Solid state drives drives are fundamentally changing the landscape of the digital forensics industry, primarily due to the manner in which they respond to the deletion of files. Previous research has demonstrated that SSDs do not always behave in an equivalent manner to magnetic hard drives, however, the scope of these differences and the conditions that lead to this behavior are still not well understood. This basic, undeniable anomaly regarding file storage and recovery begs one simple, yet critical question: can the data being mined for evidence be trusted?
This talk presents research on the forensic implications of SSDs from one of the most comprehensive studies to date. The goal of this study was to demonstrate and quantify differences across a sample pool of drives in an array of tests conducted in a controlled environment. These tests explored the variations between drive firmware, controllers, interfaces, operating systems, and TRIM state.
Tom Kopchak is the Director of Technical Operations at Hurricane Labs, where he pretends to manage a team of network and system engineers, but is still an engineer and technology geek at heart. While new to the DEF CON stage, Tom’s speaking experience includes numerous talks on breaking full disk encryption (including BSides LV) and numerous other talks at other conferences around the country. He holds a Master’s degree in Computing Security from the Rochester Institute of Technology. When he is not working with computers, Tom enjoys composing, music improvisation (Acts of Music), and playing both the piano and organ.