ready to go. If we were using our Etch-A-Sketch illustration, we would have a small pile of blank toys, ready to
go. In the world of flash memory, we accomplish a similar
thing by having extra blocks always available for use. In
SSD terminology, these extra blocks are referred to as overprovision space. They are an absolute requirement for
long-term, reliable operation of SSD devices:
1. They provide a steady pool of empty blocks, ready for
the next write operations. This saves the time of reading,
clearing, and rewriting an existing block for a write operation.
2. They allow the SSD to always select the least used
block from the available pool of empty blocks! This allows
us to understand another key design element of SSD storage devices: wear leveling.
3. When an SSD is aware that a particular block will no
longer be used, it can move it into the available pool of
wear leveling blocks. Using free time, it can clear the block
so that it is ready to be re-written at some future point in
Another key in understanding SSDs is how to tie these
facts together: The constantly changing pool of empty
blocks, along with the desire to always pick the least used
block, requires the SSD to maintain a pointer table of
where each block currently resides. This pointer table is
called the Logical to Physical Block Address Translation
Table, or LBA–PBA translation table.
The bottom line is that the physical location of any
block within the SSD device will almost certainly not
match the external Logical Block Address.
The final key in this puzzle, especially from a forensic
basis, is to grasp the fact that the operating system can
speed operation of the SSD by alerting it to potentially
re-usable blocks through the use of the “TRIM” command.
This command is a recent innovation in storage architecture, and it lets the OS tell the SSD storage device that a
particular area of that storage device is available for clearing
and re-use. For instance, after a file has been deleted
by the user, the OS will tell the SSD drive to “TRIM” that
area encompassing the deleted file. After receiving the
“TRIM” command, the SSD will usually take the blocks
in question, move them out of logical file space, and into
overprovision space, where they will be eventually cleared
of data and marked for re-use.
The operation of “TRIM” would seem to be a huge problem for the forensic investigator, and indeed, it usually is.
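A minimal model of the mechanisms described above (overprovision pool, least-used block selection, the LBA–PBA translation table, and TRIM), added here as an illustration and not taken from the original article or from any vendor's firmware. The class, its method names, and the sample data are constructed, and the model assumes writes stay within the logical block range.

```python
# Toy flash translation layer (constructed model; all names are hypothetical).
class ToySSD:
    def __init__(self, logical_blocks, spare_blocks):
        total = logical_blocks + spare_blocks      # spare = overprovision space
        self.flash = [None] * total                # physical block contents
        self.erases = [0] * total                  # per-block wear counter
        self.free = set(range(total))              # erased blocks ready for writes
        self.stale = set()                         # retired blocks awaiting erase
        self.l2p = {}                              # LBA -> PBA translation table

    def write(self, lba, data):
        if not self.free:
            self.garbage_collect()                 # no erased block left: reclaim
        # Wear leveling: pick the least-erased free block (ties: lowest PBA).
        pba = min(self.free, key=lambda b: (self.erases[b], b))
        self.free.remove(pba)
        self.flash[pba] = data
        if lba in self.l2p:                        # never overwrite in place:
            self.stale.add(self.l2p[lba])          # the old copy just goes stale
        self.l2p[lba] = pba

    def trim(self, lba):
        # OS reports the LBA as unused: unmap it and queue its block for erase.
        pba = self.l2p.pop(lba, None)
        if pba is not None:
            self.stale.add(pba)

    def garbage_collect(self):
        # Idle-time cleanup: erase stale blocks and return them to the pool.
        for pba in sorted(self.stale):
            self.flash[pba] = None
            self.erases[pba] += 1
            self.free.add(pba)
        self.stale.clear()

    def read(self, lba):
        pba = self.l2p.get(lba)
        return None if pba is None else self.flash[pba]

def demo():
    ssd = ToySSD(logical_blocks=4, spare_blocks=2)
    for lba, data in enumerate(["A0", "B0", "C0", "D0"]):
        ssd.write(lba, data)
    ssd.write(1, "B1")                 # rewrite lands on a spare block
    ssd.write(0, "A1")
    ssd.trim(2)                        # the file holding C0 is deleted
    before_gc = list(ssd.flash)        # raw physical view before idle cleanup
    ssd.garbage_collect()
    return ssd, before_gc, list(ssd.flash)
```

In the raw physical view, the live data ends up in the order D0, B1, A1 even though the logical order is A1, B1, D0, and the trimmed block C0 survives only until the next garbage collection pass.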
Forensic Response to SSDs
It is possible to remove flash chips from an SSD and image
these chips using hardware products from various vendors,
a process which is referred to as dechipping. This represents a brute-force forensic imaging solution, but is fraught
with problems, the least of which is that internal (physical)
sectors of the SSD have been effectively randomized
through the LBA–PBA table. As a result, any data removed from the flash chips may be unusable, as the block
order appears in a random manner.
The TRIM instruction set eliminates
the ability to recover deleted data on
SSDs. Instead of merely flagging a spot
on an SSD as allocated for new data, it
immediately purges the areas of the SSD
where the deleted data resided.
Another problem with dechipping is that SSD devices
often compress their internal information using proprietary
compression schemes. This produces better wear-leveling
characteristics (because, over time, less data is written internally to the SSD), but this obscures potential information
for the forensic investigator.
The “TRIM” command is also a real problem for digital
The recovery of “deleted” information on a hard
drive is a significant component of many digital forensics assignments. On most computers today, a digital
forensics expert can often recover information that a
user believes he or she has deleted. This information is
available because rather than immediately deleting the
associated data, the operating system merely marks the
data as “unallocated,” meaning the space the deleted
file takes up on the hard drive can be overwritten with
new data at some point in the future but remains untouched until then. As a result, unless a user has purposefully used software or another method to overwrite
unallocated space, an expert may find fragments of a