Solid State, Spoliation, Stochastics, Schrödinger’s Cat & Wyatt Erp

Last year, I was presenting at the Calbar Solo Summit and the issue of gleaning evidence from solid state drives (aka SSDs) came up.  From a technological standpoint, SSDs are highly efficient; from a forensics standpoint, they can be a nightmare.

The problem with being queried about this issue is that it leads to a very common answer I have to give when faced with a one-hour presentation and little time to explain: it depends.  Of course, on this blog, I’m not time-constrained.  Furthermore, I don’t re-invent the wheel when others have so elegantly explained the issue.

But, for a basic overview, let’s break down the data recording patterns into three possibilities:

  1. Random data is written to an open area.  When data is marked for deletion, it is not deleted immediately, but in the future, when a need arises to utilize that space.
  2. New data is written to an area containing existing data that is marked for deletion, thereby overwriting that data.
  3. Data marked for deletion is actually erased, then other data is written to the same area at a future time.

If you asked most people what happens when they record something on magnetic tape, most believe that there’s simply one ‘head’ that records onto the tape while simultaneously recording over anything that already exists on the tape.  Not so.

This is where “ERP” comes in.  It’s just a simple mnemonic that stands for “Erase”, “Record” and “Playback”.  There are actually three separate heads, in that order, so when the tape passes over them, the first head erases any data, then the second head records new data.  In playback mode, obviously, the other two heads are bypassed and the playback head is used.

The reason I mention it is that most people also believe that deleting data on a drive is instantaneous, when normally, as illustrated by the examples above, it is not.  However, SSDs are closest to that process through an operation called ‘self-corrosion’.  Very soon after data is marked for deletion, that data may be gone; and I mean, really gone and unrecoverable.
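
To make the three recording patterns and the self-corrosion point concrete, here is a simplified Python model, added as an illustration and not taken from the presentation or from any drive's firmware. The `Drive` class, its methods and the sample file names are all invented for the example; it compares what an examiner could still find in the raw blocks when deleted data waits to be overwritten versus when the drive erases it on its own.

```python
# Simplified model, constructed for illustration; real drives are far more complex.
class Drive:
    def __init__(self, size, erase_in_background):
        self.blocks = [None] * size   # raw contents a forensic image would capture
        self.live = [False] * size    # file-system view: is the block in use?
        self.erase_in_background = erase_in_background

    def write(self, payload):
        """Store payload in the first block not holding live data."""
        for i, in_use in enumerate(self.live):
            if not in_use:
                self.blocks[i] = payload   # pattern 2: any stale remnant is overwritten
                self.live[i] = True
                return i
        raise RuntimeError("drive full")

    def delete(self, index):
        """Pattern 1: only mark the block as deleted; the payload stays in place."""
        self.live[index] = False

    def idle(self):
        """Time passes with the drive powered on. With background erasure
        (pattern 3, the SSD case), every block marked deleted is wiped."""
        if self.erase_in_background:
            for i, in_use in enumerate(self.live):
                if not in_use:
                    self.blocks[i] = None

    def recoverable(self):
        """Deleted payloads still physically present in the raw blocks."""
        return [b for b, in_use in zip(self.blocks, self.live)
                if not in_use and b is not None]


def scenario(erase_in_background):
    """Delete two files, let the drive sit, then write a new file.
    Returns what is recoverable (after sitting idle, after the new write)."""
    drive = Drive(size=4, erase_in_background=erase_in_background)
    first = drive.write("contract_v1")
    memo = drive.write("memo")
    drive.write("invoice")
    drive.delete(first)
    drive.delete(memo)
    drive.idle()
    after_idle = drive.recoverable()
    drive.write("contract_v2")     # lands on the first reusable block
    return after_idle, drive.recoverable()
```

Calling `scenario(False)` shows both deleted files still present until new data overwrites one of them; `scenario(True)` shows nothing left to recover even before any new data is written.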

Add that to the long list of challenges faced by data forensic investigators.