FALL 2014 www.DFInews.com 17
contains information about all files and directories listed in the file system. In other words, each file or directory has at least one record in the MFT.
In terms of computer forensics, one particular feature of the MFT is of great interest. Unique to NTFS is the ability to store small files directly in the file system. The entire content of a small file can be stored as an attribute inside an MFT record, greatly improving reading performance and decreasing wasted disk space (“slack” space).
As a result, deleted small files do not go anywhere: their entire content continues to reside in the file system. The MFT records are not emptied and are not affected by the TRIM command. This in turn allows investigators to recover such resident files by carving the file system.
How small does a file have to be to fit inside an MFT record? Very small. The maximum size of a resident file cannot exceed 982 bytes. Obviously, this severely limits the value of resident files for the purpose of digital forensics.
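An added example, not from the article or from Belkasoft's tools, of the record-level parsing a carver performs to recover resident files: it undoes the NTFS update-sequence fixups, walks the attributes of a FILE record and returns the unnamed resident $DATA content together with the in-use flag, so deleted records surface with their content intact. The field offsets are the documented NTFS on-disk layout; the sample records are constructed in the script rather than taken from a real disk.

```python
import struct

SECTOR, RECORD_SIZE = 512, 1024
ATTR_DATA, END_MARKER, FLAG_IN_USE = 0x80, 0xFFFFFFFF, 0x01

def apply_fixups(rec: bytearray) -> bytearray:
    # NTFS stamps the update sequence number (USN) over the last 2 bytes of each sector; restore the saved originals.
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_cnt):
        if rec[i * SECTOR - 2:i * SECTOR] != usn:
            raise ValueError("USN mismatch: torn write or not a FILE record")
        rec[i * SECTOR - 2:i * SECTOR] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return rec

def resident_data(record: bytes):
    # (in_use, content) of the first unnamed resident $DATA, or None; a deleted file keeps both record and content.
    if len(record) != RECORD_SIZE or record[:4] != b"FILE":
        return None
    rec = apply_fixups(bytearray(record))
    pos, flags = struct.unpack_from("<HH", rec, 0x14)   # offset of first attribute, record flags
    while pos + 16 <= RECORD_SIZE:
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == END_MARKER or alen < 16:
            break
        if atype == ATTR_DATA and rec[pos + 8] == 0 and rec[pos + 9] == 0:   # resident and unnamed
            clen, coff = struct.unpack_from("<IH", rec, pos + 16)
            return bool(flags & FLAG_IN_USE), bytes(rec[pos + coff:pos + coff + clen])
        pos += alen
    return None

def carve_resident(image: bytes):
    # Scan a raw image or $MFT dump one 1 KiB record at a time: list of (record_no, in_use, content).
    return [(n // RECORD_SIZE, *found) for n in range(0, len(image) - RECORD_SIZE + 1, RECORD_SIZE)
            if (found := resident_data(image[n:n + RECORD_SIZE]))]

def build_record(content: bytes, in_use: bool) -> bytes:
    # Constructed test record, not from a real disk: minimal header, one resident $DATA, fixups stamped.
    rec = bytearray(RECORD_SIZE)
    struct.pack_into("<4sHH", rec, 0, b"FILE", 0x30, 3)                   # USA at 0x30: USN + 2 saved words
    struct.pack_into("<HH", rec, 0x14, 0x38, FLAG_IN_USE if in_use else 0)
    alen = (24 + len(content) + 7) & ~7                                    # attribute length, 8-byte aligned
    hdr = struct.pack("<IIBBHHHIHBB", ATTR_DATA, alen, 0, 0, 24, 0, 0, len(content), 24, 0, 0)
    rec[0x38:0x38 + 24 + len(content)] = hdr + content
    struct.pack_into("<I", rec, 0x38 + alen, END_MARKER)
    rec[0x30:0x32] = usn = b"\x07\x00"
    for i in (1, 2):                                                       # save the originals, stamp the USN
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[i * SECTOR - 2:i * SECTOR]
        rec[i * SECTOR - 2:i * SECTOR] = usn
    return bytes(rec)
```

Records whose sector-end bytes do not match the USN are rejected rather than parsed, which is the check a carver needs against torn or misaligned records.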
Why Real SSDs are Often Recoverable
In reality, things may look different from what was described above. In our lab we’ve seen hundreds of SSD drives acquired from a variety of computers. Surprisingly, we were able to successfully carve deleted data from the majority of SSD drives taken from inexpensive laptops and sub-notebooks such as the ASUS Eee or ASUS Zenbook. Why? There are several reasons, mainly “cost savings” and “miniaturization,” but sometimes it’s simply over-engineering.
1. Inexpensive laptops often use flash-based storage, calling it an SSD in their marketing. In fact, in most cases it’s just slow, inexpensive, and fairly small flash-based storage that has nothing to do with real SSD drives.
2. Ultrabooks and sub-notebooks have no space to fit a full-size SSD drive. They used to use SSD drives in a PCIe form factor (as opposed to M.2 or mSATA) which did not support the SATA protocol. Even if these drives are compatible with the TRIM protocol, Windows does not support TRIM on non-ATA devices. As a result, TRIM is not enabled on these drives.
3. SSD drives are complex devices requiring complex firmware to operate. Many SSD drives were released with buggy firmware that effectively disables the effects of TRIM and garbage collection. If the user has not upgraded his or her SSD firmware to a working version, the original data may reside on the SSD drive for a long time.
4. The fairly small (and inexpensive) SSD drives used in many entry-level notebooks lack support for DRAT/DZAT (Deterministic Read After Trim / Deterministic Zeroes After Trim). As a result, deleted (and trimmed) data remain accessible for a long time, and can be successfully carved from a promptly captured disk image.
5. On the other end of the spectrum are the very high-end, over-engineered devices. For example, Acer advertises its Aspire S7-392 as having a RAID 0 SSD. According to Acer marketing, “RAID 0 solid state drives are up to 2X faster than conventional SSDs. Access your files and transfer photos and movies quicker than ever!” This looks like over-engineering. As TRIM is not enabled on RAID SSDs in any version of Windows, this ultra-fast non-conventional storage system may slow down drastically over time (which is exactly why TRIM was invented in the first place). For us, this means that any data deleted from these storage systems could remain there for at least as long as it would have remained on a traditional magnetic disk. Of course, the use of the right chipset (such as Intel H67, Z77, Z87, H87, Z68) accompanied by the correct drivers (the latest RST driver from Intel allegedly works) can in turn enable TRIM. However, we have yet to see how this works in reality. (http://www.anandtech.com/show/6477/trim-
SSD forensics remains different. SSDs self-destroy court evidence, making it difficult to extract deleted files and recover destroyed information. Numerous exceptions still exist, allowing forensic specialists to access destroyed evidence on SSD drives used in certain configurations.
More SSD drives appear to follow the Deterministic Read After Trim approach defined in the SATA standard set a long time ago. This in turn means that a quick format is likely to instantly render deleted evidence inaccessible to standard read operations, even if the drive is acquired with forensic write-blocking imaging hardware immediately
SSD drives are getting more complex, using over-provisioning support for better performance and wear leveling. However, because of the increased complexity, even seasoned manufacturers have released SSD drives with buggy firmware, causing improper operation of TRIM and garbage collection functionality. Considering just how complex today’s SSD drives have become, it’s surprising these things do work, even occasionally.
The playing field is constantly changing, but what we know now about SSD forensics gives hope.
Yuri Gubanov is a computer forensics expert and a frequent speaker at industry conferences. Yuri is the Founder and CEO of Belkasoft, the manufacturer of computer forensic software empowering police departments in more than 60 countries.
Oleg Afonin is an expert in digital forensics, a researcher in the area of digital security, and a specialist in data recovery.