SSD’s should come with a warning label.

We’ve been working with more and more SSD’s lately, solid state disks, also referred to as m.2 disks, although m.2 is actually the standardized shape of the circuit board and not the drive, with most older SSD’s being strange custom layouts with USB3 and SATA connectors.

Enough about layout and names, let’s get to the important parts.

SSD’s, nearly all current generation, are internally encrypted.  This has great relevance for forensics, because if the drive is not fully operational, you might not be able to retrieve any data from it.  We recently had a case where the controller chip on the disk was damaged and even though the storage chips were intact, no data could be retrieved.  A total loss in a big legal case is no bueno.  Hard drives didn’t have that problem, because they weren’t internally encrypted.  What we mean by that, is the keys are stored in the circuits, they are not input by the user, so there is no optional way to turn it off, and why would you?  You have backups, right?

So here’s three drives, all physically damaged by the same wrong belief, that SATA drives are hot swappable.  SATA drives are only hot swappable if they are explicitly designed that way.  These disks were all hot swapped by the user, with the inevitable *poof* when the magic smoke gets released from the board.

burned board 1
board 1 visibly burned
board 1 burn closeup
board 1 burn closeup

Both of these drives displayed visibly burned components and are POTENTIALLY recoverable, because it does not appear that the controller or storage chips are damaged.  Plus they are old enough they likely are not encrypted anyway.  So we’ll need to physically destroy the chips before disposing of them.

This third drive displays no physical burns, but is also not functional.

drive 3 no visible damage

It will also need to be physically destroyed, to ensure confidentiality of client information.  It’s also a terrible picture.  Sorry about that.

Note that unlike hard disks, working with the guts of an SSD is best left to qualified electronic technicians, as one tiny spark across those teeny-tiny components, which is an incredibly easy mistake to make, can destroy the entire drive.

One bit of humor to all this destruction, the tamper evident label on one of the drives accomplishes nothing other than determining if you peeled off the label.

tamper proof nothing?

We check for screws under labels using a different strategy, so we thought this was funny.  Lab geeks humor is very dry.  We have to add humidity to prevent static discharge in the break room.

Based on other cases involving damaged disks we STRONGLY recommend clients always use a qualified technical forensic lab to handle evidence.  We’ve had 3 cases in recent memory where the client sent it to their local IT support company first before sending it to us, and we have no way of knowing where the fatal damage occurred.  Which can be problematic when discussing spoliation of evidence.  Please call us instead of your local techs.