A technology built into many new solid state drives (SSDs) to improve their storage efficiency could inadvertently be making forensic analysis at a later date by police forces and intelligence agencies almost impossible to carry out to legally safe standards, researchers have discovered.
The detailed findings contained in Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Discovery? by Graeme B. Bell and Richard Boddington of Murdoch University in Perth, Australia, will make unsettling reading for professionals in the digital forensics field and beyond.
After conducting a series of experiments comparing a sample Corsair 64GB SSD with a conventional Hitachi 80GB magnetic hard drive (HDD), the team found a layer cake of data recovery problems caused by the ‘garbage collection’ or purging algorithms used in SSDs to keep them at peak performance.
Going a stage further, they removed the drive from the PC and connected a ‘write blocker’, a piece of hardware designed to isolate the drive and stop any purging of its contents. Incredibly, after leaving this attached for only 20 minutes, almost 19 percent of its files had been wiped for good, a process the researchers put down the ability of SSDs to initiate certain routines independent of a computer.
For comparison, on the equivalent hard drive all data was recoverable, regardless of the time elapsed, as a forensic examiner would expect.
“Even in the absence of computer instructions, a modern solid-state storage device can permanently destroy evidence to a quite remarkable degree, during a short space of time, in a manner that a magnetic hard drive would not,” the team concludes.
The results are concerning on a number of levels, forensic, legal and technical.