Part 1 of this article discussed some of the forensic challenges relating to SSD drives. Part 2 continues that discussion and looks at the forensic significance of this information.
Today’s SSDs self-destroy court evidence through a process that can be called “self corrosion”. Garbage collection, running as a background process in most modern SSDs, permanently erases data marked for deletion, typically within minutes of the data being marked. Moving the disk to another PC or attaching it to a write-blocking device does not prevent garbage collection. The only way to prevent self-corrosion is to physically detach the disk controller from the flash memory chips holding the data and then access the chips directly with custom hardware [see Hardware for SSD Forensics].
TRIM: Myths and Reality
A common misconception is that discarded blocks of an SSD drive are immediately erased. This is not usually the case. Instead, the TRIM command works by marking the contents of discarded blocks as indeterminate (the "don't care" state) until the moment these blocks are physically erased by a separate background process, the garbage collector. In other words, the TRIM command does not erase the content of discarded blocks by itself. Instead, it adds them to a queue of pending blocks to be cleared by the garbage collector.
Figure 2: TRIM, image from http://www.corsair.com/us/blog/how-to-check-that-trim-is-active/
The “cannot recover” rule does not apply if the TRIM command has not been issued, or if any link in the chain does not support TRIM. If this is the case, information from SSD drives can be recovered in pretty much the same way as from a traditional hard drive [8, 9].
The TRIM protocol will be disabled, or is not supported altogether, if at least one of the following conditions is met:
- Old SSD drives
Older SSD drives do not support the TRIM command. For example, Intel started manufacturing TRIM-enabled SSD drives with the 34 nm (G2) lithography generation; their 50 nm SSDs do not support TRIM [10].
- Old versions of Windows
In Windows Vista and earlier versions, the TRIM protocol is not supported, and the TRIM command is not issued. Possible exception: TRIM-like performance can be enabled via certain third-party solutions (e.g. Intel SSD Optimizer, a part of Intel SSD Toolbox, www.intel.com/support/go/ssdtoolbox/index.htm).
- Old versions of MacOS X
Mac OS X started supporting the TRIM command for Apple-supplied SSD drives with version 10.6.8. Older builds of Mac OS X do not support TRIM. In addition, user-installed SSD drives not supplied by Apple itself are excluded from TRIM support.
- (Windows) File systems other than NTFS
At this time, only NTFS-formatted partitions receive full TRIM support in Windows. Volumes formatted with FAT, FAT32, or other file systems are excluded.
- External drives, USB enclosures, and Network Attached Storage
The TRIM command is fully supported over the SATA interface, including the eSATA extension, as well as SCSI via the UNMAP command. If an SSD drive is used in a USB enclosure or installed in certain types of NAS storage, the TRIM command will not be communicated via the unsupported interface.
- PCI-Express SSDs
Interestingly, the TRIM command is not natively supported by any version of Windows for high-performance SSD drives installed in a PCI Express slot. Possible exception: TRIM-like performance can be enabled via certain third-party solutions (e.g. Intel SSD Optimizer, a part of Intel SSD Toolbox).
- RAID arrays
As of this writing, the TRIM command is generally not supported over RAID configurations (with a few very rare exceptions) [10]. SSD drives working as part of a RAID array can therefore be analyzed.
- Logical corruption
Surprisingly, SSD drives with corrupted system areas (damaged partition tables, skewed file systems, etc.) are easier to recover than healthy ones. The TRIM command is not issued over corrupted areas [11]. Because files are not properly deleted, they simply become invisible or inaccessible to the operating system. Many commercially available data recovery tools (e.g. Intel Solid-State Drive Toolbox with Intel SSD Optimizer, OCZ SSD Toolbox) can reliably extract information from logically corrupted SSD drives.
- Encrypted volumes
Somewhat counter-intuitively, information deleted from certain types of encrypted volumes (some configurations of BitLocker, TrueCrypt, PGP, and other containers) may be easier to recover as they may not be affected by the TRIM command. Files deleted from such encrypted volumes stored on an SSD drive can be recovered (unless they were specifically wiped by the user) if the investigator knows either the original password or binary decryption keys for the volume.
Encrypted volumes and SSD drives don’t play well together due to the wear leveling and performance issues described above. In many configurations, the crypto containers encrypt the entire space on the drive, including free space. This turns every write on that disk into a re-write, which significantly slows down write performance on SSDs. The manufacturers of crypto containers recognized the issue and introduced ways (such as various configurations and advanced options) to mitigate it by releasing unused space back to the SSD controller, which in turn weakens overall security (free, unencrypted sectors are easy to distinguish from encrypted data).
If an encrypted volume of a fixed size is created, the default behavior is also to encrypt the entire content of a file representing the encrypted volume, which disables the effect of the TRIM command for the contents of the encrypted volume.
Dedicated research is required to investigate these options. At this time one thing is clear: in many configurations, including default ones, files deleted from encrypted volumes will not be affected by the TRIM command. This brings us to the question of the correct acquisition of PCs with encrypted volumes.
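The list above gives the conditions under which TRIM never reaches the flash. The following is an added example (not a tool from the article) of how to check each link of that chain on the system under examination: it parses the text that real commands print (hdparm -I on Linux, the Linux sysfs discard_max_bytes attribute, and fsutil behavior query DisableDeleteNotify on Windows) and combines the answers into a verdict. The sample command outputs are constructed in the format those commands use, so the checks can be exercised without touching a drive; probe_linux runs the real commands and is the only part that needs hardware.

```python
# Checks for whether TRIM actually reaches a drive.  Added example, not a tool
# from the article; the parsers take the text of real commands (hdparm -I,
# Linux sysfs, Windows fsutil) so they run on the constructed samples below.
import re
import subprocess
from pathlib import Path


def drive_supports_trim(hdparm_identify_text):
    """hdparm -I lists 'Data Set Management TRIM supported' under
    Commands/features when the drive advertises the ATA DSM/TRIM command."""
    return "Data Set Management TRIM supported" in hdparm_identify_text


def path_passes_discard(discard_max_bytes):
    """Linux: /sys/block/<dev>/queue/discard_max_bytes is 0 when the block
    layer will never send discards down this path (many USB bridges, most
    RAID stacks), whatever the drive itself supports."""
    return int(discard_max_bytes.strip()) > 0


def windows_trim_enabled(fsutil_text):
    """Windows: 'fsutil behavior query DisableDeleteNotify' prints
    'DisableDeleteNotify = 0' when TRIM is issued (0 means *not* disabled)."""
    m = re.search(r"DisableDeleteNotify\s*=\s*(\d)", fsutil_text)
    return m is not None and m.group(1) == "0"


def verdict(drive_ok, path_ok, os_ok):
    """Every link must support TRIM for deleted data to be marked don't-care."""
    links = (("drive", drive_ok), ("interface/driver", path_ok), ("OS/file system", os_ok))
    blocked = [name for name, ok in links if not ok]
    if not blocked:
        return "TRIM active: deleted data becomes unrecoverable once GC runs"
    return "TRIM blocked at " + ", ".join(blocked) + ": deleted data may persist"


# Constructed samples in the format the real commands print.
SAMPLE_HDPARM_TRIM = (
    "Commands/features:\n\tEnabled\tSupported:\n"
    "\t   *\tData Set Management TRIM supported (limit 8 blocks)\n"
    "\t   *\tDeterministic read ZEROs after TRIM\n"
)
SAMPLE_HDPARM_OLD = "Commands/features:\n\tEnabled\tSupported:\n\t   *\tSMART feature set\n"
SAMPLE_FSUTIL_ON = "NTFS DisableDeleteNotify = 0  (Disabled)\nReFS DisableDeleteNotify = 0  (Disabled)\n"
SAMPLE_FSUTIL_OFF = "DisableDeleteNotify = 1\n"


def probe_linux(dev="sda"):
    """Run the real drive and path checks on a Linux host (hdparm needs root).
    The OS/file-system link is assumed fine here; check it separately."""
    ident = subprocess.run(["hdparm", "-I", f"/dev/{dev}"], capture_output=True,
                           text=True, check=False).stdout
    discard = Path(f"/sys/block/{dev}/queue/discard_max_bytes").read_text()
    return verdict(drive_supports_trim(ident), path_passes_discard(discard), True)


if __name__ == "__main__":
    # SATA SSD, discards passed through, Windows 7+ NTFS
    print(verdict(drive_supports_trim(SAMPLE_HDPARM_TRIM), path_passes_discard("2147450880"),
                  windows_trim_enabled(SAMPLE_FSUTIL_ON)))
    # Same drive behind a USB bridge that does not forward discards
    print(verdict(drive_supports_trim(SAMPLE_HDPARM_TRIM), path_passes_discard("0"), True))
```

A drive that advertises TRIM behind a bridge with discard_max_bytes of 0 is the USB-enclosure case from the list: the command exists but never arrives, so deleted data is left for a conventional recovery.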
Forensic Acquisition: The Right Way
The right way to acquire a PC with a crypto container can be described by the following sentence: “If it’s running, don’t turn it off. If it’s off, don’t turn it on.” Indeed, the original decryption keys are cached in the computer’s memory, and can be extracted from a Live RAM dump obtained from a running computer by performing a FireWire attack. These keys can also be contained in page files and hibernation files. Tools such as Elcomsoft Forensic Disk Decryptor can extract decryption keys from memory dumps and page/hibernation files, decrypting the content of encrypted volumes.
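The two points above, that files deleted inside a fully encrypted fixed-size container never reach the drive as a TRIM, and that the volume key recovered from memory then unlocks that leftover ciphertext, can be shown with a small model. This is an added example, not code from the article or from any real container product: the host SSD is a sector store that logs the TRIMs it receives, and the per-sector XOR keystream is a toy stand-in for the volume cipher with no security value. The release_free_space switch models the "release unused space" option the manufacturers added.

```python
# Constructed model of a fixed-size encrypted container on an SSD.  Added
# example; the XOR keystream is a toy replacement for the real volume cipher.
import hashlib

SECTOR = 16  # bytes per sector in this toy


def keystream(key, sector):
    # Deterministic per-sector keystream (toy replacement for XTS-mode AES).
    return hashlib.sha256(key + sector.to_bytes(4, "big")).digest()[:SECTOR]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class HostSSD:
    """The drive as the host sees it: sector store plus the TRIMs it received.
    A trimmed sector reads back as zeros (deterministic read after TRIM)."""
    def __init__(self):
        self.sectors = {}
        self.discards = []

    def write(self, n, data):
        self.sectors[n] = data

    def read(self, n):
        return self.sectors.get(n, b"\x00" * SECTOR)

    def trim(self, n):
        self.discards.append(n)
        self.sectors.pop(n, None)


class Container:
    """Fixed-size volume: by default every sector, free space included, is
    written as ciphertext, so the host cannot tell used from unused."""
    def __init__(self, host, key, n_sectors, release_free_space=False):
        self.host, self.key, self.release = host, key, release_free_space
        self.free, self.files = set(range(n_sectors)), {}
        for s in range(n_sectors):
            host.write(s, xor(b"\x00" * SECTOR, keystream(key, s)))

    def create(self, name, data):
        s = min(self.free)
        self.free.remove(s)
        self.host.write(s, xor(data.ljust(SECTOR, b"\x00"), keystream(self.key, s)))
        self.files[name] = s

    def delete(self, name):
        s = self.files.pop(name)
        self.free.add(s)
        if self.release:
            # "release unused space": the host is told the sector is free and trims it
            self.host.trim(s)
        # otherwise only the volume's own metadata changes; the file's ciphertext
        # stays on the drive and no TRIM is ever issued for it


def recover(host, key, sector):
    # Investigator holding the volume key (e.g. from a RAM or hibernation-file
    # dump) decrypts whatever ciphertext is still present on the host drive.
    return xor(host.read(sector), keystream(key, sector)).rstrip(b"\x00")


def container_demo(release_free_space):
    host, key = HostSSD(), b"volume-key"  # constructed key
    vol = Container(host, key, n_sectors=8, release_free_space=release_free_space)
    vol.create("memo.txt", b"meeting at 9pm")
    sector = vol.files["memo.txt"]
    vol.delete("memo.txt")
    return {
        "host_saw_trim": sector in host.discards,
        "recovered": recover(host, key, sector),
        "zeroed_sectors": [s for s in range(8) if host.read(s) == b"\x00" * SECTOR],
    }


if __name__ == "__main__":
    print("default :", container_demo(False))
    print("release :", container_demo(True))
```

In the default configuration the deleted memo decrypts cleanly with the key and no sector of the container is distinguishable as free; with the release option the drive receives a TRIM, the sector reads back as zeros (so an observer can see which parts of the container are unused), and the key no longer recovers anything from it.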
Hardware for SSD Forensics
At this time, most forensic searches involving the investigation of SSD drives are still performed on dedicated but ordinary computers. SSD drives are either attached directly to the computer’s SATA interface or connected via a write blocking device of the same type that is used to investigate magnetic hard drives. While write blockers do prevent user-induced modifications to the data stored on the SSD drive, they have nothing to do with the operation of the TRIM command and the disk’s internal garbage collector. It is essential to realize that an SSD drive connected via a write blocking device will continue performing background garbage collection, possibly destroying the last remnants of deleted information from the disk.
Preventing the operation of internal garbage collection is only possible by physically disconnecting the built-in controller from actual flash chips, and accessing information stored in the chips directly. At this time, this method is far from being popular as it requires special skills and custom hardware.
Figure 3: SSD controller and flash memory blocks, image taken from http://webscopia.com/2011/10/what-is-an-ssd-solid-state-disk-basics-and-performance-measures/
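The TRIM and garbage-collection behaviour described in the TRIM section, and the point just made that a write blocker does nothing to stop the drive's internal garbage collector while direct access to the chips would still see unerased pages, can be made concrete with a toy flash translation layer. This is an added example, not firmware or code from the article: block and page sizes, the garbage-collection policy and the absence of wear levelling are simplifications, and the read() view of a trimmed page models a drive with deterministic reads after TRIM.

```python
# Toy flash translation layer (FTL) modelling TRIM and garbage collection.
# Constructed example, not real firmware.

PAGES_PER_BLOCK = 4
ERASED = None  # an erased flash page holds no data


class ToySSD:
    def __init__(self, blocks=4):
        self.flash = [[ERASED] * PAGES_PER_BLOCK for _ in range(blocks)]
        self.l2p = {}       # logical page -> (block, page) holding the live copy
        self.stale = set()  # physical pages whose contents are "don't care"
        self.trim_log = []  # TRIM commands the drive actually received

    def _next_free(self, avoid_block=None):
        for b, block in enumerate(self.flash):
            if b == avoid_block:
                continue
            for p, page in enumerate(block):
                if page is ERASED:
                    return (b, p)
        raise RuntimeError("flash full: garbage collection must run first")

    def write(self, lpn, data):
        # NAND cannot overwrite in place: the old copy goes stale and the new
        # copy lands on a fresh page somewhere else.
        if lpn in self.l2p:
            self.stale.add(self.l2p[lpn])
        b, p = self._next_free()
        self.flash[b][p] = data
        self.l2p[lpn] = (b, p)

    def trim(self, lpn):
        # TRIM only *marks* the page as don't-care; nothing is erased yet.
        loc = self.l2p.pop(lpn, None)
        if loc is not None:
            self.stale.add(loc)
            self.trim_log.append(lpn)

    def read(self, lpn):
        # Host view through the controller: a trimmed page is indeterminate,
        # modelled here as empty data (deterministic read after TRIM).
        loc = self.l2p.get(lpn)
        return b"" if loc is None else self.flash[loc[0]][loc[1]]

    def garbage_collect(self):
        # Background GC: every block holding stale pages has its live pages
        # copied elsewhere and is then erased.  It runs inside the drive, so a
        # host-side write blocker or a different PC does not stop it.
        erased = 0
        for b in range(len(self.flash)):
            block_pages = {(b, p) for p in range(PAGES_PER_BLOCK)}
            if not (block_pages & self.stale):
                continue
            live = {lpn: loc for lpn, loc in self.l2p.items() if loc[0] == b}
            for lpn, (ob, op) in live.items():
                nb, np_ = self._next_free(avoid_block=b)
                self.flash[nb][np_] = self.flash[ob][op]
                self.l2p[lpn] = (nb, np_)
            self.flash[b] = [ERASED] * PAGES_PER_BLOCK
            self.stale -= block_pages
            erased += 1
        return erased

    def raw_dump(self):
        # What reading the chips directly (controller bypassed) returns:
        # every programmed physical page, whether mapped or stale.
        return [pg for block in self.flash for pg in block if pg is not ERASED]


def ftl_demo():
    """Delete with TRIM (SATA path, NTFS): recoverable only until GC runs."""
    ssd = ToySSD()
    ssd.write(0, b"contract.docx")
    ssd.write(1, b"deleted-evidence")
    ssd.write(2, b"notes.txt")
    ssd.trim(1)  # file system frees the cluster and the OS issues TRIM
    after_trim = {"host_read": ssd.read(1),
                  "raw_has_data": b"deleted-evidence" in ssd.raw_dump()}
    erased = ssd.garbage_collect()  # drive idles behind a write blocker; GC still runs
    after_gc = {"blocks_erased": erased,
                "raw_has_data": b"deleted-evidence" in ssd.raw_dump(),
                "live_intact": ssd.read(0) == b"contract.docx" and ssd.read(2) == b"notes.txt"}
    return after_trim, after_gc


def no_trim_demo():
    """Same deletion, but no TRIM reaches the drive (USB bridge, old OS, FAT
    volume, RAID): the page never goes stale, so GC leaves it alone."""
    ssd = ToySSD()
    ssd.write(0, b"deleted-evidence")
    # the file system only flips a bit in its own metadata; the drive hears nothing
    ssd.garbage_collect()
    return b"deleted-evidence" in ssd.raw_dump() and ssd.read(0) == b"deleted-evidence"


if __name__ == "__main__":
    print(ftl_demo())
    print(no_trim_demo())
```

After the TRIM the host already reads nothing for the deleted page while the raw page dump still holds it, which is the window a chip-off reader has; once garbage collection has run, the raw dump is clean too, and only the drive's own timing decides how long that window stays open.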
Custom Hardware: The Future of SSD Forensics?
By physically detaching the controller and using custom hardware to read information directly from the flash chips, investigators could extract traces of destroyed information that may remain in various areas of the flash chips.
Figure 4: Custom SSD recovery hardware [4]
A group of scientists from the University of California [4] designed an FPGA-based device providing direct access to the flash chips of an SSD drive while bypassing the controller. The researchers estimated the cost of their prototype at $1000, while their estimate for building production units using microcontrollers instead of FPGAs was as little as $200.
Is this the future of SSD forensics? While custom devices such as those built by the Californian researchers may help forensic specialists extract some extra traces from certain SSD drives, other researchers suggest that most information is lost from an SSD drive within just a few minutes after the user deletes a file or issues a quick format command. The need to maintain custom hardware, as well as the need for specially trained staff to use this method, means it will be justified only in a few select cases.
SSD forensics is different. SSDs self-destroy court evidence, making it difficult to extract deleted files and close to impossible to recover destroyed information (e.g. from formatted disks). However, the correct acquisition technique may yield the original binary decryption keys, allowing investigators to access information stored in encrypted volumes, which may provide access to more information than is available in unencrypted areas of SSD drives. In addition, numerous exceptions exist that effectively prevent the mechanisms causing evidence self-corruption on SSD drives. Currently, SSD drives used in NAS devices, participating in RAID configurations, and connected as external devices via USB and FireWire are excepted from evidence self-corruption. Old versions of Windows, Mac OS, and Linux do not support SSD’s garbage collection mechanisms, and are also exceptions.
The playing field is changing quickly. What’s true today may no longer apply tomorrow. We’ll keep an eye on what’s happening in the industry, releasing an updated report in a few months.
- Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery? http://www.jdfsl.org/subscriptions/JDFSL-V5N3-Bell.pdf
- Wear Leveling http://en.wikipedia.org/wiki/Wear_leveling
- Reliably Erasing Data From Flash-Based Solid State Drives http://www.usenix.org/events/fast11/tech/full_papers/Wei.pdf
- SSD Data Wiping: Sanitize or Secure Erase SSDs? http://www.kingston.com/us/community/articletype/articleview/articleid/2...
- TRIM http://en.wikipedia.org/wiki/TRIM
- Modern SSDs self-destroy court evidence http://www.ssdfreaks.com/content/612/modern-ssds-self-destroy-court-evid...
- Retrieving Digital Evidence: Methods, Techniques, and Issues http://forensic.belkasoft.com/en/retrieving-digital-evidence-methods-tec...
- Belkasoft Evidence Center 2012 Help: Carving http://forensic.belkasoft.com/en/bec/en/Carving.asp
- Intel SSD, TRIM support http://www.intel.com/support/ssdc/hpssd/sb/CS-031846.htm
- Recovering Information from SSD Drives: Myths and Reality http://hetmanrecovery.com/recovery_news/vosstanovlenie-informacii-s-ssd-...
- Solid State Drives and Forensic Troubles http://tech.wiredpig.us/post/12292126487/solid-state-drives-and-forensic...
- Intel 320-series SSD and FDE (Full Disk Encryption) questions... http://communities.intel.com/thread/20537
Yuri Gubanov is a renowned computer forensics expert and a frequent speaker at industry conferences. Yuri is the Founder and CEO of Belkasoft and author of f-interviews.com, a blog where he interviews key people in the digital forensics and security domain. He can be reached at firstname.lastname@example.org.
Oleg Afonin is an independent expert and consultant in computer forensics. He can be reached at email@example.com.