The hard disk drive (HDD) is an essential source of evidence in digital forensics. Even if an attacker tries to erase the evidence of a crime, for example by deleting the malware, the malware is not actually deleted from the HDD: the OS simply unlinks every reference to the malware's data blocks, and the blocks themselves remain on the magnetic platters, so forensic tools can recover the malware from the HDD. A solid-state drive (SSD) behaves differently: it uses the TRIM command to clear unallocated blocks, which prevents the data from being recovered. TRIM improves read and write performance on SSDs and contributes to a longer SSD life.
So, from a digital-forensics perspective, the TRIM command should be disabled so that incidents can be handled and data on the SSD remains recoverable.
How do you disable and enable the TRIM command on an SSD?
TRIM is enabled on SSDs by default. To disable it, open CMD as administrator and enter the command "fsutil behavior set DisableDeleteNotify 1", as shown in the image. To enable TRIM again, replace the 1 with 0.
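The same change as a script that records the state before and after, so the change is documented in the case notes and verified rather than assumed. This is an added example, not code from the original post; it assumes an elevated PowerShell session on Windows 8.1 or later, where fsutil reports and sets the NTFS and ReFS values separately (on older Windows the single-value form shown above applies).

```powershell
# Added example (not from the original post): query, change and verify the
# DisableDeleteNotify setting that controls whether Windows issues TRIM.
# Assumes an elevated PowerShell session on Windows 8.1 or later, where fsutil
# reports the NTFS and ReFS values on separate lines.

function Get-TrimState {
    # Returns a hashtable such as @{ NTFS = 0; ReFS = 0 }; 0 means TRIM is enabled.
    $state = @{}
    foreach ($line in (fsutil behavior query DisableDeleteNotify)) {
        if ($line -match '^(NTFS|ReFS) DisableDeleteNotify = (\d)') {
            $state[$Matches[1]] = [int]$Matches[2]
        }
    }
    return $state
}

function Set-TrimState {
    param(
        [Parameter(Mandatory)][ValidateSet('Enabled', 'Disabled')][string]$Trim
    )
    # DisableDeleteNotify = 1 disables TRIM, 0 re-enables it.
    $value = if ($Trim -eq 'Disabled') { 1 } else { 0 }
    $before = Get-TrimState
    foreach ($fs in 'NTFS', 'ReFS') {
        fsutil behavior set DisableDeleteNotify $fs $value | Out-Null
    }
    $after = Get-TrimState
    # Append a timestamped record of the change (log path is an assumed location).
    "$(Get-Date -Format o) DisableDeleteNotify NTFS $($before.NTFS)->$($after.NTFS) ReFS $($before.ReFS)->$($after.ReFS)" |
        Add-Content -Path "$env:USERPROFILE\trim-state.log"
    # Verify that the setting actually took effect for both filesystems.
    foreach ($fs in 'NTFS', 'ReFS') {
        if ($after[$fs] -ne $value) {
            throw "DisableDeleteNotify for $fs is $($after[$fs]), expected $value"
        }
    }
    return $after
}

# Usage: Set-TrimState -Trim Disabled   (before handling the incident)
#        Set-TrimState -Trim Enabled    (restore the default afterwards)
```

Disabling TRIM only stops the OS from issuing it for future deletions; blocks the drive has already trimmed are not brought back by this setting.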