is supposed to wipe unused parts of the media in preparation for data writes. The latest generation of controllers can take information on unused disk sectors directly from the operating system and NTFS. This has, however, far-reaching implications for computer forensics. The Garbage Collector runs independently of the operating system. About 150 seconds after the disk is plugged in, it begins to erase the disk sectors marked by NTFS. So there is a danger that this mechanism will delete content from the media even while a forensic copy is being made, even in the lab.
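One way an examiner can detect this effect is to read the evidence twice and compare the two passes chunk by chunk. The sketch below is an added example, not a procedure taken from the article or the cited papers; the function name `compare_passes` and the sample data are constructed for illustration, and the 4 KB chunk size simply follows the page size mentioned above.

```python
import hashlib
import io

CHUNK = 4096  # compare at the 4 KB page size the article mentions

def compare_passes(first, second, chunk=CHUNK):
    """Compare two reads of the same device, chunk by chunk.

    first and second are binary file objects (two image files, or an image
    and the device itself). Returns (sha256 of pass 1, sha256 of pass 2,
    list of (offset, kind) for every chunk that differs).
    """
    h1, h2 = hashlib.sha256(), hashlib.sha256()
    changed, offset = [], 0
    while True:
        a, b = first.read(chunk), second.read(chunk)
        if not a and not b:
            break
        h1.update(a)
        h2.update(b)
        if a != b:
            # A chunk that held data in pass 1 and reads as all zeros in
            # pass 2 is what background wiping by the controller looks like.
            zeroed = any(a) and not any(b)
            changed.append((offset, "zeroed" if zeroed else "modified"))
        offset += chunk
    return h1.hexdigest(), h2.hexdigest(), changed

def demo():
    # Constructed sample: four chunks; the third holds remnants of a
    # deleted file in pass 1 and has been wiped by the time of pass 2.
    remnant = b"deleted-file".ljust(CHUNK, b"x")
    pass1 = b"A" * CHUNK + b"B" * CHUNK + remnant + b"\0" * CHUNK
    pass2 = pass1[:2 * CHUNK] + b"\0" * CHUNK + pass1[3 * CHUNK:]
    return compare_passes(io.BytesIO(pass1), io.BytesIO(pass2))

if __name__ == "__main__":
    digest1, digest2, changed = demo()
    print(digest1 == digest2, changed)
```

Differing whole-image hashes alone only say that something changed; the per-chunk list shows where, and whether the change is consistent with wiping rather than a read error.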


SSD Encryption and Compression


A feature recently introduced in SSD controllers is compression and encryption of data by the controller before it is saved to the disk. Using compression increases write speed by an average of about 25% compared with writing without compression. Of course, the speed gain depends on the type of data; for already compressed files no increase will occur. The second mechanism is encrypting data before writing it to the cells. This has two uses. First, it improves security, because it becomes difficult to read the data without the controller. The second use is a simplified way to erase an entire SSD: rather than wiping the entire media, deleting the encryption key should make the data unrecoverable.


Conclusions and current research papers


The two main papers on the topic of SSD forensics are:

  1. Wei, Michael, and Laura Grupp. "Reliably Erasing Data from Flash-Based Solid State Drives." 2011.

  2. Bell, Graeme B., and Richard Boddington. "Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery?" Journal of Digital Forensics, Security and Law, 2011.


Both works are "must reads" for computer investigators who deal with SSDs. It should be said, however, that both papers are a bit outdated because they do not handle the encryption and compression issue well. It is highly probable that the use of these two techniques will prevent any data recovery from SSDs, because attempting to read from the memory chips without the controller will not be successful.


The impact of SSDs on forensics looks more and more interesting, and I believe it will change digital forensic approaches and procedures in the near future…


 

