I have been a digital forensic examiner for several years and have found this work to be very rewarding, yet challenging. The constant innovations in this field present unique issues for us as practitioners. Rather than focus on theoretical issues, below I discuss the issue of solid state drives.
Solid state drives are hard drives which have no moving components. Once cost-prohibitive, their rapidly declining price has made them much more prevalent. They are an improvement upon older hard drive technology: they are more resistant to physical shock, have faster read/write speeds and run quieter. The flash memory they use, however, wears out with repeated writing and erasing. For example, if a particular block of memory were continually written to and erased, that block would wear out well before the other available memory blocks. This would be a reliability concern for users. Therefore, “wear leveling” was created to spread the writing and erasing across all the available blocks of flash memory.
Wear leveling is a concern for forensic examiners for two reasons. First, examiners may get a different hash value each time they image a solid state drive. A hash value is the output of a mathematical algorithm, represented by a string of numbers and letters that is unique to a set of data, much like a digital fingerprint. Forensic examiners use hash values to verify they have an exact, bit-for-bit copy of the original data prior to analysis. The hash value of the original data and the hash value of the copy should be the same.
Second, an examiner will find it difficult to forensically recover data such as deleted files. Because of wear leveling and over-provisioning (a topic beyond the scope of this blog), the valuable data can appear at any location in the memory array instead of where it should be.
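One way to narrow down a hash mismatch between two acquisitions of the same drive, as an added example that is not from the original post: hash each image as a whole and in fixed-size blocks, then report the byte ranges that differ. The 4096-byte block size, the function names and the sample data are assumptions constructed for illustration.

```python
import hashlib
import io

BLOCK_SIZE = 4096  # assumed comparison granularity, not a property of any drive


def hash_image(stream, block_size=BLOCK_SIZE):
    """Return (whole-image SHA-256, list of per-block SHA-256 digests)."""
    whole, blocks = hashlib.sha256(), []
    while chunk := stream.read(block_size):
        whole.update(chunk)
        blocks.append(hashlib.sha256(chunk).hexdigest())
    return whole.hexdigest(), blocks


def compare_acquisitions(first, second, block_size=BLOCK_SIZE):
    """Compare two acquisitions of one drive and locate the blocks that differ."""
    hash_a, blocks_a = hash_image(first, block_size)
    hash_b, blocks_b = hash_image(second, block_size)
    differing = [i for i, (a, b) in enumerate(zip(blocks_a, blocks_b)) if a != b]
    # Blocks present in only one image (length mismatch) also count as differing.
    shorter, longer = sorted((len(blocks_a), len(blocks_b)))
    differing.extend(range(shorter, longer))
    # Merge consecutive block indexes into block-aligned (start, end) byte ranges.
    ranges = []
    for i in differing:
        start = i * block_size
        if ranges and ranges[-1][1] == start:
            ranges[-1] = (ranges[-1][0], start + block_size)
        else:
            ranges.append((start, start + block_size))
    return {"first": hash_a, "second": hash_b,
            "match": hash_a == hash_b, "changed_ranges": ranges}


def constructed_sample():
    """Constructed data: two 8-block images; the second differs in blocks 2, 3 and 6."""
    first = bytes((i * 7) % 251 for i in range(8 * BLOCK_SIZE))
    second = bytearray(first)
    second[2 * BLOCK_SIZE:4 * BLOCK_SIZE] = bytes(2 * BLOCK_SIZE)  # two blocks read back as zeros
    second[6 * BLOCK_SIZE] ^= 0xFF                                 # one byte changed in block 6
    return io.BytesIO(first), io.BytesIO(bytes(second))


if __name__ == "__main__":
    result = compare_acquisitions(*constructed_sample())
    print("match:", result["match"])
    for start, end in result["changed_ranges"]:
        print(f"differs: bytes {start}-{end - 1}")
```

Recording the differing ranges alongside both whole-image hashes lets the examiner document exactly where two acquisitions diverge instead of reporting only that the hashes do not match.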
Thankfully, research is currently underway to attempt to resolve these issues. The Department of Homeland Security’s Science and Technology Directorate, Cyber Security Division is funding researchers to address this. Several solutions have been found, but none with real-world practicality yet.