16 www.DFInews.com FALL 2014
ocz-experience). A particular SSD drive may or may not be
recoverable depending on which bugs were present in its
SSD over-provisioning is one of the many wear-leveling
mechanisms intended to increase SSD life span. Some
areas on the disk are reserved on the controller level,
meaning that a 120 GB SSD drive carries more than 120
GB of physical memory. These extra data blocks are called
the over-provisioning (OP) area and can be used by SSD
controllers when a fresh block is required for a write operation. A dirty block will then enter the OP pool and will
be erased by the garbage collection mechanism during the
drive’s idle time.
In regard to SSD over-provisioning, firmware bugs can
affect TRIM behavior in other ways, for example by revealing trimmed data after a reboot or power-off. Solid-state
drives remap constantly after TRIM to reallocate addresses
in the OP pool. As a result, the SSD reports a trimmed
data block as writeable (already erased) immediately after
TRIM. Obviously, the drive did not have the time to actually clean old data from that block. Instead, it simply maps
a physical block from the OP pool to the address referred
to by the trimmed logical block.
What happens to the data stored in the old block? For a
while, it contains the original data (in many cases it’s compressed data, depending on the SSD controller). However,
as that data block is mapped out of the addressable logical
space, the original data is no longer accessible or addressable.
Sounds complex? You bet. That’s why even seasoned
SSD manufacturers may not get it right the first time
(as discussed on OCZ Technology Forum at http://
php?96382-Deterministic-Read-After-Trim). This creates
issues when, after deleting data and rebooting the PC,
some users see the old data reappear as if it had never been
deleted. Apparently, because of the mapping issue, the new
pointers did not work as they should, owing to a bug in the
drive’s firmware. OCZ released a firmware fix to correct this
behavior, but similar bugs may still affect other drives.
SSD Shadiness: Manufacturers Bait-and-Switch
When choosing an SSD drive, customers tend to read online reviews. Normally, when a new drive gets released, it is
reviewed by various sources soon after it becomes available.
And customers often base their choices on them.
But what if a manufacturer silently changes the drive’s
specs without changing the model number? In this case,
an SSD drive that used to have great reviews suddenly becomes
much less attractive. This is exactly what happened
with some manufacturers. According to ExtremeTech,
well-known SSD manufacturers Kingston and PNY were
caught pulling a bait-and-switch with cheaper components
after getting good reviews. In this case, the two manufacturers
launched their SSDs with one hardware specification,
and then changed the hardware configuration after
reviews went out.
So what does this mean for us? Well, the forensic-friendly SandForce controller was found in the second
revision of PNY Optima drives. Instead of the original
Silicon Motion controller, the new batch of PNY Optima
drives had a different, SandForce-based controller known
for its less-than-perfect implementation of garbage
collection, which left data on disks for a long time after it
Small Files: Slack Space
Remnants of deleted evidence can be acquired from so-called slack space as well as from MFT attributes.
In the world of SSDs, the term “slack space” takes on a
new meaning. Rather than being a matter of file and cluster size alignment, “slack space” in SSD drives deals with
the different sizes of minimum writeable and minimum
erasable blocks on a physical level.
In SSD terms, a “page” is the smallest unit of storage that
can be written to. The typical page size of today’s SSDs is 4
KB or 8 KB.
“Block,” on the other hand, is the smallest unit of
storage that can be erased. Depending on the design of a
particular SSD drive, a single block may contain 128 to
As a result, if a file is deleted and its size is less than
the size of a single SSD data block, or if a particular SSD
data block contains pages that still remain allocated, that
particular block is not erased by the garbage collection
algorithm. In practical terms, this means that files or file
fragments (chunks) smaller than 512 KB or 2 MB, depending on the SSD model, may not be affected by the TRIM
command, and may still be forensically recoverable.
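The remap-on-TRIM behavior described earlier and the page/block erase rule above can be seen together in a toy flash translation layer. This is an added Python illustration, not code from the article or from any SSD vendor. The class, the geometry (128 pages of 4 KB per block), the zero-byte read for unmapped addresses and the payloads are all constructed assumptions.

```python
# Constructed toy model, not vendor firmware. Assumed geometry: 128 x 4 KB pages per block.
PAGES_PER_BLOCK = 128

class ToySSD:
    def __init__(self, blocks):
        self.flash = [[None] * PAGES_PER_BLOCK for _ in range(blocks)]  # None = erased
        self.l2p = {}        # logical page number -> (block, page)
        self.stale = set()   # physical pages unmapped by TRIM, not yet erased
        self.cursor = 0      # next free physical page (append-only writes)

    def write(self, lpn, data):
        self.trim(lpn)                       # an overwrite leaves a stale copy behind
        b, p = divmod(self.cursor, PAGES_PER_BLOCK)
        self.cursor += 1
        self.flash[b][p] = data
        self.l2p[lpn] = (b, p)

    def trim(self, lpn):
        # TRIM only drops the mapping; the flash cells are untouched for now
        if lpn in self.l2p:
            self.stale.add(self.l2p.pop(lpn))

    def read(self, lpn):
        # Logical (SATA-level) view: an unmapped address reads back as zeros (assumed)
        loc = self.l2p.get(lpn)
        return self.flash[loc[0]][loc[1]] if loc else b"\x00"

    def garbage_collect(self):
        # Per the article: a block holding any still-allocated page is not erased
        live, erased = set(self.l2p.values()), []
        for b, block in enumerate(self.flash):
            used = {(b, p) for p, d in enumerate(block) if d is not None}
            if used and not (used & live):
                self.flash[b] = [None] * PAGES_PER_BLOCK
                self.stale -= used
                erased.append(b)
        return erased

    def residue(self):
        # Physical view: stale payloads still present in flash
        return sorted(self.flash[b][p] for b, p in self.stale)

def demo():
    ssd = ToySSD(blocks=2)
    for lpn in (0, 1):                       # 2-page file sharing block 0 ...
        ssd.write(lpn, b"small-file-%d" % lpn)
    for lpn in range(2, 128):                # ... with a file that stays allocated
        ssd.write(lpn, b"kept-file")
    for lpn in range(128, 256):              # block 1: one file filling the block
        ssd.write(lpn, b"big-file")
    for lpn in [0, 1, *range(128, 256)]:     # delete the small file and the big file
        ssd.trim(lpn)
    return ssd.read(0), ssd.garbage_collect(), ssd.residue()
```

`demo()` returns the logical read of the trimmed address, the list of blocks the collector erased, and the payloads that remain in flash: the block-filling file is gone, while the two-page file survives physically even though its logical address already reads as erased.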
However, the implementation of the DRAT protocol
by many recent SSD drives makes trimmed pages inaccessible via standard SATA commands. If a particular SSD
drive implements DRAT or DZAT, the actual data may
physically reside on the drive for a long time, yet it will be
unavailable to forensic specialists via standard acquisition
techniques. Sending the SSD drive to the manufacturer
might be the only way of obtaining this information on a
Small Files: MFT Attributes
Most hard drives used in Windows systems use NTFS as
their file system. NTFS stores information about the files
and directories in the Master File Table (MFT). MFT