Solid State Drive Forensics: Where Do We Stand?

  • John Vieyra
  • Mark ScanlonEmail author
  • Nhien-An Le-Khac
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 259)


With Solid State Drives (SSDs) becoming more and more prevalent in personal computers, some have suggested that the playing field has changed when it comes to a forensic analysis. Inside the SSD, data movement events occur without any user input. Recent research has suggested that SSDs can no longer be managed in the same manner when performing digital forensic examinations. In performing forensics analysis of SSDs, the events that take place in the background need to be understood and documented by the forensic investigator. These behind the scene processes cannot be stopped with traditional disk write blockers and have now become an acceptable consequence when performing forensic analysis. In this paper, we aim to provide some clear guidance as to what precisely is happening in the background of SSDs during their operation and investigation and also study forensic methods to extract artefacts from SSD under different conditions in terms of volume of data, powered effect, etc. In addition, we evaluate our approach with several experiments across various use-case scenarios.


SSD forensics Forensic experiments Data recovery TRIM 


  1. 1.
    Bell, B., Boddington, R.: Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery? Perth (2010)Google Scholar
  2. 2.
    Guidelines on Mobile Device Forensics, from National Institute of Science and Technology. Accessed 8 July 2017
  3. 3.
    Sheremetov, S.: Chip–off digital forensics - data recovery after deletion in flash memory. In: Techno Security and Digital Forensics Conference, Myrtle Beach (2017)Google Scholar
  4. 4.
    Gubanov, Y., Afonin, O.: Recovering evidence from SSD drives: understanding TRIM, garbage collection and exclusions, Belkasoft, Menlo Park (2014)Google Scholar
  5. 5.
  6. 6.
    SLC, MLC or TLC NAND for Solid State Drives by Speed Accessed 6 June 2017
  7. 7.
    NAND Bad Columns analysis and removal by ruSolute. Accessed 5 July 2017
  8. 8.
    Nisbit, A.: A forensic analysis and comparison of solid state drive data retention with trim enabled file systems. In: Australian Digital Forensics Conference, Auckland (2013)Google Scholar
  9. 9.
    Bednar, P., Katos, V.: SSD: New Challenges for Digital ForensicsGoogle Scholar
  10. 10.
    Shah, Z., Mahmood, A.N., Slay, J.: Forensic potentials of solid state drives. In: Tian, J., Jing, J., Srivatsa, M. (eds.) SecureComm 2014. LNICST, vol. 153, pp. 113–126. Springer, Cham (2015). Scholar
  11. 11.
    King, C., Vidas, T.: Empirical analysis of solid state disk data retention when used with contemporary operating systems. In: The Digital Forensic Research Conference DFRWS 2011 USA, New Orleans (2011)Google Scholar
  12. 12.
    tn2919_nand_101 Nand Flash commands from Micron.…/tn2919_nand_101.pdf
  13. 13.
    Guidelines on Mobile Device Forensics, from National Institute of Science and Technology. Accessed 8 July 2014
  14. 14.
    Joshi, B.R., Hubbard, R.: Forensics analysis of solid state drive (SSD). In: Proceedings of 2016 Universal Technology Management Conference, Omaha (2016)Google Scholar
  15. 15.
    Geier, F.: The differences between SSD and HDD technology regarding forensic investigations, Sweden (2015)Google Scholar

Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2019

Authors and Affiliations

  1. 1.Canada Border Services AgencyReginaCanada
  2. 2.Forensics and Security Research GroupUniversity College DublinDublinIreland

Personalised recommendations