Recovering Evidence from SSD
Drives: Understanding TRIM,
Garbage Collection, and Exclusions
Yuri Gubanov and Oleg Afonin
In 2012, DFI News published an article called “Why SSD Drives Destroy Court Evidence, and What Can
Be Done About It” ( www.dfinews.com/articles/2012/09/why-ssd-drives-destroy-court-evidence-and-what-
can-be-done-about-it-part-1). Back then SSD self-corrosion, TRIM, and garbage collection were little
known and poorly understood phenomena. In 2014, the situation looks different. Having handled numerous cases involving the use of SSD drives and gathered a lot of statistical data, we now know things about
SSD drives that allow forensic specialists to obtain information from them despite the obstacles.
The effect of SSD self-corrosion, as well as the root cause, is well documented. The evidence self-destruc-tion process is triggered by the TRIM command issued by the operating system to the SSD controller at
the time the user either deletes a file, formats a disk, or deletes a partition. The data destruction process is
only triggered by the TRIM command; the data destruction itself is carried out by the separtate process of
background garbage collection.
In many cases the TRIM command is not issued at all. This article discusses these exclusions to gain a
better understanding of the situations when deleted data can still be recovered from an SSD drive.
Deterministic Read After Trim
Experiences recovering information from SSD drives vary greatly among SSD users.
“I ran a test on my SSD drive, deleting 1,000 files and running a data recovery tool five minutes later.
The tool discovered several hundred files, but an attempt to recover them returned a bunch of empty files
filled with zeroes,” said one Belkasoft customer.
“We analyzed an SSD drive obtained from a suspect’s laptop and were able to recover 80% of deleted
files several hours after they’ve been deleted,” said another user.
Why such inconsistency in user experiences? The answer lies in the way the different SSD drives handle
trimmed data pages.
Some SSD drives implement what is called Deterministic Read After Trim (DRAT) and Deterministic
Zeroes After Trim (DZAT), returning all-zeroes immediately after the TRIM command releases a certain
data block, while others do not implement this protocol and will return the original data until it’s
physically erased with the garbage collection algorithm.
With non-deterministic TRIM, each read command after a Trim may return different data, while with
both DRAT and DZAT, all read commands after a TRIM return the same data.
As we can see, in some cases the SSD will return non-original data (all zeroes, all ones, or some other
non-original data) not because the physical blocks have been cleaned immediately following the TRIM
command, but because the SSD controller says that there is no valid data held at the trimmed address on a
logical level previously associated with the trimmed physical block.
Acquiring Evidence from SSD Drives
So far the only practical way of obtaining evidence from an SSD drive remains traditional imaging (with