SECURITY 606



On day five we look at Solid State Drives. We focus on how solid state drives function and what happens over time to the data stored on them. We will cover the lower-level functions that differ from those of a physical hard drive and why that is important to data recovery and forensics. You'll learn about research I have done capturing dd images of solid state drives at different times and what has happened to the data, and you'll be amazed to find out the effect on unallocated and file slack space and defragmentation. This will lead us to discussions about the impact solid state will have on the future of forensics and data recovery, and possible issues we may have getting recovered content admitted into court. This will also include a discussion about a newer FAT file system, FAT64, and the problem that it was developed to solve.

You'll learn new information about the future of storage and changes to hard drives, as well as flash media, and introductory information about a new technology called Domain Walls or RaceTrack Memory, under development by the same designer as the current head technology on the hard drive. The lifespan of current media and the shelf life of flash media as long-term storage will be reviewed, and we will discuss alternative methods of keeping data safe and how to refresh the content so it will remain intact if you have to store forensic data for years to come.

During a recovery, there are some security issues on drives that do not involve encryption, such as GUID/SID folder protection. These items will keep you from knowing the data is on the drive, and since it is "invisible" it is possible you might miss extracting important content during data recovery. In this class, you'll learn how to get around this "file protection" in the different operating systems.

We'll wind down by covering a few of the unique functions of the drive that may affect your ability to get an image, such as TPM, hard drive passwords, flash updates to the drive, translator tables, and secure erase wiping tools built into the motherboard and drive for high-speed wiping. We'll also cover how the HPA can be used for many other functions, such as Lo-Jack for laptops or resizing a drive to limit software recovery. You will also get to see a demo of other tools such as MHDD and Victoria and look at how you can recondition a drive and purge or kill bad or slow sectors, making the drive faster and more useful. Finally, we will cover some software items such as zone tables and tools for testing the speed of drives or RAID arrays.




SECURITY 606 Upcoming Events

Event | Location | Dates | Delivery Method
SANS CDI East 2009 | Washington DC | Dec 11, 2009 - Dec 18, 2009 | Live Event
Community SANS Atlanta 2010 | Atlanta, GA | Feb 09, 2010 - Feb 13, 2010 | Community SANS
SANS 2010 | Orlando, FL | Mar 06, 2010 - Mar 15, 2010 | Live Event
SANS Security West 2010 | San Diego, CA | May 07, 2010 - May 15, 2010 | Live Event

"This is awesome! We're seeing details that most people don't even know exist" - John Wright, Info Tech, Inc.
"The class provided in-depth, real world, hands-on information" - Robert Dale Drollinger, General Dynamics
SANS Institute