Similarity Report ID: oid:30110:17652743

PAPER NAME

CSEIT1726289.pdf

WORD COUNT CHARACTER COUNT

2874 Words 15500 Characters

PAGE COUNT FILE SIZE

5 Pages 707.7KB

SUBMISSION DATE REPORT DATE

May 26, 2022 11:10 AM GMT+5:30 May 26, 2022 11:11 AM GMT+5:30

62% Overall Similarity

The combined total of all matches, including overlapping sources, for each database.
62% Internet database 4% Publications database
Crossref database Crossref Posted Content database
8% Submitted Works database

Excluded from Similarity Report

Manually excluded sources

Summary
 International Journal of Scientific Research in Computer Science, Engineering and Information Technology
© 2017 IJSRCSEIT | Volume 2 | Issue 6 | ISSN : 2456-3307

Solid State Drive (SSD) Forensics Analysis : A New Challenge

Ravi Kant Chaurasia*1, Dr. Priyanka Sharma2
*1
M.Tech Cyber Security, Raksha Shakti University, Ahmedabad, Gujarat, India
2
Professor & Head (IT & Telecommunication), Raksha Shakti University, Ahmedabad, Gujarat, India

ABSTRACT

There is a need of digital forensics approach to solve the cases of crime investigation based on the computer and
1
mobile phones, which involves advanced to sophisticated digital misuse of systems. Digital forensics is always a
advanced field as a career in forensics with the rise of laws that can take control on legal cases and computer
1
technology that is becoming ubiquitous. This paper tells the studies of important techniques used over traditional
Hard Drive Disk and upgraded technique needed over Solid State Drives to perform digital forensics investigation.
Solid States Drives introduces a new challenge into the field of digital forensics specialists. The use of SSD is
enough easy accessible and for many purposes it is used as a normal hard disk but many times faster and with the
HDD’s and needs very low power utilization. But, Solid state drive is not a change of hard disk technology; it is a
technology that imitates the behavior of a hard disk. Obtaining effective information from Solid State Drives (SSD)
is a challenging forensic assignment. SSD’s may be deleting the evidences usually and even after sanitization of
SSDs, information may be recovered.
1
Keywords: Computer Forensics, Digital Forensics, Flash memory, Solid State Drive

1
I. INTRODUCTION collection self-corrosion in SDD's which also
1
permanently eliminates the deleted data in the
background from that sector within few minutes or
Solid State Drives SSD are dependent on non-volatile
immediately of the data being removed. Based on the
memory flash memory have overtaken the conventional
spindle platter hard disks to become a major storage data gathered it declares that decompose the of proof
1
issue in non-volatile memory and refined use TRIM
device used in computers and laptops present in the
command causes the hardening of a forensics
market. Nowadays tablet smartphone and notebook
investigation. The efficiency of TRIM mechanisms
devices wouldn't stay without the flash memory for the
could have a main distinction once enable for file
hard disk drives.Solid state drives don't have any
1
movable parts such as magnetic disks are movable read system whereas collecting the deleted data that
sometimes gets stores even when deletion. “The
and write heads which used to be existing in 1
technology of the SSD devices leads to vital impacts on
conventional hard drives like HDD's or floppy drives.
the capability of forensic investigators and analysts to
1
In the conventional magnetic hard disk covered in a search out and perceive the information hold on SSD
devices” [1].This may additionally justify to an explicit
magnetic material contains data in the patterns of 0' and
extend however coming flash memory used in SSD are
1' so having the inability to write in the same texts at
1 difficult for forensic analyses.
every location anytime. [1] [2] When data is been
deleted it would marked as erased but will be available
on an unused sector where these deleted files will be II. COMPONENTS OF SSD'S
1
recoverable at any time. The TRIM performs a deletion 1
of invalid data from the memory of SSD's pages to 1. Flash memory:
assure that the rewrite operation can be well performed The flash memory that deletes data at block level are
regularly. That feature is commonly called as garbage referred to as non-volatile storage. Data stored in a

CSEIT1726289| Received:25Nov2017 | Accepted:28Dec2017 | November-December-2017 [(2)6: 1081-1085] 1081

1 1
flash memory should be erased initially and most kind of wear leveling techniques: Dynamic and Static.
largely to be rewritten again into those memories that Also, manufacturer would have data and techniques on
exist usually in modern SSD. how to access and utilize those additional storages by
exchanging with live storage which might improve the
2. Partition alignment: wear leveling.
1
Partition alignment refers to the physical sector size of
1
a hard disk that is utilising by the operating systems. 5. TRIM Function:
The most important difference in HDD and SSD will It is a procedure by which the flash memory controller
1
be the partition of sector whichiscontained by the hard deletes the information present on the block sector
1 1
drive. It is referred in papers that “ HDDs uses 4096 which has been erased by the users and is marked as
1
byte physical sector size which is translated by deleted. It is referred in SSD’s implement deterministic
1
firmware to 512 byte sector while the SSD utilizes 16 Zeroes after TRIM (DZAT) or deterministic read after
1
KB and 8 KB pages almost like that of sectors of HDD” TRIM (DRAT) returning all zeroes directly when
[5]. The partition alignment turns essential at the time TRIM query is fired on a certain block of data.
1
when we are copying content from a regular hard drive SoSSD’s will return original data which is based on the
to SDD as a result of sometime clusters from HDD garbage collection formula applied in the different
1
writes to multiple pages of SDD. The partition operating systems. There are specific concerns for
1
alignments are necessary for achieving maximum encrypted volumes on SSD’s, as various crypto
1 1
performance and durability of a hard drive [3] [4]. containers implement vastly totally different methods
of handling SSD TRIM commands.” [7]
3. Embedded controller:
1
It exists among SSD to performs the read and write 6. Self-corrosion:
operation all over the microchip, so that it also The process within which recoverable components
1
manages the wear leveling of a hard drive. within hard drives erased files are removed over time
1
that are essentials for performing arts forensic
examinations known as as self-corrosion. In mordern’s
SSD's Deleted data making it complicated for the
forensic examiner to recover it [7].

7. Garbage collection:
The non-volatile memory which is using NAND
1
control, SSD’s uses the garbage collection for deleting
and rewriting of data into blocks. It is found that
1
Garbage collectionswill delete all the data instantly that
is deleted by users and marked as invalid by the
operating systems [7] [4]. The garbage collection isn't
Figure 1. SSD Controller [8] considered as the replacement for the TRIM
1
functionality with SSD’s, but TRIM would facilitate
4. Wear leveling: the garbage collection be additional efficient and
It refers to a memory management ways developed to improve performance [8]. The garbage collection and
increase the life of flash memory [7]. The supplier the wear leveling are the main reason for the data to be
frequently provides additional storage when designing written on the same blocks in SSD’s.
hard drives that are inaccessible by traditional ways
could improve the wear leveling a lot better. Usually in 8. Encryption:
SSD’s, data are keep in blocks which may be wipe Encryption of drives could be a may be a of applying
away and rewritten number of times. The wear leveling secret key or password to acquire data security to
would handle and ensure that the deletion and rewritten improve computer hard disks security from intrusion. It
cycles (based upon TRIM command uses) area unit in safeguards the disk drive by the implementation of
an evenly distributed order to perform efficiently and protection to every sector that also challenges the
also extend the lifespan of a hard drive. There'stwo forensic investigation. SSD’s performs marking the

Volume 2, Issue 6, November-December-2017| www.ijsrcseit.com | UGC Approved Journal [ Journal No : 64718 ] 1082
 1
data which is erased data as invalid but not necessary strong evidence to the court through forensic
erase from the page in the flash storage. So, if data is investigation. The current SSD have a garbage
not well encrypted at all time during the complete collection which would hold the data that are marked as
process of managing and deleting of data then it may deleted, but can be permanently deleted by overwriting
be recovered in the conventional hard drives [1] [9] [8]. mechanism to have that sector as new at the time [4]
1
Skilled peoplesuses encryption methods and third party [6]. These would make the forensic investigator tough
tools like TrueCrypt, PGP, BitLocker and another for recovering evidence from an SDD causing the
normal tool to achieve the highest level of data security evidence to be tampered during a court case [1].
in SSD’s. These are new factors which would bring
more complications and challengesduring forensics Overall, the research approves how flash technology in
examination of data analysis of SSD’s. SSDs differs from the traditional HDDs and makes it
complicated for recovering evidence during a forensic
1
Thus, data collected will show however non-volatile investigation [9]. Researches accepts how immoral
1
storage, controller, TRIM flash memory, self-corrosion, people with advance expertise level can completely
wear leveling garbage collection, encryption and other wipe off the HDD so that the deleted content couldn’t
new features by which,SSD operates creates a tough be recover under any circumstances later [3] [4]. It is
challenges for forensic examiner throughout an identified that manufacturers of SSD’s eliminate away
investigation. their implementation methods of the hard drives
making it difficult for forensics examiners to extract
III. RELATED WORK recoverable data from it [4] [6].

1
Solid state hard drives concerning with the forensics IV. ANALYSIS
investigation for recovering the deleted files in the past.
1
The steps taking place during the collection of evidence This review paper will provide detail analysis and
require acquisition, authentication, and analysis of study of results as listed below:
1
hard drives also needs an update with the rising use of i. Primarily, explanation the use and live
hybrid drive such as SSD’s in the new coming laptops response of enabling/disabling of TRIM
1
and computers. There have been numerous functionality, garbage collection, self-
investigations involving digital examinations of hard corrosion.
disks for evidence of crime to prove in the court to ii. To identify a kind of hard drive that is newly
1
punish the culprit. Most of researches have shown hybrid, traditional HDD or SSD to improve the
toward getting the most advancement of the forensics performance of analysis.
1
analysis of the regular hard drives. Research studies iii. Recommendations to overcome the challenges
have led the forensic investigation to require carving with TRIM on modern SSD’s forensics.
techniques or mechanisms to acquire essential content iv. Difference between traditional HDD
of the SSD drives which could help simplify task overSSD’sabout forensics investigation.
during forensics examinations [7]. While research v. To provide challenges for SSD forensics which
studies have shown that TRIM would require the is needed in the investigation w.r.t its multiple
1
supporting operating systems, specific disk format and storage, firmware, embedded controller and
cable connections, storage controller configuration to other factors.
be configured in IDE or ACHI mode and also 1
supporting firmware to perform it tasks [10] [12]. V. SOLID STATE DRIVE Vs. TRADITIONAL
HARD DISK DRIVE
1
It is find by the research that SSD supports data
retention with TRIM enabled file systems to ease any The traditional disk drive would work on a magnetic
1
digital investigation of hard drives. How enable TRIM disk platter where the platters are coated each side thus
causes the operating systems to delete file every time, as to store data in a magnetic form. So, all data are
which the sector remains empty at all time to re-write stored on both upper and lower surface of the platters
1
contains in those sectors. Modern SDD are capable of as tracks that is further divided into individual sectors.
self-corrosion which makes difficult for a providing When an operating machine is power on the disk comes

Volume 2, Issue 6, November-December-2017| www.ijsrcseit.com | UGC Approved Journal [ Journal No : 64718 ] 1083
in use, and the OS needs to be able to scan the correct VI. FORENSICS FOR TRADITIONAL HARD
sector by spinning as fast as it can. DRIVES

The main goal of a forensics investigation is toapply

extensive methods that could recover the deleted files
to prosecute criminals in the court. As the amount of
data that needs to be analysed, examined and processed
could be massive amount, and the variety of data types
could be huge, forensic investigation team always need
to stay ahead of the game which is played by the
criminals. The forensic examination of hard drives by
1
examiner has followed strictly based on performing the
authentication, acquisition and analysis followed by a
Figure 2. Magnetic Disk Vs. Flash Memory [10] chain of custody with complete documentation in place,
that is considered as a standard [7] [4]. The easy way of
In the case ofsolid state drive, it works on flash storage obtaining evidence from a suspected HDD would
which would not have any moving parts or spindle involve imaging of that hard drive followed by detailed
platter like in traditional hard drives. The problems analysis with standard evidence discovery tool such as
which were arise from the movements of plates while EnCase, Belkasoft.
reading in the disk of HDD is solved by SSD’s. The
1 1
key elements of an SSD are significantly the controller Figure 4, 5 shows how to enable and disable TRIM in
and the memory to store the data. Windows 7 machine

Figure 3 shows a detail view of SSD device

architecture and the way modern SDD would have its
feature like flash memory, wear leveling, controller, Figure 4.Enabling/Disabling TRIM in windows 7
1
garbage collector referred to as block manager are machine
separate and not compact under identical magnetic disk
like in traditional HDD.

Figure 5.Enabling/Disabling TRIM in windows 7

machine
1
VII. CHALLENGES OF SSD FORENSICS AND
POSSIBLE SOLUTIONS

The execution of NAND non-volatile memory with

pages to store and reuse blocks in SSD’s would make it
tough to apply forensics techniques and methodologies
compared to a traditional hard drive. More, it gets
Figure 3. SSD Device Architecture [10] complicated encryption methods and sophisticated third
party tools are making it tougher to obtain complete
memory analysis from a regular hard drive now a days.

Volume 2, Issue 6, November-December-2017| www.ijsrcseit.com | UGC Approved Journal [ Journal No : 64718 ] 1084
 1
Although, the IDE allows the forensic examiner to [2]. "SSD vs HDD: Difference. Advantages. What to
perform logical data read which is present on the of Choose for Hosting a Website?" Web Hosting
1
SSD for acquiring of data but also can hide internal Reviews Discount Coupons RSS.
1
data structures, which could make the investigation [3]. Gubanov, Yuri, and Oleg Afonin "Why SSD
difficult. As, some generators of SSD’s makes the SSD Drive Destroy Court Evidence and What can Be
1
in a form that it is almost impossible to retrieve the data Done About it." Belkasoft: Evidence Search and
reads to protect their implementation details it makes Analysis Software for Digital Forensic
tougher for forensics examiners [11]. With the rapid Investigations. Belkasoft, 1 Oct. 2012.
1
use of SSD with newer operating systems such as [4]. Wei, Michael, Laura Grupp, Steven Swanson.
1
Windows and linux, which are supporting enable, "Reliably Erasing Data from Flash-Based Solid
TRIM by default allows the deleted data to be fully State Drives." University of California, San
wiped making it a dead end to examiners. Diego.
1
[5]. "Partition Alignment of Intel SSDs for Achieving
1
The manufacturer additionally would need to Maximum Performance and Endurance." Intel,
implement a way to disable self-corrosion by default Intel, 1Feb. 2014.
1 1
therefore suspected criminals should be prosecuted for [6]. "Recovering Evidence from SSD Drive in 2014:
evidence being store and retrieved by the police. Also, Understanding TRIM, Garbage Collection and
the over provisioning provided by the manufacturer Exclusions." Forensic Focus Articles. Belkasoft,
should be in a very efficient manner so forensic 23 Sept. 2014.
1
examiners able to retrieve the implementation and [7]. Martin, Nick, and Jeff Zimmerman. "Analysis of
storage access when needed throughout a criminal the forensic challenges posed by flash devices."
investigation. University of Nebraska.
1
[8]. Rent, Thomas M. "SSD Controller." SSD
VIII. CONCLUSION Controller. Storage Review.
1
[9]. Nisbet, Alastair, Scott Lawrence, and Matthew
The improvement of the hard drive from old-fashioned Ruff "A Forensic Analysis And Comparison of
to most recent SSD have increased drastically that the Solid State Drive Data Retention With Trim
method is applied to preserve, identify and to extract Enabled File Systems" Site. Edith Cowan
the recoverable deleted data from modern hard University.
1
drivesare almost impossible or none to today’s date. As [10]. "SSD vs HDD – Why Solid State Drive." SSD vs
we have seen that TRIM functionality usage over disk HDD. A Toshiba Group Company.
1 1
formats isto identify the challenges toward forensic [11]. "Anatomy of Linux Flash File Systems."
investigation of modern SSD’s. Anatomy of Linux Flash File Systems. IBM
DeveloperWorks.
1
From the analysis it is shown how to use [12]. "SSD vs HDD: Difference. Advantages. What to
enabling/disabling TRIM command for reduce and Choose for Hosting a Website?" Web Hosting
improve the read and write achievements in SSD’s with Reviews Discount Coupons RSS.
1
the use of different operating Systems. [13]. Mao, Chau-yuan "SDD TRIM Operations:
Evaluation and Analysis" Site. Natinal Chiao
It is also seen that new SSD’s which are coming in the Tung University, July 2013.
1
market would be all right without TRIM functions
enable as long as the controller performs a fully delete
and rewrite operations to the pages working as similar
to garbage collections.

IX. REFERENCES
1
[1]. Fulton, John William "Solid State Disk
Forensics: Is there a Path Forward?" Utica
College, May 2014.

Volume 2, Issue 6, November-December-2017| www.ijsrcseit.com | UGC Approved Journal [ Journal No : 64718 ] 1085
 Similarity Report ID: oid:30110:17652743

62% Overall Similarity

Top sources found in the following databases:
62% Internet database 4% Publications database
Crossref database Crossref Posted Content database
8% Submitted Works database

TOP SOURCES
The sources with the highest number of matches within the submission. Overlapping sources will not be
displayed.

d.researchbib.com
1 62%
Internet

Sources overview
 Similarity Report ID: oid:30110:17652743

Excluded from Similarity Report

Manually excluded sources

EXCLUDED SOURCES

ijsrcseit.com
98%
Internet

1library.net
89%
Internet

mafiadoc.com
64%
Internet

ijps.in
30%
Internet

researchgate.net
16%
Internet

Arab Open University on 2021-05-28

12%
Submitted works

"Development of Algorithm to Enhance the Security Feature of SATA on Solid ...

4%
Crossref

ijeat.org
4%
Internet

Noroff University College on 2019-12-12

4%
Submitted works

Middlesex University on 2020-08-14

4%
Submitted works

Excluded from Similarity Report

 Similarity Report ID: oid:30110:17652743

Middlesex University on 2017-11-16

4%
Submitted works

ijsrcseit.com
3%
Internet

Arab Open University on 2021-05-28

3%
Submitted works

Osmania University, Hyderabad on 2018-08-21

2%
Submitted works

University of Limerick on 2020-05-10

2%
Submitted works

Unizin, LLC on 2019-11-18

2%
Submitted works

AUT University on 2018-03-26

2%
Submitted works

Shinas College of Technology on 2021-04-12

2%
Submitted works

Shinas College of Technology on 2020-12-21

2%
Submitted works

Bundelkhand University on 2018-12-10

2%
Submitted works

University of Northumbria at Newcastle on 2015-05-01

2%
Submitted works

kinetik.umm.ac.id
2%
Internet

Excluded from Similarity Report

 Similarity Report ID: oid:30110:17652743

cersi.it
2%
Internet

University of Maryland, University College on 2018-11-19

2%
Submitted works

humanities-digital-library.org
1%
Internet

"Proceedings of International Conference on Communication and Networks", ...

<1%
Crossref

"Information Systems Design and Intelligent Applications", Springer Science a...

<1%
Crossref

PSB Academy (ACP eSolutions) on 2020-05-29

<1%
Submitted works

Rutvi Shah, Priyanka Sharma. "Chapter 84 Bone Segmentation from X-Ray Im...
<1%
Crossref

"To Distinguishing the Infirmity by using Palmistry Algorithm in Image Proces...

<1%
Crossref

General Sir John Kotelawala Defence University on 2018-07-11

<1%
Submitted works

Melbourne Institute of Technology on 2018-06-02

<1%
Submitted works

Melbourne Institute of Technology on 2018-05-20

<1%
Submitted works

Gitam University on 2022-03-31

<1%
Submitted works

Excluded from Similarity Report

 Similarity Report ID: oid:30110:17652743

Gitam University on 2022-03-31

<1%
Submitted works

Gitam University on 2022-03-31

<1%
Submitted works

University of South Florida on 2020-05-03

<1%
Submitted works

technodocbox.com
<1%
Internet

coursehero.com
<1%
Internet

ijsrst.com
<1%
Internet

Sahera A. S. Almola. "Find Edge Map for Medical Images Based on Texture Ch...
<1%
Crossref

Mr.B.Prabhu Shankar*, Dr.R. Jayavadivel. "Agricultural Water Irrigation using ...

<1%
Crossref

autodocbox.com
<1%
Internet

Hawaii Pacific University on 2014-05-07

<1%
Submitted works

rebe.rau.ro
<1%
Internet

ijarcs.info
<1%
Internet

Excluded from Similarity Report

 Similarity Report ID: oid:30110:17652743

Tanweer Alam. "IoT-Fog A Communication Framework using Blockchain in th...

<1%
Crossref posted content

Tanweer Alam. "Blockchain and its Role in the Internet of Things (IoT)", Institu...
<1%
Crossref posted content

Tanweer Alam, Mohamed Benaida. "The Role of Cloud-MANET Framework in t...

<1%
Crossref posted content

Jignesh Joshi, Chandresh Parekh. "Android smartphone vulnerabilities: A surv...

<1%
Crossref

Mital Parekh, Snehal Jani. "MEMORY FORENSIC: ACQUISITION AND ANALYSI...

<1%
Crossref

Ravi K Sheth, V. V. Nath. "Secured digital image watermarking with discrete c...
<1%
Crossref

Tanweer Alam. "Blockchain-based Big Data Analytics Approach for Smart Citi...
<1%
Crossref posted content

Rupal Sharma, Ravi Sheth. "Secure ASP.NET Web Application by Discovering ...
<1%
Crossref

Kalpesh A. Popat, Priyanka Sharma, Hardik Molia. "Chapter 38 A Study of Ro...

<1%
Crossref

Baha Rababah, Tanweer Alam, Rasit Eskicioglu. "The Next Generation Internet...
<1%
Crossref posted content

Chandresh D. Parekha, Jayesh M. Patel. "OFDM Synchronization Techniques f...

<1%
Crossref

University of Wales Swansea on 2020-01-08

<1%
Submitted works

Excluded from Similarity Report

 Similarity Report ID: oid:30110:17652743

University of Melbourne on 2018-06-03

<1%
Submitted works

tutorialslink.com
<1%
Internet

searchstorage.techtarget.com
<1%
Internet

rajhacksoft.blogspot.com
<1%
Internet

blog.udemy.com
<1%
Internet

jurnalnasional.ump.ac.id
<1%
Internet

"Smart Systems and IoT: Innovations in Computing", Springer Science and Bu...
<1%
Crossref

Buffalo State College on 2012-12-02

<1%
Submitted works

zenodo.org
<1%
Internet

flexiblesolutions.com.au
<1%
Internet

Excluded from Similarity Report