6.3 Writing data to an SSD
“In order to prevent the ‘leaky’ memory cells from occurring, the software that controls where files are saved tries to prevent the same block in semiconductor memory from being used repeatedly. It does so by ensuring that, every time a file is modified, it is written to different physical locations across the whole of the SSD, selected at random. This technique is called wear levelling,” explained Gloria.
“So, SSDs are designed to be fragmented?” asked Rupert, slightly incredulously.
“Yes! So the good news for a user is that there is no need to ever defrag an SSD – in fact, even if it could be done, it would be counterproductive because an SSD is designed to take a scattergun approach to storing data across the whole drive. However, the bad news for private detectives is that it is much more likely that a previously ‘deleted’ file will be partially overwritten and that it is much harder to piece together a file if the locations of the constituent clusters are lost.
“And as if this is not bad enough, a memory cell can only be written to when it is empty. So before a file is written to a cluster, the entire contents of that cluster are erased so that the write operation can then be carried out. This slows down write operations considerably. So, to counteract this, many manufacturers provide SSD control software, called TRIM, which uses any quiet time to ‘garbage collect’ any unreferenced file fragments caused by wear levelling and proactively initialise these, and other unallocated blocks of the SSD memory, ready for writing. That really is a disaster for digital forensics because, once these areas of memory have been initialised, the data they once contained is lost forever.”
“That is terrible!” cried Rupert.
“And it gets even worse,” said Gloria. “Unlike a traditional hard drive, just powering up an SSD, even one that has been removed from the computer, can allow the garbage collection routines on the SSD to continue. This means that the data on an SSD drive is continuously altered, making it difficult to use as evidence.”
“Can’t the garbage collector routines be disabled?” asked Rupert.
“Unfortunately not; there is even secrecy around the algorithms for rewriting files and wear levelling, which makes it even more difficult for us to know how to find deleted files. There are standards emerging to try to ensure that access to the flash memory is tenable but, as yet, there is no requirement for manufacturers to follow them.
“All of this has led to some people saying that SSD is ‘the beginning of the end’ for current practice in digital forensic recovery,” continued Gloria.
“That sounds a bit melodramatic!”
“Yes, but they may be right,” replied Gloria. “We understand a lot about the forensic analysis of hard drives but, more importantly, we also know how to present the evidence so that it is legally acceptable. Now it is like starting again for solid-state drives.”
Activity 18 (self-assessment) Deterioration in the speed of writing to flash memory
The erase operation on an SSD is relatively time-consuming. Use this fact to explain why writing a file to a brand new USB flash drive is very quick but, after a period of use, writing becomes a much slower operation.
A brand new USB flash drive does not require any blocks to be erased before writing to it for the first time. However, as the SSD fills up, any previously written-to blocks need to be erased before they can be written to again – this slows down the write operation considerably.
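The erase-before-write cost from Activity 18, and the loss of deleted data once garbage collection has run, can be seen in a toy simulation. This is an added example, not part of the original course text; the `ToyFlash` class, the block count and the cost values are assumptions chosen for illustration, not a model of any real drive.

```python
import random

WRITE_COST, ERASE_COST = 1, 10  # assumed relative time units, not measured values

class ToyFlash:
    """Each block is 'empty', 'live' (in use) or 'stale' (deleted, data still there)."""

    def __init__(self, n_blocks, seed=0):
        self.state = ["empty"] * n_blocks
        self.data = [None] * n_blocks
        self.rng = random.Random(seed)

    def write(self, payload):
        """Store payload in a randomly chosen free block; return the time cost."""
        free = [i for i, s in enumerate(self.state) if s != "live"]
        if not free:
            raise RuntimeError("drive full")
        i = self.rng.choice(free)  # random placement stands in for wear levelling
        cost = WRITE_COST + (ERASE_COST if self.state[i] == "stale" else 0)
        self.state[i], self.data[i] = "live", payload
        return cost

    def delete_all(self):
        """Deleting only drops the reference; old contents stay until erased."""
        self.state = ["stale" if s == "live" else s for s in self.state]

    def garbage_collect(self):
        """Idle-time erase of every unreferenced block, ready for fast writes."""
        for i, s in enumerate(self.state):
            if s == "stale":
                self.state[i], self.data[i] = "empty", None

    def recoverable(self):
        """Deleted payloads still physically present on the drive."""
        return [d for s, d in zip(self.state, self.data) if s == "stale"]

def demo(n=8):
    drive = ToyFlash(n)
    result = {"fresh": sum(drive.write(f"a{k}") for k in range(n))}
    drive.delete_all()
    result["recoverable_before_gc"] = len(drive.recoverable())
    result["used"] = sum(drive.write(f"b{k}") for k in range(n))
    drive.delete_all()
    drive.garbage_collect()
    result["recoverable_after_gc"] = len(drive.recoverable())
    result["after_gc"] = sum(drive.write(f"c{k}") for k in range(n))
    return result

if __name__ == "__main__":
    print(demo())
```

Writes to the used drive cost eleven times as much as writes to the fresh one, and garbage collection restores the speed at the price of leaving nothing for an examiner to recover.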