The problems posed by SSDs, especially those with trim, have been discussed here before. Until there's a really good solution, though, I'm wondering about best practices for preservation?
For example, consider a case where one of the defendants is under a preservation order but the judge is, as of yet, unwilling to demand turnover of the machine. As we know with these SSDs, normal use itself can destroy potential evidence. So, short of turnover, what kinds of requests to the defendant could help preserve evidence? Specifically, are there certain kinds of activities that are especially likely to cause SSDs to lose data? Program installs? Video editing? Multiple restarts? If some activities are particularly damaging, perhaps one could at least request a preservation order that disallows them.
If he is under a preservation order, then could you not explain that turning the machine on will make changes and therefore the only way to preserve the data is not to turn it on?
Legal isn't my strong point though.
Well, sometimes it just doesn't fly.
Piyo, the legal field is one I am still trying to figure out, even after 20 years. However, if the preservation letter has been ordered by the judge/courts, then whoever it was issued to "should" follow the judge's order. If they fail to follow this order, they can be held in contempt. With this said, and as an examiner, if you find they violated this order when you do your examination, and discover they continued to use the computer, this should be reported to the lead prosecutor ASAP. This does not compensate for the destruction of evidence they have done, since they continue and destroy potentially more damaging evidence.
As a suggestion, inform the prosecutor of the dynamics of an SSD and the potential of the evidence being destroyed. This information can educate the prosecutor and judge, who may be computer illiterate, and may change the judge's order. In any case, you as the examiner did what you could to preserve the evidence.
In regards to the evidence in the SSD, they may have to make a lot of changes to the computer to write over the evidence. As you know, with regards to SSDs, and if I understand this correctly, they write to the entire drive before they overwrite a previously written sector. This is done due to the limited writes to the drive.
Hope this helps……