SSD Forensics

Watch this video in its entirety….

http//youtu.be/vLoYduckmuo

I don't have 45 minutes. Is there a precis available?

@ Scottyxx - Can anyone give me some training resources / tips on what to do with SSDs?

I am imaging one right now, and not sure what to expect. Can anyone shine some light on the matter?

Am I likely to recover any deleted files? Will the auto-wearleveling feature mess up my evidence?

Isn't everything we do in CF based on time consumption?? In any case, this is a good video describing the operations of an SSD and how it relates to what we do. The question posed here is what to expect of an imaged SSD, and wearleveling - answers some of the questions posed.

Is there some governing body that says all SSD drives must behave the same?

I would think that there would be varying operations from manufacturer to manufacturer and even between different models from the same manufacturer.

From the few posts here form people that have tested already there are different results. I have an SSD drive which I can see deleted files on, I've not done any sort of testing beyond hooking it up and looking in Xways but the very fact that there are deleted files recoverable seems to fly in the face of some peoples assumptions that all unallocated clusters are zeroed out when the drive is powered up.

A SSD drive itself has no knowledge if a sector is unallocated space or not. It is upto the device driver on the host to send the drive the Trim message to say 'these sectors are now free'.

I would speculate that if you put an SSD drive on an old Windows 98 system and deleted the files no Trim command would be sent.

If the actual logic for an unallocated sector was part of the SSD logic, then it would need to know all past, and all future file systems.

And as adam10541 says, why should all systems work in the same way.

A SSD drive itself has no knowledge if a sector is unallocated space or not. It is upto the device driver on the host to send the drive the Trim message to say 'these sectors are now free'.

..

And as adam10541 says, why should all systems work in the same way.

I think you've answered your own question there. TRIM is an ATA command, and I think it would be hard to find an SSD which didn't support ATA commands )

I think that by the time most of us here see an SSD HDD (i.e, post-seizure) then what is there is there. If there has been some wiping before it came to you, well, so be it - but indicators are that if you merely switch it on (for example, via write-blocker) then you aren't activating garbage collection and you aren't removing evidence.

Is there some governing body that says all SSD drives must behave the same?

Yes and no, they should conform to standards (like ATA) but that doesn't mean that additional features cannot be added by single manufacturers.

I would think that there would be varying operations from manufacturer to manufacturer and even between different models from the same manufacturer.

Exactly )

The TRIM command is an ATA standard AND such command is intended to be issued by the OS (to remain in the MS/Windows world no OS before 7/Server 2008 R2 does implement it) BUT it can be initiated allright by the SSD firmware, as well as idle time Garbage Collection see (example)
http//www.oczenterprise.com/whitepapers/ssds-write-amplification-trim-and-gc.pdf
and I presume that most drive manufacturers have different algorithms to reduce write amplification while keeping wear leveling effective
http//en.wikipedia.org/wiki/Garbage_collection_(SSD)
(just for the record at least some Samsung SSD's can/could "understand" autonomously a NTFS filesystem and decide - without any "intervention" by the OS - what to do with sectors an initiate/operate TRIM like commands automtically)

Right now it seems like everything (and the contrary of everything) is possible. 😯

jaclaz

I've found that when the SSD is in a raid configuration nothing gets overwritten on Windows 7 Professional and files can be carved / recovered. Having a RAID setup appears to disable the TRIM 'overwriting' functionality.

However a separate stand alone non RAID drive will lose all the information contained in a deleted file within seconds of it being deleted. 10-20 seconds in my tests.

Of course this outcome will most likely be completely different with different drives. My test drives were 'Corsair Force' drives. I used 2 x 120 GB SSD for the Software RAID 1 pair and a single 60GB SSD drive for the stand alone test.

[quote="jaclaz"
(just for the record at least some Samsung SSD's can/could "understand" autonomously a NTFS filesystem and decide - without any "intervention" by the OS - what to do with sectors an initiate/operate TRIM like commands automtically)

jaclaz

I would be terrified to use such a drive. A drive should be dumb and do as told. Write a sector, read a sector, and told it can clear a sector down. How it handles these commands is entirely upto a drive, but if I write a sector xxx I want to beable to read that sector until I either overwrite it, or tell the drive to clear it down, with a TRIM like command.

A drive that thinks it knows the file system - including future releases is dangerous.

There must also be danger if an NTFS disk is (quick) reformatted with say Linux leaving many NTFS structures in place.

I would be terrified to use such a drive. A drive should be dumb and do as told. Write a sector, read a sector, and told it can clear a sector down. How it handles these commands is entirely upto a drive, but if I write a sector xxx I want to beable to read that sector until I either overwrite it, or tell the drive to clear it down, with a TRIM like command.

As a matter of fact I personally would like an even dumber kind of drive that doesn't have a (closed source/inaccessible) wear leveling algorithm or "transparent" (to the OS, thus completely "opaque") re-mapping of sectors.
Even on a "standard" modern hard disk the re-mapping of "bad" to "spare" or whatever, summed to on board large caches left "in the hands" of firmware of dubious validity/not tested properly is something I have difficulties in sleeping on with ease, and wait until you have a third stage, the so called hybrid drives, where you will have all mixed up cache (possibly on battery powered RAM), "real" sectors (on platter) and in the middle a SSD
http//en.wikipedia.org/wiki/Hybrid_drive
or, possibly even more complex, adding in it an additional software layer 😯
http//www.ocztechnology.com/synapse-faq
(which BTW "locks" on the machine hardware)
See also the Apple thingy Neddy posted about
http//www.forensicfocus.com/Forums/viewtopic/t=9852/
(cross linking)

jaclaz

Just as a further link about SSD

http//en.wikipedia.org/wiki/Solid-state_drive

..and an "in house" article )
http//articles.forensicfocus.com/2012/10/23/why-ssd-drives-destroy-court-evidence-and-what-can-be-done-about-it/

jaclaz