Digital forensics on an SSD

Recently I was able to listen to a guest lecturer by a chap working the digital forensics field. There were a few interesting things to come out of the lecture. They are, in no particular order:

• document and timestamp everything you do - it doesn't matter if it's written down, or you use software, but you have to show the steps you went through to reach the conclusions you're putting forward
• EnCase is an industry favourite software
• small cases can take you in surprising directions and you can go from a $40,000 fraud case and end up with a $250,000 + fraud case!
• recovering RAID arrays can be a trick - but you can image each disk and use EnCase to rebuild the array which is pretty neat!
• you can't carve an SSD to recover data like you would a HDD

That last point is the one I want to mention. On a magnetic hard disk drive (the regular type of drive people have been using) when a file is deleted, it's removed from the File Allocation Table and the computer recognises it as free space, ready to overwrite. It's relatively straightforward to then get that data back - a process I've performed dozens of times to save someone's bacon when they've deleted all their uni work (for example). But on an SSD the process is different. 

On a TRIM enabled SSD (and this is all modern SSD's) the data is removed immediately when you delete it. The OS clears the space for re-use and it's not recoverable. This applies to USB drives as well - any flash media in fact. Once a file is marked for deletion, the operating system erases it completely and then that space is available again. This keeps the SSD running fast. It makes it very hard, if not impossible to perform data carving (or recovery) on an SSD. Uh oh - that makes life harder for the digital forensic expert! 

It's amazing though - even with these kinds of hurdles to getting data out and processing it, people still make it easy to be caught. For example, using work email to talk about things people are doing wrong, or storing data on work computers that has evidence of wrong doing. There is no expectation of privacy when you use a work asset - the company owns all this stuff and all the data on it. And most companies will comply with search orders giving an investigator plenty of access to what they are looking for.

It's interesting stuff, but I don't think I'll make a career of it - getting into the business seems quite tricky and while it is a fascinating field, there is a lot of tedious combing through search hits for relevant results that, quite frankly, looks boring. Never say never though!