SSD Drives
SSD means Solid-State Drives represent a new storage technology.
- They operate much faster than traditional drives.
- They employ a completely different way of storing information internally, which makes it much easier to destroy information and much more difficult to recover it.
The culprit in SSD is TRIM Command. According to a survey, TRIM enables SSD completely wiped all the deleted information in less than 3 minutes. This means that the TRIM command effectively zeros all the information as soon as it is marked as deleted by the operating system. Moreover, TRIM command effects can’t be prevented even by using Write-Blocking devices.
Traditional Methods are not useful when we try to recover deleted data from the SSD or even any information from the SSD formatted with either Full format or Quick format. This means the traditional methods can be used for data recovery in SSD only when the TRIM command is not issued or at least one of the components does not support TRIM. The components include:
- Version of Operating System: Windows Vista and Windows 7 support TRIM Command, on the other hand, Windows XP and earlier versions typically don’t support TRIM Command.
- Communication Interface: SATA and eSATA support TRIM, while external enclosures connected via USB, LAN or FireWire don’t.
- File System: Windows supports TRIM on NTFS volumes but not on FAT-formatted disks. Linux, on the other hand, supports TRIM on all types of volumes including those formatted with FAT.
Recovering Deleted Digital Evidence
According to a survey, 93% of all information never leaves the digital form. The majority of information these days is being created, modified, and consumed entirely in digital form. This means most spreadsheets and databases never make it on paper, and most digital snapshots never get printed. In this article, we will discuss methods and techniques to recover deleted digital evidence.
What is Digital Evidence?
Digital Evidence is any information that is stored or transmitted in the digital form that a party at court can use at the time of trial. Digital evidence can be Audio files, and voice recordings, Address books and contact lists, Backups to various programs, including backups to mobile devices, Browser history, Cookies, Database, Compressed archives (ZIP, RAR, etc.) including encrypted archives, etc.
Destroyed Evidence
In a criminal or cyber-criminal case, the attempts to destroy the evidence are very common. Such attempts can be more or less successful depending upon the following conditions:
- Action is taken to destroy the evidence.
- Time Available to destroy the evidence.
- Type of storage device like magnetic hard drive, flash memory card, or SSD drive.
In this section, we will be discussing some of the methods to destroy the evidence and ways to recover the destroyed evidence.