Modern SSDs self-destroy court evidence


We recently mentioned just how difficult it is to fully erase all data from an SSD.  It turns out that the very opposite is also true: Australian scientists found that SSDs permanently erase or contaminate data marked for deletion, making it unsuitable for use as evidence.

When data is deleted from a traditional magnetic hard disk, forensic investigators can usually recover everything that has been deleted.  As long as a write blocker is used, this evidence remains safe on the hard disk, since hard disks do not physically delete data marked for deletion.  Instead, the affected sectors are simply marked as free space, which means that the unwanted data remains present until these sectors are overwritten by new files.

Unlike hard disks, SSDs cannot directly overwrite cells with new data.  On older SSDs, overwriting a cell meant reading all the data from that cell that needs to be kept, erasing the cell and finally writing the original data along with the new sectors to that cell.  This process is quite time-consuming and is one of the main reasons early SSDs used to have sluggish write performance.

Modern SSDs have a feature called garbage collection, where cells containing data marked for deletion are permanently erased in the background, usually within several minutes of the data being deleted.  This means that new data can be written immediately, leading to “like new” write performance.  The problem is that if forensic investigators try recovering data from an SSD, this data will be permanently deleted either before they manage to recover it or during the recovery process itself.  The evidence then appears as if it was tampered with, since it is no longer possible to prove that the recovered data came from the SSD.

This background garbage collection procedure occurs at the hardware level within the SSD itself, so even simply leaving the SSD powered up with nothing attached to it will result in it gradually wiping evidence, a process which the scientists call “self-corrosion.”  This also means that the use of so-called write blockers and other methods of isolating the drive from write activity offers no protection.
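One way an examiner could document this effect is to image the drive twice and compare the two acquisitions block by block. The sketch below is an added example, not code from the researchers or from this article; the function names, the 4096-byte block size and the premise that background-erased blocks read back as zeros are assumptions.

```python
import hashlib
import io
from itertools import zip_longest

BLOCK_SIZE = 4096  # assumed comparison granularity, not tied to any drive


def block_digests(stream, block_size=BLOCK_SIZE):
    """Yield (sha256 digest, reads_as_zero) for each block of an image."""
    while True:
        block = stream.read(block_size)
        if not block:
            return
        yield hashlib.sha256(block).digest(), block.count(0) == len(block)


def compare_acquisitions(first, second, block_size=BLOCK_SIZE):
    """Diff two images of one drive, taken at different times."""
    report = {"total": 0, "zeroed": [], "altered": []}
    pairs = zip_longest(block_digests(first, block_size),
                        block_digests(second, block_size),
                        fillvalue=(None, False))
    for index, ((old, old_zero), (new, new_zero)) in enumerate(pairs):
        report["total"] += 1
        if old == new:
            continue
        # Assumption: a block the drive erased in the background reads as zeros.
        if old is not None and new_zero and not old_zero:
            report["zeroed"].append(index)
        else:
            # Any other difference, including images of unequal length.
            report["altered"].append(index)
    report["matches"] = not (report["zeroed"] or report["altered"])
    return report


def demo():
    # Constructed sample: four 16-byte "blocks"; D marks deleted-file remnants.
    at_seizure = b"L" * 16 + b"D" * 16 + b"D" * 16 + b"\x00" * 16
    at_lab = b"L" * 16 + b"\x00" * 16 + b"D" * 16 + b"\x00" * 16
    return compare_acquisitions(io.BytesIO(at_seizure), io.BytesIO(at_lab), 16)


if __name__ == "__main__":
    print(demo())
```

A non-empty `zeroed` list between two write-blocked acquisitions is the pattern the article describes: the content changed without any host write, so a whole-image hash recorded at seizure no longer verifies.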

So for any evidence that depends on deleted files, the “golden age” of forensics is going to end.  For example, if a person knows in advance that their computer or laptop may be seized, deleting the files that got them into trouble may be enough to destroy the evidence, unlike with hard disks, where most or all deleted files can be recovered later.