Abstract
Solid-state drives operate on a combination of technologies that create a barrier between the physical data being written and the digital forensics investigator. This barrier prevents the application of evidence verification methods developed for magnetic disk drives because the barrier prevents the investigator from directly controlling and therefore verifying that the underlying physical data has not been manipulated. The purpose of this research is to identify a period of inactivity where the underlying physical data is not being manipulated by wear leveling or garbage collection routines such that evidence can be reliably verified with existing hashing algorithms. An experiment is conducted on Samsung drives. The limitation of this method is it does not enable the verification of deleted data and will be one size of solid-state drives. The results show that after an hour and a half, the solid-state drives examined will produce the same consistently until ten hours.
References
[1] Bell, G. B., & Boddington, R. (2010). Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery? The Journal of Digital Forensics, Security and Law, 5(3), 1–20.
[2] Burd, S. (2011). Systems architecture (6th ed.). Boston, Massachusetts: Cengage Course Technology.
[3] Carrier, B. (2005). File System Forensic Analysis. Upper Saddle River, New Jersey: Pearson Education.
[4] Volonino, L., Anzaldua, R., & Godwin, J. (2007). Computer Forensics Principles and Practices. Upper Saddle River, New Jersey: Pearson Education.
Recommended Citation
Teague, Ryne and Black, Michael
(2017)
"Evidence Verification Complications with Solid-State Drives,"
Journal of Digital Forensics, Security and Law: Vol. 12
, Article 7.
DOI: https://doi.org/10.15394/jdfsl.2017.1445
Available at:
https://commons.erau.edu/jdfsl/vol12/iss4/7