Flash Disk Opportunity for Server Applications
Queue - Enterprise Flash Storage
Write amplification analysis in flash-based solid state drives
SYSTOR '09 Proceedings of SYSTOR 2009: The Israeli Experimental Systems Conference
Improving Flash Wear-Leveling by Proactively Moving Static Data
IEEE Transactions on Computers
Making sense of unstructured flash-memory dumps
Proceedings of the 2010 ACM Symposium on Applied Computing
Reliably erasing data from flash-based solid state drives
FAST'11 Proceedings of the 9th USENIX conference on File and stroage technologies
Data remanence in flash memory devices
CHES'05 Proceedings of the 7th international conference on Cryptographic hardware and embedded systems
Empirical analysis of solid state disk data retention when used with contemporary operating systems
Digital Investigation: The International Journal of Digital Forensics & Incident Response
GANGRENE: exploring the mortality of flash memory
HotSec'12 Proceedings of the 7th USENIX conference on Hot Topics in Security
Hi-index | 0.00 |
Solid-state drives (SSDs) are inherently different from traditional drives, as they incorporate data-optimization mechanisms to overcome their limitations (such as a limited number of program-erase cycles, or the need of blanking a block before writing). The most common optimizations are wear leveling, trimming, compression, and garbage collection, which operate transparently to the host OS and, in certain cases, even when the disks are disconnected from a computer (but still powered up). In simple words, SSD controllers are designed to hide these internals completely, rendering them inaccessible if not through direct acquisition of the memory cells. These optimizations have a significant impact on the forensic analysis of SSDs. The main cause is that memory cells could be pre-emptively blanked, whereas a traditional drive sector would need to be explicitly rewritten to physically wipe off the data. Unfortunately, the existing literature on this subject is sparse and the conclusions are seemingly contradictory. In this paper we propose a generic, practical, test-driven methodology that guides researchers and forensics analysts through a series of steps that assess the "forensic friendliness" of a SSD. Given a drive of the same brand and model of the one under analysis, our methodology produces a decision that helps an analyst to determine whether or not an expensive direct acquisition of the memory cells is worth the effort, because the extreme optimizations may have rendered the data unreadable or useless. We apply our methodology to three SSDs produced by top vendors (Samsung, Corsair, and Crucial), and provide a detailed description of how each step should be conducted.