ABSTRACT
Digital evidence is increasingly relied upon in computer forensic examinations a nd legal proceedings in the
modern courtroom. The primary storage technology used for digital information has remained constant over the
last two decades, in the form of the magnetic disc. Consequently, investigative, forensic, and judicial
procedures are well-established for magnetic disc storage devices (Carrier, 2005). However, a paradigm shift
has taken place in technology storage and complex, transistor-based devices for primary storage are now
increasingly common. Most people are aware of the transition from portable magnetic floppy discs to portable
USB transistor flash devices, yet the transition from magnet ic hard drives to solid-state drives inside modern
computers has so far attracted very little attention from the research community.
Here we show that it is imprudent and potentially reckless to rely on existing evidence collection processes and
procedures, and we demonstrate that conventional assumptions about the behaviour of storage media are no
longer valid. In particular, we demonstrate that modern storage devices can operate under their own volition in
the absence of computer instructions. Such operations are highly destructive of traditionally recoverable data.
This can contaminate evidence; can obfuscate and make validation of digital eviden ce reports difficult; can
complicate the process of live and dead analysis recovery; and can complicate and frustrate the post recovery
forensic analysis.
Our experimental findings demonstrate that solid-state drives (SSDs) have the capacity to destroy evidence
catastrophically under their own volition, in the absence of specific in structions to do so from a computer.
Keywords: digital evidence, digital forensic analysis, self -contamination, solid-state drive, SSD, garbage
collection, write-blocker
Download your Reports for Solid State Drive
Advertisement