Why are SSDs a challenge for forensic analysis?

Solid state drives (SSDs) are a type of computer storage device that stores data electronically in integrated circuits rather than magnetically, as traditional hard disk drives (HDDs) do. SSDs have no moving mechanical components, so they are more resistant to physical shock, operate silently, and offer faster access times and better reliability than HDDs. However, the same characteristics that give SSDs these benefits also pose significant challenges for forensic investigators performing analysis.

Unlike HDDs, SSDs use wear leveling algorithms that distribute writes across all cells in order to maximize lifespan, which means data is constantly being moved around. SSDs also use TRIM, garbage collection, and encryption, all of which can make data recovery and analysis difficult. The proprietary nature of SSD technology further limits the tools available and raises the level of skill required to extract forensic data. Overcoming these challenges requires specialized expertise and advances in analysis techniques.

Wear Leveling

Wear leveling is a technique used in solid state drives (SSDs) to distribute writes evenly across all the flash blocks in the drive and maximize the lifespan of the drive[1]. Because flash memory can only withstand a limited number of write/erase cycles before wearing out, wear leveling aims to avoid repeatedly writing to one block while other blocks are unused. The SSD controller transparently remaps logical block addresses to different physical locations on the drive so that writes are spread evenly across all blocks[2].

This process makes data recovery from SSDs challenging. Since logical addresses are constantly remapped to new physical locations, flash blocks no longer correspond to the expected file system layout. Locating and recovering deleted data becomes difficult because files can be fragmented and scattered across the drive. Wear leveling breaks the fixed correspondence between logical and physical addresses that traditional forensic tools and procedures rely on. Advanced techniques that work at the flash translation layer are required to overcome these challenges and successfully recover data from SSDs[3].

TRIM

The TRIM command was introduced for SSDs to help maintain performance over time. When a file is deleted on an SSD, the operating system informs the SSD which blocks of data are no longer needed via the TRIM command (Nimmala, 2020). This allows the SSD to wipe those blocks internally, making them available for future writes. Without TRIM, deleted data would still be readable on the SSD until it gets overwritten by new data, which decreases write performance over time as the SSD looks for available blocks.

TRIM poses significant challenges for forensic analysis because it actively wipes deleted data that would otherwise be recoverable (Kandala, 2019). Investigators are unable to retrieve trimmed data, even if deletion was recent. Attempts have been made to intercept the TRIM command and analyze trimmed blocks, but this is inconsistent across SSD models due to proprietary firmware differences (Acels, 2023). TRIM fundamentally changes the artifact footprint, as data that would normally be recoverable via carving signatures and block analysis is permanently wiped by the SSD controller itself.

Garbage Collection

Garbage collection is a process that SSDs use to clear out invalid pages and consolidate data. When data is deleted on an SSD, the pages that held the data are marked as invalid, but the data itself remains until it is overwritten by new data. Garbage collection periodically identifies these invalid pages, wipes them, and makes them available again for writing new data.

This garbage collection process poses a major challenge for recovering deleted data from SSDs. Unlike with traditional hard drives, when data is deleted from an SSD, the original data may be wiped out completely during garbage collection before it can be recovered. This means data recovery from SSDs needs to happen much more quickly than with HDDs, before garbage collection can occur, as highlighted by Data Recovery Ireland (https://datarecoveryireland.ie/garbage-collection-the-silent-enemy-of-data-recovery/). Once the original deleted data has been overwritten or garbage collected, it is generally unrecoverable.
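To make the three mechanisms above concrete, here is a toy flash translation layer model (an added illustration, not code from the original article or from any drive vendor): it shows why an acquisition through the host interface sees only the current logical view, why a physical NAND read can still contain stale copies left behind by wear leveling, and how TRIM followed by garbage collection erases them. The class, its methods and the sample data are all constructed.

```python
class ToySSD:
    """Constructed toy flash translation layer (FTL), not a real drive."""

    def __init__(self, n_pages=8):
        self.phys = [None] * n_pages   # physical pages; None = erased
        self.l2p = {}                  # logical block address -> physical page
        self.invalid = set()           # stale pages awaiting garbage collection

    def write(self, lba, data):
        """Out-of-place write: the previous copy stays physically present."""
        if lba in self.l2p:
            self.invalid.add(self.l2p[lba])
        # Wear leveling: take a fresh erased page instead of rewriting the old one
        page = self.phys.index(None)   # ValueError if no erased page remains
        self.phys[page] = data
        self.l2p[lba] = page

    def trim(self, lba):
        """Host TRIM: the LBA is unmapped and its page marked invalid."""
        page = self.l2p.pop(lba, None)
        if page is not None:
            self.invalid.add(page)

    def garbage_collect(self):
        """Controller erases invalid pages; their contents are gone for good."""
        for page in self.invalid:
            self.phys[page] = None
        self.invalid.clear()

    def logical_image(self):
        """What an acquisition over the host interface (SATA/NVMe) sees."""
        return {lba: self.phys[page] for lba, page in self.l2p.items()}

    def physical_dump(self):
        """What a chip-off read of the NAND would see, stale copies included."""
        return sorted(d for d in self.phys if d is not None)


def demo():
    ssd = ToySSD()
    ssd.write(0, b"draft-v1")
    ssd.write(0, b"draft-v2")     # v1 is now stale but still on the flash
    ssd.write(1, b"secret")
    ssd.trim(1)                   # file deleted; host issues TRIM for its LBA
    logical = ssd.logical_image()
    before_gc = ssd.physical_dump()
    ssd.garbage_collect()
    after_gc = ssd.physical_dump()
    return logical, before_gc, after_gc


if __name__ == "__main__":
    print(demo())
```

The logical image never shows the superseded or trimmed copies, the physical dump shows them only until garbage collection runs, which is why the timing of acquisition matters so much for SSDs.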

Encryption

SSDs often utilize encryption technologies like AES, TCG Opal and IEEE-1667 to encrypt data at rest (Security, 2021). This makes accessing the raw encrypted data very challenging without the encryption keys. According to Wiley Online (Filippo et al., 2021), hardware-based AES 256-bit encryption is commonly used in SSDs, meaning the encryption keys are stored in hardware and protected from access. Some SSDs even encrypt all data by default before writing to disk. This creates significant hurdles for forensic investigators attempting to extract readable data from encrypted SSDs without the keys.

Since the SSD controller manages encryption, investigators typically can’t bypass it or directly access the NAND flash chips to read raw data (Songchai). Attempting brute force attacks on strong encryption like AES-256 would be infeasible. So without being able to decrypt data, forensic analysis of encrypted SSDs is severely limited. Critical evidence could reside in protected areas investigators simply can’t access. Advanced tactics may be needed, like exploiting firmware vulnerabilities to extract keys from the SSD controller. But overall, built-in SSD encryption poses one of the biggest roadblocks for forensic SSD analysis.

Firmware

SSD firmware is complex proprietary code that manages all of the SSD’s core functionality like wear leveling, garbage collection, encryption, error correction, and more. This firmware is not standardized across SSD manufacturers and models, which creates challenges for forensic analysis tools and examiners (Songchai). Each firmware release can alter how data is managed on the drive in undocumented ways. The lack of visibility into SSD firmware internals means examiners can miss important artifacts or fail to account for data modification caused by background processes.

Proprietary Technology

SSD manufacturers often use proprietary technologies in their devices that can pose challenges for forensic analysis (SSD and eMMC Forensics 2016). The lack of publicly available technical details on these proprietary technologies limits the tools and techniques that forensic investigators can use. Manufacturers may use proprietary controller architectures, firmware, algorithms, or hardware components that are not well understood outside the company.

For example, SandForce controllers were previously popular in SSDs but their exact functionality was not publicly disclosed. This made it difficult to develop forensic tools to interface with those SSDs at a low level (Forensic Research on Solid State Drives using Trim Analysis). When critical components are proprietary black boxes, investigators lose insight into how data is actually stored and manipulated within the SSD.

Overall, the use of undisclosed proprietary technologies by SSD manufacturers results in fewer options for forensic examiners. They are unable to take full advantage of lower-level techniques that require intimate knowledge of how the SSD hardware and firmware operate.

Limited Tools

Most digital forensic tools have traditionally been designed for hard disk drives (HDDs) rather than solid state drives (SSDs) (Forensic HDD SSD Drive Imagers). Because SSDs work differently from HDDs at the hardware level, analysis tools optimized for HDDs may not work as effectively on SSDs. Specialized tools designed specifically for SSD forensics are needed (How to perform SSD Forensics | Part — I).

Many existing forensic software products can image and analyze HDDs but lack SSD-specific features. Dedicated SSD forensic tools are required to properly recover deleted data from SSDs. Otherwise, critical digital evidence may be overlooked or corrupted during analysis. Investing in advanced SSD forensic technologies can improve investigations involving modern storage devices.

Skills Gap

SSD forensics requires specialized expertise that most digital forensic investigators lack. As solid state drives become more prevalent, there is a shortage of qualified professionals with the proper training to conduct forensic analyses on these devices (https://www.enisa.europa.eu/events/cti-eu-event/cti-eu-event-presentations/current-skills-gap-for-capable-cti-analysts/). The skills gap for SSD forensics mirrors the larger cybersecurity skills shortage, as noted by CSO Online (https://www.csoonline.com/article/566755/why-you-need-a-digital-forensics-team-and-the-skills-to-look-for.html). Many existing digital forensics experts are trained on magnetic hard drives rather than SSDs. Performing forensic investigations on SSDs requires an advanced skillset that combines both software and hardware knowledge.

According to one expert, there is a significant shortage of trained cyber forensics professionals in some countries, especially those with rapidly growing technology sectors (https://www.linkedin.com/pulse/skill-gaps-cyber-forensics-industry-india-prof-r-s-nehra). Bridging this skills gap will require specialized training programs and certification courses focused on solid state drive forensics.

Conclusions

SSD forensic analysis faces several key challenges that make it more difficult than traditional hard drive forensics. Wear leveling, TRIM, garbage collection, encryption, proprietary firmware, and limited available tools all pose obstacles for investigators.

However, solutions are emerging to help address these problems. Better tools are being developed that understand SSD technology at a deeper level. Training opportunities can help investigators skill up on SSD forensics. And breakthrough techniques like chip-off analysis provide ways to bypass some of the onboard SSD technology protections.

While SSD forensics will likely remain more challenging than traditional hard drives, the outlook is improving. As SSDs continue to gain market share, there will be greater demand for solutions. With proper investment in research and training, investigators can develop the capabilities to handle forensic cases involving these devices.