Digital Forensics - Summer 2013

deleted file on the computer hard drive and put them together to reconstruct some or all of the original file.

The TRIM instruction set, however, eliminates the ability to recover data on SSDs in this way. Instead of merely flagging a spot on an SSD as allocated for new data, it immediately purges the areas of the SSD where the deleted data resided. The instruction is intended to enhance computer performance by expediting access to available space on a drive; TRIM purges the deleted data before the operating system gets around to it. The effect, though, is that no remnants of the deleted data remain on the TRIM-enabled SSD for an expert to dig out later. If a fraud perpetrator, for example, deletes some incriminating files from his SSD, and the TRIM command is enabled, that evidence will immediately disappear, for now and forever. 3

Here are my recommendations for Forensic Investigators:

1. Logical data on a SSD storage device is still logical data! It should be imaged like any other storage device.

2. Because of their makeup, SSDs use wear leveling and overprovisioning. These techniques cause junk data to be deleted, sometimes in milliseconds. Deleted files are also treated as junk data, at least in modern operating systems (Windows 7, OS X LION), by utilizing the Trim command. Unfortunately for the forensic investigator, they may be gone forever.

3. Due to the nature of flash memory devices in SSDs, any command causing a format or secure erase of the disk might cause a complete wipeout of all data within minutes (or even seconds, or even milli-seconds!). At this time, there is no recovery from this. A possible defense is disconnecting power from the SSD before the flash erasing begins.

4. While write-blockers may stop the TRIM command from reaching a hard drive, they do not stop a SSD drive from executing internal wear-leveling algorithms.

5. Due to the nature of SSD controllers, it appears possible for the hash of a source binary SSD drive image to change over time, even though the logical image of that same storage device does not change! This is due to the background clearing of unused blocks which have been identified by the drive for inclusion in the wear-leveling pool.

6. There is anecdotal evidence throughout the SSD industry that implementation of commands such as operating system Format command and the AT Secure Erase command are unevenly implemented among competing vendors. 4

7. Unlike rotating media, SSDs are all about remapping logical blocks (those which the operating system can see) into physical blocks (those which can only be seen within the SSD). The court system is interested in the logical block address structure (the disk image), not the physical block address structure. In order to be clear, you need

to be aware that you are presenting testimony about the LBA structure (logical) of the disk in question—not the physical structure. If you could see the physical structure of the SSD, it might be hard to recognize. Ironically, rotating media has been doing this remapping for decades—bad sectors, phantom NTFS file structures, and HPAs all come to mind.

8. Dechipping is a technique of looking into physical blocks within a SSD, but only provides a window into what our forensic practice is really after—logical files.

SSDs are a game changer for forensic investigators. Investigators with insight into their operation will have certainty that the evidence has been properly and completely gathered.

References (Etch-A-Sketch is a TradeMark of the Ohio Art Company)

1. http://www.snia.org/sites/default/files/SSSI_NAND_Reliabil- ity_White_Paper_0.pdf 2. https://www.snia.org/sites/default/education/tutorials/2009/ spring/solid/JonathanThatcher_NandFlash_SSS_PerformanceV10- nc.pdf 3. http://www.crowehorwath.com/folio-pdf/BIS12901_ExpertPosi- tioningArticle_lo.pdf 4. http://cseweb.ucsd.edu/users/swanson/papers/Fast2011Se- cErase.pdf For further reading on SSDs: • http://www.etch-a-sketch.com/index.html • http://www.imation.com/PageFiles/83/SSD-Reliability-Lifetime- White-Paper.pdf • http://download.intel.com/support/ssdc/hpssd/sb/intel_ssd_opti-mizer_white_paper_rev_ 2.pdf • http://www.myharddrivedied.com/blog/blog-tags/ssd-hard-drives-interview-cyberspeak-forensics-ovie-carroll • http://en.wikipedia.org/wiki/Write_amplification • http://nvsl.ucsd.edu/sanitize/ • http://cseweb.ucsd.edu/users/swanson/papers/TR-cs2011-0963- Safe.pdf • research.microsoft.com/en-us/projects/flashlight/winhec08-ssd. pptx • http://flashdoctor.salvationdata.com/ • http://www.acelaboratory.com/pc3000flash.php • http://www.gillware.com/docs/SSD_whitepaper.pdf • http://flash-extractor.com/ • http://www.centon.com/flash-products/chiptype • http://www.tomshardware.com/reviews/ssd-520-sandforce-re- view-benchmark, 3124-11.html • www.hardwaresecrets.com/ • http://www.crowehorwath.com/folio-pdf/BIS12901_ExpertPosi- tioningArticle_lo.pdf • http://en.wikipedia.org/wiki/Flash_memory • http://www.quora.com/Derek-Chew/answers

James Wiebe is well known in the computer forensic profession. Along with his wife, Kathy, he started Wiebe Tech in 2000 and grew it into a leading hardware forensic company. After selling Wiebe Tech to CRU in 2008, James has remained active with the company through an active calendar of conference speaking, product development, and customer engagement.