Solid State Drive Forensics

The market share of Solid State Drives (SSDs) is ever increasing as the cost of storage per GB has dropped drastically. This has made Solid State Drives appealing not only to large corporations but also to consumers, who enjoy an increase in performance due to the higher read and write speeds of an SSD over a traditional hard drive with mechanical parts. There are of course many other benefits, such as a reduced failure rate, as Solid State Drives no longer have rotating platters, a spindle motor or read/write heads that can fail. This does not in any way mean that SSDs are immune to failure, as damaged electronics or faulty NAND chips are a common issue.

With the increased market share there is naturally also an increase in digital forensic cases in which SSDs contain the evidence and need to be examined. For the most part this is relatively straightforward, as you are still examining the same file systems (NTFS, HFS+, EXT4, etc.). However, there are a few curve balls.



A Trim command (commonly typeset as TRIM) allows an operating system to inform a solid-state drive (SSD) which blocks of data are no longer considered in use and can be wiped internal

When analyzing a live system, it is easy to check the TRIM status for a particular SSD by issuing the following command in a terminal window:

fsutil behavior query disabledeletenotify

You’ll get one of the following results:

DisableDeleteNotify = 1 means that Windows TRIM commands are disabled

DisableDeleteNotify = 0 means that Windows TRIM commands are enabled

fsutil is a standard tool in Windows 7, 8, and 8.1.
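As an added example (not part of the original article), a small PowerShell function that runs the fsutil query above on a live Windows host, parses the result and records it for the acquisition notes; it also accepts the per-file-system output (NTFS and ReFS lines) that Windows 10 and later print, which the article does not cover. The function name and the choice of log path are assumptions.

```powershell
# Added example: query and interpret TRIM (DisableDeleteNotify) state on a live Windows host.
# Assumes fsutil.exe is on the PATH (standard from Windows 7 on) and the console is
# elevated, which fsutil generally requires.
function Get-TrimStatus {
    [CmdletBinding()]
    param()

    $raw = & fsutil.exe behavior query disabledeletenotify 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "fsutil failed (exit $LASTEXITCODE): $($raw -join ' ')"
    }

    # Windows 7/8/8.1 print a single line:      DisableDeleteNotify = 0
    # Windows 10 and later print one line per file system, e.g.
    #   NTFS DisableDeleteNotify = 0  (Disabled)
    #   ReFS DisableDeleteNotify = 0  (Disabled)
    $pattern = '^(?:(?<fs>NTFS|ReFS)\s+)?DisableDeleteNotify\s*=\s*(?<val>[01])'
    $results = foreach ($line in $raw) {
        if ("$line" -match $pattern) {
            # Legacy single-line output carries no file system name; it refers to NTFS.
            $fs = if ($Matches['fs']) { $Matches['fs'] } else { 'NTFS' }
            $val = [int]$Matches['val']
            [PSCustomObject]@{
                Host                = $env:COMPUTERNAME
                QueriedAtUtc        = (Get-Date).ToUniversalTime().ToString('o')
                FileSystem          = $fs
                DisableDeleteNotify = $val
                # 0 = TRIM enabled: the OS tells the SSD which blocks are free and the
                #     drive may wipe them internally before an image is ever taken.
                # 1 = TRIM disabled: deleted data may still sit in unallocated space.
                TrimEnabled         = ($val -eq 0)
            }
        }
    }
    if (-not $results) { throw "Unrecognised fsutil output: $($raw -join ' ')" }
    return $results
}

# Record the state alongside the other acquisition notes (log path is an assumption).
Get-TrimStatus | Tee-Object -FilePath "$env:TEMP\trim-status.txt" | Format-Table -AutoSize
```

Capture this before imaging, since a TrimEnabled value of True explains why unallocated space on the SSD may later carve as zeros.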

Damage to the SSD:

When an SSD fails, acquiring its data can be difficult. In some cases it may be a simple issue such as a blown fuse, which can be replaced relatively quickly. With more complex failures, however, both the recoverability and the integrity of the data become questionable, as the data often has to be extracted from the NAND chips directly, which frequently produces input/output errors.