International Conference on Security and Privacy in Communication Networks. 10th International ICST Conference, SecureComm 2014, Beijing, China, September 24-26, 2014, Revised Selected Papers, Part II

Research Article

Forensic Potentials of Solid State Drives

  • @INPROCEEDINGS{10.1007/978-3-319-23802-9_11,
        author={Zubair Shah and Abdun Mahmood and Jill Slay},
        title={Forensic Potentials of Solid State Drives},
        proceedings={International Conference on Security and Privacy in Communication Networks. 10th International ICST Conference, SecureComm 2014, Beijing, China, September 24-26, 2014, Revised Selected Papers, Part II},
        proceedings_a={SECURECOMM},
        year={2015},
        month={12},
        keywords={Forensics Solid state drives SSD},
        doi={10.1007/978-3-319-23802-9_11}
    }
    
  • Zubair Shah
    Abdun Mahmood
    Jill Slay
    Year: 2015
    Forensic Potentials of Solid State Drives
    SECURECOMM
    Springer
    DOI: 10.1007/978-3-319-23802-9_11
Zubair Shah1,*, Abdun Mahmood1,*, Jill Slay1,*
  • 1: University of New South Wales
*Contact email: Zubair.Shah@student.afda.edu.au, A.Mahmood@adfa.edu.au, J.Slay@adfa.edu.au

Abstract

Extracting useful information from Solid State Drives (SSDs) is a challenging but important forensic task. However, there are opposing views [14, 15, 22] that (1) SSDs destroy forensic evidence automatically and (2) even after sanitization of SSDs, data can be recovered. This paper investigates this issue and reports experimental findings that identify the reason why certain SSDs seem to destroy forensic evidence while other SSDs do not. The experiments provide insight into, and analyses of, the behaviour of SSDs when certain software components, such as the Background Garbage Collector (BGC), and Operating System functions, such as TRIM, are executed on the SSD.