The market share for Solid State Drives (SSD’s) are ever increasing as the cost of storage per GB has drastically been lowered. This has made Solid State Drives not only very appealing for large corporations, but also for consumers who enjoy an increase in performance, due to the higher read and write cycles of an SSD over a traditional hard drive with mechanical parts. There, of course, are many other benefits such as a reduced failure rate as Solid State Drives no longer have any rotating platters, spindle motor, and other read-write heads that can fail. This, of course, does not mean in any way that SSD’s are excluded from failures, as damaged electronics or faulty nand chips are a common issue.
With the increased market share there is naturally also an increase in digital forensic investigative cases where SSD’s contain the evidence and need to be examined. This, for the most part, is relatively straightforward, as you are still examining the same (NTFS, HFS+, EXT4, etc…) file systems. However, there are a few curve balls.
When analyzing a live system, it is easy to check a TRIM status for a particular SSD device by issuing the following command in a terminal window:
fsutil behavior query disabledeletenotify
You’ll get one of the following results:
DisableDeleteNotify = 1 meaning that Windows TRIM commands are disabled
DisableDeleteNotify = 0 meaning that Windows TRIM commands are enabled
fsutil is a standard tool in Windows 7, 8, and 8.1.
Damage to the SSD:
When an SSD fails, acquiring its data can be difficult. In some cases, it may just be a simple issue such as a blown fuse which can be replaced relatively quickly. However, when encountering more complex failures the recoverability becomes questionable as well as the integrity of the content of the data as often the data needs to be extracted from the NAND chips directly and can frequently produce input/output errors.