deleted file on the computer hard drive and put them
together to reconstruct some or all of the original file.
The TRIM instruction set, however, eliminates the
ability to recover data on SSDs in this way. Instead of
merely flagging a spot on an SSD as allocated for new
data, it immediately purges the areas of the SSD where
the deleted data resided. The instruction is intended to
enhance computer performance by expediting access
to available space on a drive; TRIM purges the deleted
data before the operating system gets around to it. The
effect, though, is that no remnants of the deleted data
remain on the TRIM-enabled SSD for an expert to
dig out later. If a fraud perpetrator, for example, deletes
some incriminating files from his SSD, and the TRIM
command is enabled, that evidence will immediately
disappear, for now and forever. 3
Here are my recommendations for Forensic Investigators:
1. Logical data on a SSD storage device is still logical
data! It should be imaged like any other storage device.
2. Because of their makeup, SSDs use wear leveling and
overprovisioning. These techniques cause junk data to be
deleted, sometimes in milliseconds. Deleted files are also
treated as junk data, at least in modern operating systems
(Windows 7, OS X LION), by utilizing the Trim command.
Unfortunately for the forensic investigator, they may be
3. Due to the nature of flash memory devices in SSDs,
any command causing a format or secure erase of the disk
might cause a complete wipeout of all data within minutes (or even seconds, or even milli-seconds!). At this
time, there is no recovery from this. A possible defense is
disconnecting power from the SSD before the flash erasing
4. While write-blockers may stop the TRIM command
from reaching a hard drive, they do not stop a SSD drive
from executing internal wear-leveling algorithms.
5. Due to the nature of SSD controllers, it appears possible
for the hash of a source binary SSD drive image to change over
time, even though the logical image of that same storage device
does not change! This is due to the background clearing of
unused blocks which have been identified by the drive for
inclusion in the wear-leveling pool.
6. There is anecdotal evidence throughout the SSD
industry that implementation of commands such as operating system Format command and the AT Secure Erase
command are unevenly implemented among competing
7. Unlike rotating media, SSDs are all about remapping
logical blocks (those which the operating system can see)
into physical blocks (those which can only be seen within
the SSD). The court system is interested in the logical
block address structure (the disk image), not the physical block address structure. In order to be clear, you need
to be aware that you are presenting testimony about the
LBA structure (logical) of the disk in question—not the
physical structure. If you could see the physical structure of
the SSD, it might be hard to recognize. Ironically, rotating
media has been doing this remapping for decades—bad
sectors, phantom NTFS file structures, and HPAs all come
8. Dechipping is a technique of looking into physical
blocks within a SSD, but only provides a window into
what our forensic practice is really after—logical files.
SSDs are a game changer for forensic investigators.
Investigators with insight into their operation will have
certainty that the evidence has been properly and completely gathered.
(Etch-A-Sketch is a TradeMark of the Ohio Art Company)
For further reading on SSDs:
• http://download.intel.com/support/ssdc/hpssd/sb/intel_ssd_opti-mizer_white_paper_rev_ 2.pdf
James Wiebe is well known in the computer forensic profession. Along with his wife, Kathy, he started Wiebe Tech in 2000
and grew it into a leading hardware forensic company. After
selling Wiebe Tech to CRU in 2008, James has remained active
with the company through an active calendar of conference
speaking, product development, and customer engagement.