TRIM Scare. There is much talk that deleted artifacts cannot be reconstructed from TRIM-enabled SSDs because garbage collection (GC) runs in the background and resumes even after the device has been switched off and powered back on. There are exceptions, however. TRIM does not take effect in most RAID configurations, in NAS devices, on older versions of Windows (and it works only on NTFS, not on other file systems), or on external SSDs attached through a USB enclosure or a FireWire port.
Self Corrosion. Switching off the affected device immediately after TRIM has been issued does not stop the destruction. Once power is restored, wiping continues, even if the drive is installed in a write-blocking imaging device. Once a self-destruction process has started, there is no practical way of stopping it. The TRIM command is issued to the SSD controller by the operating system when the user deletes a file or formats the storage medium. The background garbage collection that follows occurs at the hardware level, within the SSD itself, and is known as “Self Corrosion.”
Over-Provisioning. Allocating a specific, permanent amount of free space on an SSD is a widely used method for improving both SSD performance and endurance, and is termed Over-Provisioning (OP). Providing free space for NAND management tasks such as garbage collection, wear leveling and bad block management means the SSD does not have to waste time preparing space on demand, a process that takes longer because data must be copied, erased and recopied. NAND flash memory's fundamental unit is the 4 kilobyte (4 KB) page, and there are 128 pages in a block. A write can take place only on a blank (erased) page, one page at a time: pages have to be erased first and then written. Erasing takes place block-wise, i.e. an entire block of pages must be erased at once. To update data, the SSD actually writes to a different, blank page and then updates the logical block address (LBA) table (much like the MFT of an HDD).
Solid-state drives set aside a reserve of space for extra write operations, as well as for the controller firmware, failed block replacements and other unique features that vary by SSD controller manufacturer. The minimum reserve is simply the difference between the binary and decimal naming conventions. Performance of the SSD begins to decline after it reaches about 50% of its capacity. Setting aside 28 GB of a 128 GB drive results in a configuration presented as a 100 GB SSD with 28% over-provisioning.
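The page-and-block behaviour described above (write only to blank pages, erase whole blocks, redirect the LBA table) is what decides whether a deleted file survives on an SSD. The following toy flash translation layer is an added example written for this article, not any vendor's firmware logic; its sizes (4 pages per block, 4 blocks) are constructed so the behaviour is easy to follow. It contrasts a plain file-system delete that never reaches the drive as TRIM (the RAID, NAS, USB-enclosure and non-NTFS cases) with TRIM followed by garbage collection, and shows the difference between what the controller returns over SATA and what a raw read of the chips would find.

```python
PAGES_PER_BLOCK = 4   # constructed toy size; real NAND has 128 pages of 4 KB per block


class ToySSD:
    """Minimal flash translation layer: an LBA map over blocks of pages.
    Writes go to blank pages, erases happen per block, and garbage collection
    reclaims a block only where the controller knows its pages are stale."""

    def __init__(self, num_blocks=4):
        self.num_blocks = num_blocks
        # physical page content: None = erased/blank, otherwise (lba, data)
        self.pages = [[None] * PAGES_PER_BLOCK for _ in range(num_blocks)]
        # stale flag: the controller knows this page holds obsolete data
        self.stale = [[False] * PAGES_PER_BLOCK for _ in range(num_blocks)]
        self.lba_map = {}   # LBA -> (block, page); the table the article likens to an MFT

    def _blank_page(self, exclude=None):
        for b in range(self.num_blocks):
            if b == exclude:
                continue
            for p in range(PAGES_PER_BLOCK):
                if self.pages[b][p] is None:
                    return b, p
        return None

    def write(self, lba, data):
        """Program a blank page; an earlier copy of the LBA is only marked stale."""
        if lba in self.lba_map:
            ob, op = self.lba_map[lba]
            self.stale[ob][op] = True
        loc = self._blank_page()
        if loc is None:
            self.garbage_collect()
            loc = self._blank_page()
        if loc is None:
            raise RuntimeError("no blank page available: drive full")
        b, p = loc
        self.pages[b][p] = (lba, data)
        self.lba_map[lba] = (b, p)

    def delete(self, lba):
        """File-system delete that never reaches the drive as TRIM: only the mapping goes."""
        self.lba_map.pop(lba, None)

    def trim(self, lba):
        """TRIM: the OS tells the controller that the LBA's page is now garbage."""
        loc = self.lba_map.pop(lba, None)
        if loc is not None:
            b, p = loc
            self.stale[b][p] = True

    def garbage_collect(self):
        """Erase whole blocks that contain stale pages, relocating live pages first.
        Returns the number of blocks erased."""
        erased = 0
        for b in range(self.num_blocks):
            if not any(self.stale[b]):
                continue
            live = [self.pages[b][p] for p in range(PAGES_PER_BLOCK)
                    if self.pages[b][p] is not None and not self.stale[b][p]]
            blanks = sum(1 for bb in range(self.num_blocks) if bb != b
                         for p in range(PAGES_PER_BLOCK) if self.pages[bb][p] is None)
            if blanks < len(live):
                continue   # cannot relocate everything yet; leave this block for later
            for lba, data in live:
                tb, tp = self._blank_page(exclude=b)
                self.pages[tb][tp] = (lba, data)
                self.lba_map[lba] = (tb, tp)
            self.pages[b] = [None] * PAGES_PER_BLOCK   # block erase
            self.stale[b] = [False] * PAGES_PER_BLOCK
            erased += 1
        return erased

    def read(self, lba):
        """What the controller returns over SATA: only currently mapped data."""
        loc = self.lba_map.get(lba)
        return self.pages[loc[0]][loc[1]][1] if loc else None

    def chip_off_read(self, lba):
        """What a raw read of the flash chips finds: every physical copy, live or stale."""
        found = []
        for block in self.pages:
            for entry in block:
                if entry is not None and entry[0] == lba:
                    found.append(entry[1])
        return found


def scenario_delete_without_trim():
    ssd = ToySSD()
    ssd.write(7, "evidence")
    ssd.delete(7)          # no TRIM reaches the drive
    ssd.garbage_collect()  # GC has no idea the page is garbage, so it stays
    return ssd.read(7), ssd.chip_off_read(7)


def scenario_trim_then_gc():
    ssd = ToySSD()
    ssd.write(7, "evidence")
    ssd.trim(7)
    still_there = ssd.chip_off_read(7)   # physically present until GC runs
    ssd.garbage_collect()
    return still_there, ssd.chip_off_read(7)


def scenario_overwrite():
    ssd = ToySSD()
    ssd.write(7, "draft-v1")
    ssd.write(7, "draft-v2")   # old version lingers as a stale page
    return ssd.read(7), ssd.chip_off_read(7)
```

In the first scenario the controller answers `None` but the chips still hold "evidence"; in the second the data is physically present only until garbage collection erases the block; in the third both versions of the page coexist until GC runs, which is why examiners sometimes recover superseded copies from raw chip reads.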
Wear Leveling. To extend the life of SSDs, a process termed wear leveling is used. Data is stored in blocks, and each block can tolerate a limited number of erase cycles before becoming unreliable. For example, SLC NAND flash is typically rated at about 100,000 program/erase cycles. In wear leveling, data is arranged so that write/erase cycles are distributed evenly among all the blocks in the storage device. Wear leveling is controlled by the flash controller on the device, which uses a wear-leveling algorithm to determine which physical block to use each time data is programmed.
Dynamic wear leveling and static wear leveling are the two types of SSD wear leveling. Dynamic wear leveling pools erased blocks and selects the block with the lowest erase count for the next write. Static wear leveling, on the other hand, selects the target block with the lowest overall erase count, erases the block if necessary, writes new data to it, and additionally moves blocks of static data when their erase count falls below a certain threshold. Static wear leveling is the more robust method: its efficient use of the whole memory array maximizes device life, but it consumes more power and can slow write operations. Dynamic wear leveling is easier to implement and does not affect device performance.
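To make the difference between the two policies concrete, here is an added simulation written for this article (not a controller vendor's algorithm). It models each logical block write as an erase-and-program of one physical block, runs one hot logical block against five cold ones on a constructed eight-block drive, and reports the spread between the most- and least-erased blocks under no leveling, dynamic leveling and static leveling. The threshold value and the rule "move the coldest data onto the most-worn free block" are this example's assumptions.

```python
NUM_PHYS = 8      # physical blocks in the constructed toy drive
THRESHOLD = 10    # static leveling acts when max erase count minus cold erase count exceeds this


class WearSim:
    """Block-granular toy: every write of a logical block erases and programs one
    physical block, so per-block erase counters show wear directly."""

    def __init__(self, policy):
        assert policy in ("none", "dynamic", "static")
        self.policy = policy
        self.erase = [0] * NUM_PHYS   # per-block erase counter
        self.lmap = {}                # logical block -> physical block
        self.free = list(range(NUM_PHYS))

    def _program(self, phys, logical):
        self.erase[phys] += 1         # erase-before-program
        self.lmap[logical] = phys

    def write(self, logical):
        old = self.lmap.get(logical)
        if self.policy == "none":
            # rewrite in place: the same physical block wears out
            phys = old if old is not None else self.free.pop(0)
            self._program(phys, logical)
            return
        # dynamic: the least-erased free block takes the new data
        phys = min(self.free, key=lambda b: self.erase[b])
        self.free.remove(phys)
        self._program(phys, logical)
        if old is not None:
            self.free.append(old)
        if self.policy == "static":
            self._relocate_cold(just_written=logical)

    def _relocate_cold(self, just_written):
        """Static step: move the coldest data onto the most-worn free block so the
        lightly worn block it occupied can absorb hot writes."""
        cold = [lg for lg in self.lmap if lg != just_written]
        if not cold:
            return
        coldest = min(cold, key=lambda lg: self.erase[self.lmap[lg]])
        if max(self.erase) - self.erase[self.lmap[coldest]] <= THRESHOLD:
            return
        target = max(self.free, key=lambda b: self.erase[b])
        self.free.remove(target)
        self.free.append(self.lmap[coldest])
        self._program(target, coldest)


def spread(policy, hot_writes=1000, cold_blocks=5):
    """Difference between the highest and lowest erase count after the workload."""
    sim = WearSim(policy)
    for lg in range(1, cold_blocks + 1):
        sim.write(lg)               # cold data, written once
    for _ in range(hot_writes):
        sim.write(0)                # one hot logical block rewritten constantly
    return max(sim.erase) - min(sim.erase)


if __name__ == "__main__":
    for policy in ("none", "dynamic", "static"):
        print(policy, spread(policy))
```

Without leveling one block absorbs all 1000 erases; dynamic leveling spreads them over the three blocks that are free at any time, so the cold blocks never wear; static leveling periodically moves the cold data, which is why the data a forensic examiner is looking for can turn up in a physical block far from where it was first written.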
SSD Forensic Challenges
TRIM Impact on Forensics. These commands are executed by the micro-controller and, once triggered, cannot be stopped. TRIM commands will complete even if the SSD is power-cycled. A cyber investigator will not be able to read deleted data from a TRIM-enabled SSD, and users can effectively erase whole partitions just seconds before acquisition.
Wear Leveling Impact on Forensics. Wear leveling concerns forensic examiners for two more reasons. First, examiners may get a different hash value each time they image a solid-state drive. A hash value is the output of a mathematical algorithm, represented by a string of numbers and letters that is unique to a set of data, much like a digital fingerprint. Forensic examiners use hash values to verify that they have an exact, bit-for-bit copy of the original data prior to analysis: the hash value of the original data and that of the copy should be the same. Secondly, an examiner will find it difficult to forensically recover data such as deleted files. Because of wear leveling and over-provisioning, valuable data can appear at any location in the memory array instead of where it should be.
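When two acquisitions of the same SSD hash differently, the examiner's next question is where the image changed and whether the change looks like background reclaim. The helper below is an added example for this article, not part of any forensic tool: it hashes two images, lists the sectors that differ, and flags a changed sector as "zeroed" when the later copy is all zero bytes, which is consistent with a trimmed page reclaimed by garbage collection between the two acquisitions. The two sample images are constructed inline.

```python
import hashlib

SECTOR = 512  # bytes per sector


def image_hash(image: bytes) -> str:
    """SHA-256 over the whole image: the value an examiner records for the copy."""
    return hashlib.sha256(image).hexdigest()


def differing_sectors(img_a: bytes, img_b: bytes, sector: int = SECTOR) -> list:
    """Indices of sectors whose content differs between two acquisitions."""
    if len(img_a) != len(img_b):
        raise ValueError("images of different length cannot be compared sector-wise")
    return [i // sector for i in range(0, len(img_a), sector)
            if img_a[i:i + sector] != img_b[i:i + sector]]


def classify_change(sector_bytes: bytes) -> str:
    """'zeroed' if the later copy of the sector is all zero bytes (consistent with a
    trimmed page reclaimed by garbage collection), otherwise 'rewritten'."""
    return "zeroed" if not any(sector_bytes) else "rewritten"


def compare_acquisitions(img_a: bytes, img_b: bytes) -> dict:
    """Report whether the two images hash identically and, if not, where they differ."""
    changed = differing_sectors(img_a, img_b)
    return {
        "hash_a": image_hash(img_a),
        "hash_b": image_hash(img_b),
        "hashes_match": image_hash(img_a) == image_hash(img_b),
        "changed_sectors": changed,
        "changes": {s: classify_change(img_b[s * SECTOR:(s + 1) * SECTOR]) for s in changed},
    }


def build_sample_images():
    """Constructed 8-sector images: the second acquisition has lost one sector to GC."""
    first = bytearray(8 * SECTOR)
    first[1 * SECTOR:2 * SECTOR] = b"LIVE" * (SECTOR // 4)                # live file data
    first[3 * SECTOR:4 * SECTOR] = b"DELETED-EVIDENCE" * (SECTOR // 16)   # deleted, not yet reclaimed
    second = bytearray(first)
    second[3 * SECTOR:4 * SECTOR] = bytes(SECTOR)                          # reclaimed and zeroed
    return bytes(first), bytes(second)


if __name__ == "__main__":
    a, b = build_sample_images()
    print(compare_acquisitions(a, b))
```

Localizing the difference this way lets the examiner document that the discrepancy between the two hashes is confined to sectors that went to zero, rather than attributing it to a faulty imaging process.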
Compressing Controller Effect on Forensics. Compression algorithms are proprietary to the chipset manufacturer, so there is no way to decompress data through off-chip analysis. Such SSDs have to be sent back to the manufacturer, an expensive and time-consuming process that is undertaken only in the most critical investigations.
Secure Erase Effect on Forensics. By wiping data, a perpetrator can destroy digital evidence much faster than on an HDD. Secure erase takes just minutes rather than the hours it takes on an HDD, so it is feasible for a suspect to issue a secure erase command immediately before the acquisition of the device.
Other Challenges. Many other issues play spoilsport during the forensic investigation of SSDs:
- The IDE interface allows logical data reads but hides the internal data structures.
- The internals of SSDs are not well understood; there may be many places where data of forensic value is hidden.
- Since there are no accepted standards, every manufacturer does as it pleases, and manufacturers also protect their implementation details from being read.
- Because of NAND flash technology, the techniques used on HDDs cannot be applied.
- Carving and free-space analysis, where possible at all, are formidable tasks.
Hardware. SSDs are either attached directly to the computer's SATA interface or connected via a write-blocking device of the same type used to investigate magnetic hard drives. Write blockers prevent user-induced modification of the data stored on the SSD, but not the effects of the TRIM command and the disk's internal garbage collector. It is essential to realize that an SSD connected via a write-blocking device will continue performing background garbage collection, possibly destroying the last remnants of deleted information on the disk. Preventing the internal garbage collection from operating is possible only by physically disconnecting the built-in controller from the flash chips and accessing the information stored in the chips directly. This method is not popular, as it requires special skills and custom hardware.
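Before imaging, it helps to know whether the attached drive advertises TRIM at all, since that decides whether the exclusions listed earlier (RAID, NAS, USB enclosures) or the self-corrosion behaviour applies. The triage helper below is an added example for this article, not part of any forensic product. It parses the feature list that `hdparm -I` prints on Linux (a read-only identify query) and turns the TRIM, "Deterministic read data after TRIM" and "Deterministic read ZEROs after TRIM" capability lines into a short risk note; the sample output is constructed to resemble hdparm's format, and `probe_device()` assumes hdparm is installed on the examiner's workstation and the drive sits behind a write blocker.

```python
import re
import shutil
import subprocess

# Feature lines as printed in the "Commands/features" section of `hdparm -I`.
TRIM_RE = re.compile(r"Data Set Management TRIM supported(?:\s*\(limit (\d+) blocks?\))?")
DRAT_RE = re.compile(r"Deterministic read (data|ZEROs) after TRIM")


def parse_identify(text: str) -> dict:
    """Extract the TRIM-related capability bits from hdparm -I style output."""
    info = {"trim": False, "trim_limit": None, "drat": False, "dzat": False}
    for line in text.splitlines():
        m = TRIM_RE.search(line)
        if m:
            info["trim"] = True
            if m.group(1):
                info["trim_limit"] = int(m.group(1))   # max LBA ranges per TRIM command
        m = DRAT_RE.search(line)
        if m:
            info["drat"] = True            # deterministic read after TRIM
            if m.group(1) == "ZEROs":
                info["dzat"] = True        # ...and trimmed LBAs read back as zeros
    return info


def assess(info: dict) -> tuple:
    """Turn the capability bits into an acquisition risk note for the examiner."""
    if not info["trim"]:
        return ("low", "TRIM not advertised: deleted data may survive until overwritten; "
                       "acquire behind a write blocker as with an HDD.")
    note = ("TRIM advertised: trimmed pages are reclaimed by background garbage "
            "collection, which resumes on power-up even behind a write blocker. ")
    if info["dzat"]:
        note += ("Reads of trimmed LBAs return zeros, so a logical image will not contain "
                 "them; only chip-level access could still find remnants.")
    elif info["drat"]:
        note += "Reads of trimmed LBAs are deterministic but not necessarily zero."
    else:
        note += "Reads of trimmed LBAs are undefined until garbage collection runs."
    return ("high", note)


def probe_device(dev: str):
    """Run the real identify query (assumes hdparm is installed); None if it is not."""
    if shutil.which("hdparm") is None:
        return None
    result = subprocess.run(["hdparm", "-I", dev], capture_output=True, text=True, check=False)
    return parse_identify(result.stdout)


# Constructed samples in the shape of hdparm -I output, for offline use.
SAMPLE_WITH_TRIM = """Commands/features:
        Enabled Supported:
           *    SMART feature set
           *    Data Set Management TRIM supported (limit 8 blocks)
           *    Deterministic read ZEROs after TRIM
"""

SAMPLE_WITHOUT_TRIM = """Commands/features:
        Enabled Supported:
           *    SMART feature set
           *    Power Management feature set
"""

if __name__ == "__main__":
    for sample in (SAMPLE_WITH_TRIM, SAMPLE_WITHOUT_TRIM):
        print(assess(parse_identify(sample)))
```

The note for a TRIM-capable drive reminds the examiner that the write blocker protects the image from the examiner, not from the drive's own controller.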
PC-3000 Flash SSD Edition. A professional hardware-software solution for recovering data from all types of flash-memory-based storage devices (USB flash, SD, MS, xD, MMC, CF, voice recorders, iPhone and SSD) when the standard interface of such drives cannot access the data.
SSD Adapters. Adapters are used to image SSDs with SATA forensic bridges or duplicators.
Imaging M.2 and PCI-E SSDs. Imaging an M.2 or PCI-E SSD requires a dedicated adapter. Considering that there are at least three different types of M.2 SSDs (here we will not discuss the differences between B-key and M-key connectors), you are looking for a solution that supports M.2 SATA (AHCI), M.2 PCI-E (AHCI) and M.2 PCI-E (NVMe) devices. Atola DiskSense is one such hardware imaging device; it creates forensically sound disk images that can be analyzed with software forensic tools.
Software. Software analysis tools can take over once an image of the SSD has been created. Tools such as Nuix, EnCase, FTK, Cyber Check and Belkasoft Evidence Center can be used for analysis. Belkasoft Evidence Center is an integrated solution for the forensic analysis of computers and mobile devices, with support for 700 types of digital evidence: pictures and videos, documents, mobile apps, encrypted files and volumes, data from browsers, instant messengers, clouds and social media, system files, registries, SQLite databases, and more.
Future of SSD Forensics. By physically detaching the controller and using custom hardware to read information directly from the flash chips, investigators could extract traces of destroyed information that may still be stored in various areas of the flash chips.
A group of scientists from the University of California designed an FPGA-based device that provides direct access to the flash chips of an SSD while bypassing the controller. The researchers estimated the cost of their prototype at $1000, while their estimate for building production units using microcontrollers instead of FPGAs was as little as $200.
Technology is evolving at a rapid pace around the globe, and solid-state drives (SSDs) are spearheading the storage wars in the digital world. Faster speed, lower power consumption and the absence of moving parts are the need of the hour, and SSDs put all of these on the table. But they are giving sleepless nights to forensic investigators, who are running against time when SSDs arrive for cyber forensic investigation. Maintaining integrity in the face of garbage collection, recovering deleted data despite secure delete, smart carving, data remapping, free-space analysis, hardware and software analysis tools and many other questions are left for the forensic investigator to answer. How these questions will be answered, only time will tell.
- What Has Changed in 2016 in the Way SSD Drives Self-Destruct Evidence. Demystifying eMMC, M.2, NVMe, and PCI-E, by Yuri Gubanov and Oleg Afonin (Belkasoft Research)
- Recovering Evidence from SSD Drives: Understanding TRIM, Garbage Collection and Exclusions, by Yuri Gubanov and Oleg Afonin (Belkasoft Research)