Solid-state drives (SSDs) have introduced dramatic changes to the principles of computer forensics. Forensic acquisition of computers equipped with SSD storage is very different from how we used to acquire PCs that use traditional magnetic media. Instead of the predictable and highly probable recovery of information the suspect attempted to destroy, we are entering the muddy waters of stochastic forensics, where nothing can be assumed as a given.
Stochastic Forensics
The way today’s SSD drives operate allows little space for positive assumptions. With SSD drives, the only thing we can assume is that an investigator can access existing information stored on the disk. Deleted files and data the suspect attempted to destroy (for example by formatting the disk, even in “Quick Format” mode) may be lost forever in a matter of minutes [1]. And even if the computer is powered off immediately after a destructive command has been issued (e.g. a few minutes after the Quick Format), there is no easy way to prevent the disk from destroying the data once the power is back on. The situation is somewhat of a paradox, reminiscent of Schrödinger's cat: one will never know if the cat is alive before opening the box [2].
The golden age of forensics is going to end. “Given the pace of development in SSD memory and controller technology, and the increasing proliferation of manufacturers, drives, and firmware versions, it will probably never be possible to remove or narrow this new grey area within the forensic and legal domain,” scientists from Australia's Murdoch University wrote. “It seems possible that the golden age for forensic recovery and analysis of deleted data and deleted metadata may now be ending.” [1]
Cannot Delete
The way SSD drives are constructed imposes several design limitations. Existing types of flash memory allow for a limited number of write operations before wearing out. Modern SSD drives employ smart wear leveling techniques [3] that, instead of re-using existing blocks of memory, write to a different block when data stored in a certain block is modified. This in turn leaves blocks containing potentially sensitive information scattered all over the memory chip.
To further increase effective lifespan and improve wear leveling on SSD drives, many manufacturers install chips that can hold up to 25% more data than their advertised capacities [4]. This extra capacity is not addressable by the operating system, or by any other reasonable means (i.e. not without custom hardware that accesses the flash chips directly). This also makes the content on SSD drives impossible to wipe via traditional means as securely as some government and military standards require.
To mitigate this issue, some SSD manufacturers implemented an extension to the ATA ANSI specification to enable secure destruction of information stored on all flash chips [5]. The ATA Secure Erase (SE) command, when implemented correctly [4], wipes the entire contents of the drive at a hardware level.
In general, software secure wipe tools overwrite information stored on a hard drive with cryptographically secure random data in several passes. The problem with these software tools is their inability to address, and therefore access, the entire storage capacity of the SSD drive (including system, reserved, and remapped areas).
As opposed to software-based tools, the ATA Secure Erase command instructs the built-in SSD controller supporting the command to electronically erase all blocks on all flash chips of the drive. Erased SSD drives are cleaned completely, with all blocks empty and available for immediate write (no additional erase cycles are required before writing to wiped blocks). In effect, the SE command restores the SSD to factory defaults and write performance. When properly implemented [4, 13], the SE command results in a complete wipe of all storage regions of the SSD drive, including any reserved, system, and service areas.
An example of properly implemented secure erase is found in Intel self-encrypting SSD drives. According to Intel [13], "Executing a SECURE ERASE function, such as that found in the Intel SSD Toolbox, will cause the Intel SSD 320 Series drives to generate a new internal encryption key." This will instantly render unusable all the encrypted user data stored on an Intel 320 Series SSD (and other devices supporting hardware-level full-disk encryption).
Cannot Recover
The inability to reliably recover erased information is another side of the same coin. Wear leveling spreads writes across the drive’s storage capacity, using previously unoccupied blocks each time a write operation commences. Even repeated writes to the same file (e.g. the page file) will cause the entire content of the SSD drive to become “dirty”, leading to a severe decrease in performance, with write speeds much slower than usual. This occurs because the flash technology used in SSD drives requires blocks to be erased before the controller can perform a write operation on them. This property is unique to storage devices based on flash technology and is very different from how traditional magnetic types of media handle write requests.
As the process of erasing previously occupied blocks tends to be much slower compared to reading and writing, SSD drives full of “dirty” blocks will require significant time to write even a single block of data, as no empty (erased) blocks exist. This led SSD manufacturers to design a garbage collection process that erases “dirty” blocks in the background and makes them available for fast write operations again.
The issue with garbage collection is that neither the drives nor their controllers know exactly which blocks are actually occupied by files or operating system structures and which blocks are no longer used and are just “dirty”. While the controller could mark blocks that were remapped to other blocks as a part of a wear leveling process, this information would only slow down the process of the drive being filled up with “dirty” blocks during normal use of the drive that typically involves creating, writing, modifying, and deleting files.
In order to mitigate this issue, SSD designers developed an interface allowing the operating system (e.g. Windows, Linux, Mac OS X, etc.) to inform the controller that certain blocks are no longer in use via the TRIM command [6]. This allows the internal garbage collector to electronically erase the content of these blocks, preparing them for future write operations.
Blocks of data processed by the garbage collector are physically erased. Information from such blocks cannot be recovered even with the use of expensive custom hardware. Forensic researchers named this process “self-corrosion” [7, 12].
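The behaviour described in the sections above (out-of-place writes under wear leveling, the limits of overwriting through the logical interface, and TRIM followed by garbage collection) can be traced in a toy model of a controller's mapping layer. This is an added example, not code from the original article; the `ToySSD` class, its methods and the sample data are constructed for illustration, and the model assumes the controller tracks remapped blocks as dirty.

```python
# Toy flash translation layer. Constructed model, not any vendor's firmware.
ERASED = None  # state of a physical block after an erase cycle

class ToySSD:
    def __init__(self, logical_blocks, spare_blocks):
        # Physical capacity exceeds the advertised capacity (over-provisioning).
        self.flash = [ERASED] * (logical_blocks + spare_blocks)
        self.map = {}       # logical block address -> physical block index
        self.dirty = set()  # physical blocks holding stale or trimmed data

    def write(self, lba, data):
        if ERASED not in self.flash:
            self.garbage_collect()  # slow path: erase before write
        if ERASED not in self.flash:
            raise IOError("no erased block available")
        new = self.flash.index(ERASED)
        if lba in self.map:
            self.dirty.add(self.map[lba])  # old copy stays on the chip
        self.flash[new], self.map[lba] = data, new

    def read(self, lba):
        # What the OS or a logical imaging tool sees through the drive interface.
        return self.flash[self.map[lba]] if lba in self.map else ERASED

    def trim(self, lba):
        # The OS reports that this logical block is no longer in use.
        if lba in self.map:
            self.dirty.add(self.map.pop(lba))

    def garbage_collect(self):
        # Background erase of dirty blocks ("self-corrosion").
        for phys in self.dirty:
            self.flash[phys] = ERASED
        self.dirty.clear()

    def chip_off(self):
        # What reading the flash chips directly would return.
        return [d for d in self.flash if d is not ERASED]

def demo():
    ssd = ToySSD(logical_blocks=4, spare_blocks=1)
    ssd.write(0, b"SECRET")
    ssd.write(0, b"\x00" * 6)  # software overwrite via the logical interface
    after_wipe = (ssd.read(0), b"SECRET" in ssd.chip_off())
    ssd.write(1, b"EVIDENCE")
    ssd.trim(1)  # file deleted, OS issues TRIM
    before_gc = (ssd.read(1), b"EVIDENCE" in ssd.chip_off())
    ssd.garbage_collect()
    after_gc = (b"SECRET" in ssd.chip_off(), b"EVIDENCE" in ssd.chip_off())
    return after_wipe, before_gc, after_gc
```

`demo()` returns what the logical interface and a chip-level read each show after the overwrite, after TRIM, and after garbage collection.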
Learn about SSD Self-Corrosion and Encrypted Volumes next week in Part 2 of this article.
References
1. Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery? http://www.jdfsl.org/subscriptions/JDFSL-V5N3-Bell.pdf
2. Schrödinger's cat http://en.wikipedia.org/wiki/Schr%C3%B6dinger's_cat
3. Wear Leveling http://en.wikipedia.org/wiki/Wear_leveling
4. Reliably Erasing Data From Flash-Based Solid State Drives http://www.usenix.org/events/fast11/tech/full_papers/Wei.pdf
5. SSD Data Wiping: Sanitize or Secure Erase SSDs? http://www.kingston.com/us/community/articletype/articleview/articleid/2...
6. TRIM http://en.wikipedia.org/wiki/TRIM
7. Modern SSDs self-destroy court evidence http://www.ssdfreaks.com/content/612/modern-ssds-self-destroy-court-evid...
8. Retrieving Digital Evidence: Methods, Techniques, and Issues http://forensic.belkasoft.com/en/retrieving-digital-evidence-methods-tec...
9. Belkasoft Evidence Center 2012 Help: Carving http://forensic.belkasoft.com/en/bec/en/Carving.asp
10. Intel SSD, TRIM support http://www.intel.com/support/ssdc/hpssd/sb/CS-031846.htm
11. Recovering Information from SSD Drives: Myths and Reality http://hetmanrecovery.com/recovery_news/vosstanovlenie-informacii-s-ssd-...
12. Solid State Drives and Forensic Troubles http://tech.wiredpig.us/post/12292126487/solid-state-drives-and-forensic...
13. Intel 320-series SSD and FDE (Full Disk Encryption) questions... http://communities.intel.com/thread/20537
Yuri Gubanov is a renowned computer forensics expert and a frequent speaker at industry conferences. Yuri is the Founder and CEO of Belkasoft and author of f-interviews.com, a blog where he interviews key people in the digital forensics and security domains. He can be reached at yug@belkasoft.com.
Oleg Afonin is an independent expert and consultant in computer forensics. He can be reached at aoleg@voicecallcentral.com.

