Digital forensics is basically the process of collecting and analysing data from different digital devices for the purpose of obtaining evidence. It plays a very crucial role while establishing facts during an investigation. One of the biggest challenges faced by digital investigators these days is SSDs.
SSD stands for Solid-State Drives and it is one of the alternatives to the traditional hard disk drives. As we all are seeing that these SSDs are becoming popular day by day and they are predominantly being used as storage devices. Now, these drives use flash memory to store data and today most digital devices like laptops and phones use SSDs. The mechanism and architecture of the solid-state drives are very different from that of traditional hard drives. The architecture of the hard drive involved platters that are coated with a layer of magnetic material. It also consists of reading and writing heads which are used to access the data stored in the hard drive. The solid-state drive does not consist of any such moving read or write head. In SSDs the data is stored with the floating gate transistors. This is the reason why solid-state drives are faster than traditional hard drives.
The problem with these drives is that it is very difficult to recover data from an SSD and this fact adversely affects digital investigations. It becomes really hard for the digital fornicators to accumulate evidence from the SSDs while maintaining the integrity of the device.
Unlike the traditional hard drives which are used to keep the deleted data in an unused sector, the solid-state drives completely wipe off the data which makes it impossible to recover the deleted data. This is because of the three major key features of solid-state drives. These are the TRIM functionality, the garbage collection and wear levelling.
The TRIM functionality basically deletes the data which is invalid and ensures that the new data is written in a very easy and fast manner. With the help of the TRIM command, the operating system tells the solid-state drive about the data blocks which are no longer required and shall be deleted. Whenever the user gives a delete command, the TRIM command instantly marks the blocks where those deleted files were stored as unrequired.
Another feature called garbage collection is interrelated to the TRIM functionality feature. It is a process that focuses on space optimization and better efficiency. The objective is to maintain as many empty blocks as possible so that when there is a need to write data, it could be done without waiting for the previous data to be deleted. The blocks which the TRIM marks as deleted and no longer required are then instantly wiped off. Consequently, whenever the operating system tries writing new data in that block, the process becomes faster and smoother as now there is no need for the operating system to wait and first delete the previous data.
Wear levelling is another very important feature of solid-state drives. It evenly distributes the data onto the whole memory. It basically keeps a check on how many times the flash memory chips have been used for writing data and accordingly it stores the new data on those blocks which have been less used. In this way by virtue of the wear levelling technique, all the cells in the SSD receive an equal number of writes ultimately resulting in an increased lifetime of the solid-state drive. This process involves the internal moving of data among several areas of the memory in the drive itself. This results in a change of the hash value. This acts as a big challenge for digital investigators. Therefore there is a need to develop such a digital forensic technique that is able to deal with this issue and is able to extract the evidence without tampering with it.
To know more, stay connected with us: www.worldcybersecurities.com
Insightful. These techniques needs to develope so that the investigators would be able to extract evidences without tampering it.
ReplyDelete