SSD Evidence Issues
Fri, 06/27/2014 - 8:55am
Solid-state drives represent a new storage technology. They operate much faster compared to traditional hard drives. SSD drives employ a completely different way of storing information internally, which makes it much easier to destroy information and much more difficult to recover it.
The culprit here is the TRIM command. Used to release space advertised as available by the operating system, the TRIM command effectively zeroes information as soon as it’s marked as deleted by the operating system. Write-blocking devices do not prevent the effect of the TRIM command. An experiment conducted by American researchers demonstrated that a TRIM-enabled SSD completely wiped all deleted information in less than three minutes.
Traditional forensic methods fail when attempting to recover information deleted from SSD drives, or trying to recover anything from an SSD drive formatted with either a quick or full format. However, there are exceptions (and exceptions to exceptions).
Information may still be available if the TRIM command was not issued. This can happen if at least one of the many components involved does not support TRIM. The components include: the version of the operating system (Windows Vista and Windows 7 support TRIM, while Windows XP and earlier versions typically don’t); the communication interface (SATA and eSATA support TRIM, while external enclosures connected via USB, LAN, or FireWire don’t); and the file system (Windows supports TRIM on NTFS volumes but not on FAT-formatted disks; Linux, on the other hand, supports TRIM on all types of volumes, including those formatted with FAT).
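The component chain described above can be checked on a live Linux host during triage. The following is an added example, not code from the original article: it reads the kernel's sysfs attributes `queue/rotational` and `queue/discard_max_bytes` for each disk and looks for the `discard` mount option in `/proc/mounts`. The function names are hypothetical.

```python
#!/usr/bin/env python3
"""Report which block devices on a live Linux host are exposed to TRIM (discard)."""
from pathlib import Path


def read_int(path):
    """Read an integer sysfs attribute; None if missing or unreadable."""
    try:
        return int(Path(path).read_text().strip())
    except (OSError, ValueError):
        return None


def discard_mounts(mounts_text):
    """Device names (without /dev/) mounted with an online-discard option."""
    found = set()
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith("/dev/"):
            continue  # skips tmpfs, proc and other non-device mounts
        opts = fields[3].split(",")
        if any(o == "discard" or o.startswith("discard=") for o in opts):
            found.add(fields[0][len("/dev/"):])
    return found


def trim_exposure(sys_block, mounts_text):
    """Map each disk to what the kernel reports about its discard path."""
    online = discard_mounts(mounts_text)
    report = {}
    for dev in sorted(Path(sys_block).iterdir()):
        # Partitions appear as subdirectories carrying a 'partition' attribute.
        names = {dev.name} | {p.name for p in dev.iterdir()
                              if (p / "partition").exists()}
        report[dev.name] = {
            "solid_state": read_int(dev / "queue" / "rotational") == 0,
            # 0 means the kernel cannot pass discard to this device, which is
            # the situation the article describes for USB enclosures.
            "discard_supported": bool(read_int(dev / "queue" / "discard_max_bytes")),
            "mounted_with_discard": sorted(names & online),
        }
    return report


if __name__ == "__main__":
    mounts = Path("/proc/mounts").read_text()
    for name, info in trim_exposure("/sys/block", mounts).items():
        print(name, info)
```

An empty `mounted_with_discard` list does not rule out TRIM: a volume trimmed periodically with `fstrim` carries no mount option, and volumes mounted through `/dev/mapper` names are not matched to their underlying disk here.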
From: Retrieving Digital Evidence Methods, Techniques, and Issues by Yuri Gubanov