We’ve been working with a computer forensics team for the past 1.5 years, and we have a checklist of typical questions to ask our clients before each engagement to prepare the necessary equipment and develop a timeline for computer imaging and analysis. Some of these queries include “How many computers to image?”, “What type of computer (e.g., desktop, laptop, server)?”, and “What are the storage sizes for each computer?” We very recently added the question “Are you using SSD for storage?” or, for the less technically inclined, “What are the models of these computers?” Then we’ll simply Google the model to see if it uses SSD for storage. But why is it critical for forensic investigators to know whether or not a machine is employing SSD storage?
A solid-state drive, or SSD, serves the same purpose as a conventional hard disk drive (HDD) but stores data on flash memory chips rather than on spinning platters. An HDD must wait for the platter to spin to the location of the requested data; on an SSD, every memory chip holding your data is accessible at the same time. This lets SSDs access data significantly faster than HDDs while also being smaller and lighter.
One of the most difficult tasks for forensic investigators is retrieving deleted files from SSDs. Because of the way SSDs handle deleted files in most modern PCs, recovering them has become far more difficult and, in many cases, nearly impossible. As computer forensic investigators, we must disclose this to clients up front to manage their expectations.
The following sections will provide an overview of how SSDs process deleted objects and the likelihood that files can still be recovered.
TRIM and Garbage Collection
The combination of the TRIM function and Garbage Collection is what makes deleted files hard to restore. The operating system sends TRIM commands to the SSD controller when the user deletes a file, formats the drive, or deletes a partition. TRIM support was first introduced with the release of Windows 7 and is not available in older versions of Windows (such as XP and Vista). Garbage Collection, on the other hand, is a firmware function built into the SSD itself that cleans or purges the data blocks scheduled for deletion.
When a user deletes a file or formats a disk or partition, the operating system issues the TRIM command to the SSD, and the SSD then starts its garbage collection operation. Because Garbage Collection runs inside the drive itself, even if the machine is turned off while the procedure is running, the data cleaning resumes once the computer is turned back on. The procedure also continues after the drive is removed and connected to a write blocker, because a write blocker only stops the host from writing; it cannot stop the drive's own firmware. The image below shows how the TRIM and Garbage Collection processes function.
Garbage collection of deleted blocks does not happen if the TRIM command is never delivered. Although purging of data blocks is almost unavoidable once TRIM has been sent, there are scenarios in which the command is not issued at all or does not work properly. The following are some of TRIM's limitations:
- TRIM is not supported/enabled in the OS.
- TRIM does not function in most RAID environments, external SSDs, and NAS devices.
- TRIM is only supported over SATA, eSATA, and SCSI (an SSD connected through USB is unaffected).
- Many SSD drives were released with buggy firmware that effectively disables the effects of TRIM and Garbage Collection.
- The file is only corrupted, not deleted.
Given the limitations above, deleted files can still be recovered in certain scenarios. A file can also be retrieved if it is smaller than a data block, the smallest unit of storage the drive can erase. If the drive implements DRAT (Deterministic Read After TRIM), file carving is also an option for recovery. The SATA standard defines the following types of TRIM behaviour:
- Non-deterministic TRIM: each read command after a TRIM may return different data.
- Deterministic Read After TRIM (DRAT): all read commands after a TRIM shall return the same data; the contents become determinate.
- Deterministic Zero After TRIM (DZAT): all read commands after a TRIM shall return zeroes until the page is written with new data.
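To turn the limitations and TRIM types above into a triage check before imaging, the following added example (not from the original article) parses the TRIM feature lines that `hdparm -I` prints on Linux and the `fsutil behavior query DisableDeleteNotify` output on Windows, classifies the drive as non-deterministic, DRAT or DZAT, and states the recovery outlook. The tool outputs embedded here are constructed for a hypothetical drive and host; `interface` is a value you supply from the intake questionnaire.

```python
import re
from dataclasses import dataclass

# Constructed excerpts of real tool output for a hypothetical SATA SSD:
# `hdparm -I /dev/sdX` (Linux) and `fsutil behavior query DisableDeleteNotify` (Windows).
SAMPLE_HDPARM = """\
Commands/features:
        Enabled Supported:
           *    Data Set Management TRIM supported (limit 8 blocks)
           *    Deterministic read ZEROs after TRIM
"""
SAMPLE_FSUTIL = "NTFS DisableDeleteNotify = 0  (Disabled)\nReFS DisableDeleteNotify = 0  (Disabled)\n"

@dataclass(frozen=True)
class TrimProfile:
    trim_supported: bool
    drat: bool  # Deterministic Read After TRIM
    dzat: bool  # Deterministic Zero After TRIM (implies DRAT)

def parse_hdparm(text: str) -> TrimProfile:
    """Pick the three TRIM-related feature lines out of `hdparm -I` output."""
    trim = "Data Set Management TRIM supported" in text
    dzat = "Deterministic read ZEROs after TRIM" in text
    drat = dzat or "Deterministic read data after TRIM" in text
    return TrimProfile(trim, drat, dzat)

def os_trim_enabled(fsutil_text: str) -> bool:
    """DisableDeleteNotify = 0 means Windows sends delete notifications (TRIM)."""
    m = (re.search(r"NTFS DisableDeleteNotify\s*=\s*(\d)", fsutil_text)
         or re.search(r"DisableDeleteNotify\s*=\s*(\d)", fsutil_text))
    return m is not None and m.group(1) == "0"

def trim_mode(p: TrimProfile) -> str:
    if not p.trim_supported:
        return "none"
    return "DZAT" if p.dzat else "DRAT" if p.drat else "non-deterministic"

def recovery_outlook(p: TrimProfile, host_trim: bool, interface: str) -> str:
    """Apply the article's limitations: TRIM only reaches the drive over
    SATA/eSATA/SCSI, not through USB bridges, most RAID controllers or NAS."""
    if interface.upper() not in {"SATA", "ESATA", "SCSI"}:
        return "trim-not-delivered: deleted data likely recoverable, as on an HDD"
    if not host_trim or not p.trim_supported:
        return "trim-inactive: deleted data likely recoverable, as on an HDD"
    mode = trim_mode(p)
    if mode == "DZAT":
        return "DZAT: trimmed pages read as zeros; carving a logical image is futile"
    if mode == "DRAT":
        return "DRAT: reads are stable; carving may still yield usable fragments"
    return "non-deterministic: reads vary between passes; carving results unreliable"
```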
Sending a TRIMmed SSD to the manufacturer for recovery at the physical (chip) level may be a viable option when crucial evidence is at stake.
Conclusion
Now that we know files on machines with SSDs are likely to be overwritten, is it still worth trying to restore them? That depends on the nature of the case and the duration of the engagement. File carving for overwritten files takes longer, and it will most likely produce a large number of "garbage files", files of no evidentiary value (often system files), that still have to be reviewed. However, if the investigation is urgent, you may want to recover as much data as possible to avoid missing any important evidence.
For a more detailed explanation of how SSDs work, see the article published by Gubanov and Afonin:
https://articles.forensicfocus.com/2014/09/23/recovering-evidence-from-ssd-drives-in-2014-understanding-trim-garbage-collection-and-exclusions/