“If there is anyone who has challenged Locard’s principle of exchange from a digital forensics point of view, it is the Solid State Devices (SSDs)”
Maintaining the integrity of SSD evidence is difficult because of garbage collection, secure delete, wear leveling and data remapping: the hash value of the evidence changes with time, which makes it hard for the forensic investigator to make the digital evidence tenable in a court of law. First, it is recommended that individual file hashes be taken along with the hash of the digital evidence as a whole. Second, after due permission from the court, the SSD controller chip should be disassociated from the memory storage to prevent the TRIM command from executing. These changes are to be endorsed in the ‘Chain of Custody’ form.
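The first recommendation, recording individual file hashes alongside the whole-evidence hash, can be illustrated with a toy model (an added example, not part of the original article). The 8-sector image, the file names and the `simulate_trim_gc` erasure model are constructed assumptions; the point is that background erasure of unallocated space changes the whole-evidence hash while each allocated file still verifies.

```python
import hashlib

SECTOR = 512  # sector size of the constructed toy image

def sha256(data):
    return hashlib.sha256(bytes(data)).hexdigest()

def build_image():
    """Constructed 8-sector 'drive': two live files plus remnants of deleted data."""
    image = bytearray(8 * SECTOR)
    files = {"invoice.txt": (0, 2), "photo.jpg": (4, 1)}  # name -> (first sector, count)
    image[0:2 * SECTOR] = b"I" * (2 * SECTOR)
    image[4 * SECTOR:5 * SECTOR] = b"P" * SECTOR
    for s in (2, 3, 5, 6, 7):  # unallocated sectors still holding old data
        image[s * SECTOR:(s + 1) * SECTOR] = b"D" * SECTOR
    return image, files

def acquire(image, files):
    """Record the whole-evidence hash and one hash per allocated file."""
    per_file = {name: sha256(image[start * SECTOR:(start + count) * SECTOR])
                for name, (start, count) in files.items()}
    return {"device": sha256(image), "files": per_file}

def simulate_trim_gc(image, files):
    """Simplified model: the controller erases every sector no live file uses."""
    live = {s for start, count in files.values() for s in range(start, start + count)}
    for s in range(len(image) // SECTOR):
        if s not in live:
            image[s * SECTOR:(s + 1) * SECTOR] = bytes(SECTOR)

def compare(before, after):
    """Report what can still be verified against the seizure-time manifest."""
    same = [n for n, h in before["files"].items() if after["files"].get(n) == h]
    return {"device_hash_matches": before["device"] == after["device"],
            "files_verified": sorted(same),
            "files_changed": sorted(set(before["files"]) - set(same))}

def demo():
    image, files = build_image()
    at_seizure = acquire(image, files)
    simulate_trim_gc(image, files)   # background erasure between the two acquisitions
    at_examination = acquire(image, files)
    return compare(at_seizure, at_examination)

if __name__ == "__main__":
    print(demo())
```

In this model the device-level hash no longer matches, yet both file hashes do, which is the kind of per-file record that can be entered next to the whole-evidence hash on the Chain of Custody form.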
Gone are the days when a cyber forensic investigator could claim that if something was ever present in the digital evidence, he would reproduce it. Erasing one’s tracks in the digital world has become much easier, as the perpetrator needs no technical acumen, just the common sense to replace the existing storage media of the weapon (laptop, mobile phone or other computing device) with SSDs. When D-day arrives, the perpetrator only has to pull the trigger of this weapon by issuing the ‘delete’ command. That’s all.
One of the best definitions of digital forensics was given at the Digital Forensics Research Conference (DFRWS) in 2001. It stated: “Digital Forensics is use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations”.
Solid State Devices
To begin with, solid-state refers to electronic components, devices and systems based on semiconductors, in which the electrons or other charge carriers are confined entirely within the solid material. In a solid-state component, the current is confined to solid elements and compounds meant specifically to switch and amplify it. Shifting the focus to storage drives, SSDs are gaining a foothold at a very fast pace in the various state-of-the-art gadgets. Hard Disk Drives (HDDs) are being replaced by the new entrant in all computing devices, such as laptops, desktops and mobile phones. Other storage media, such as flash drives and secondary storage media, have also shifted to this new technology. Some advantages of having an SSD in place of an HDD are no moving parts, lower access time, reliability and energy savings.
SSDs have introduced dramatic changes to the principles of digital forensics. To begin with, identifying an SSD as digital evidence is itself turning out to be a challenge. SSDs are used everywhere: mobile phones, digital cameras, laptop and desktop storage media, USB drives, etc. Once digital evidence comes in for cyber forensic investigation, the investigator should be able to identify it as an SSD, or he may lose out on integrity, because various technical issues cause the hash value of the evidence to change. The court has to be told of the various technical hurdles faced during SSD forensics and the reasons for the change in hash values.
M.2: Evolution of Sleek and Lighter SATA SSDs. First-generation SSD drives were available as 2.5″ disks, which was a limitation when making ultra-portable devices. The solution to this problem was the M.2 form factor. Devices conforming to the M.2 form factor can use Serial Advanced Technology Attachment (SATA), Peripheral Component Interconnect – Express (PCI-E) or USB 3.0 connectivity. M.2 devices require a standard PCI-E connector. While most M.2 SSD drives conform to the AHCI specification, supporting all the features of their full-size counterparts and being recognized by the OS as a standard SATA SSD, some models conform to the newer Non Volatile Memory Express (NVMe) specification, which requires a different driver stack. An M.2 SSD drive can be Legacy SATA, PCI-E using Advanced Host Controller Interface (AHCI) or PCI-E using NVMe.
PCI Express (PCI-E) SSDs. PCI-E, or PCI Express, is a physical connectivity standard. PCI-E SSD drives are available in a wide range of form factors including full-size desktop expansion boards, M.2, proprietary and soldered portable storage solutions. PCI-E SSDs can use AHCI or NVMe for interfacing.
On a logical level, PCI-E SSD drives can work via the AHCI or NVMe interface. In general, the following compatibility matrix applies to PCI-E:
- Mac OS X: The TRIM command is supported on all Apple devices with factory-installed PCI-E SSD drives.
- MacBook with Windows: Proprietary PCI-E SSD drives are used in Apple MacBooks. Windows is installed as dual-boot or as an independent operating system. In these configurations, TRIM pass-through is supported where applicable.
- Windows: TRIM support for PCI-E drives depends on the Windows version and the presence of the correct driver. In Windows 7, TRIM is not supported on PCI-E drives regardless of the drivers, even if the PCI-E SSD would accept the command. In Windows 8, 8.1 and 10, TRIM is supported with native Microsoft drivers. Trimming on NVMe-based PCI-E SSDs is also supported.
NVM Express (NVMe) SSDs. NVMe is a modern logical interface specification that replaces the old AHCI. NVMe is employed in certain high-end PCI-E SSD models in various form factors. The Apple MacBook 2015 uses an NVMe interface on a proprietary SSD drive soldered to the motherboard. NVMe is still fairly new, with some motherboards failing to recognize NVMe storage as bootable devices. Similar to SATA SSD drives, which exist as 2.5″ drives and as slim M.2 boards, NVM Express devices are also available as full-size PCI Express expansion cards, laptop-size boards and 2.5″ drives that look similar to SATA SSD drives, only utilizing a PCI Express interface through the U.2 connector instead of a SATA port.
Exploring SSDs. A picture speaks better than words. NOR flash and NAND flash are the components of an SSD. SSDs have limited erase-write cycles, and the read accuracy decreases after a certain number of reads.