Digital Forensics on Solid State Drive (SSD) with TRIM Feature Enabled and Deep Freeze Configuration Using Static Forensic Methods and ACPO Framework
Authors/Creators
- 1. Computer Science Department, BINUS Graduate Program - Master of Computer Science, Binus University Jakarta, Indonesia
Description
Abstract— For digital forensic examiners, data files are important because they can be used as digital evidence. Digital evidence must be accessible and presentable, and its integrity must be guaranteed, so that it can be accounted for in court. One of the places where data files are stored is the Solid State Drive (SSD). SSDs pose a problem because of three technology updates, namely the TRIM feature, background garbage collection, and wear leveling, which can automatically eliminate data files that have been deleted. Several tools can be installed on an SSD, such as Deep Freeze, whose function is to protect the computer from unwanted changes. If data files are saved after Deep Freeze is activated and the computer is then shut down and turned on again, the data files on the SSD will be lost (not saved). The purpose of this research was to determine the probability of success in recovering and extracting data, based on the number of files and the percentage, on an SSD with a Deep Freeze configuration. This research uses static forensic methods and, in the research stage, scenario testing is performed 3 times following the ACPO framework. From the examination and analysis performed, only 2 of 4 tools succeeded in recovering and extracting partial data, namely Autopsy and PhotoRec. The success rate for data recovery and extraction decreased from the first test to the third test. If a computer configured with Deep Freeze is shut down or restarted more than once, files are less likely to be recovered. This remains an obstacle for forensic examiners, because the digital evidence cannot be recovered and extracted as a whole.
Keywords- digital forensics; ssd; trim; deep freeze; acpo framework; examination; analysis; recovery; extract; digital evidence
Files
| Name | Size |
|---|---|
| 06 Paper 01112017 IJCSIS Camera Ready pp44-56.pdf (md5:e7e69683f27b31369d05743c4590f69b) | 3.4 MB |