
SSD's acquisition

11 Posts
7 Users
0 Reactions
1,357 Views
SilesianMan
(@silesianman)
Active Member
Joined: 16 years ago
Posts: 15
Topic starter  

Hi everyone,

I would like to ask you, how do you deal with SSD acquisition?

We all know the issue with TRIM and garbage collection (Hash verification).

Is there any magic step to comply with forensic rules whilst acquiring such drives, or do you just insert the information about this "functionality" into the acquisition protocol?

Best regards,
Karol


   
Quote
EricZimmerman
(@ericzimmerman)
Estimable Member
Joined: 13 years ago
Posts: 222
 

It is what it is, and it has changed things from the 'old way' for sure. You have to be able to articulate why something has changed when things do not match. It's not a problem for active stuff, and most cases rely on active vs only recoverable anyways, so not a HUGE issue IMO.


   
ReplyQuote
Adam10541
(@adam10541)
Honorable Member
Joined: 13 years ago
Posts: 550
 

I've never had an SSD fail to verify hashes after acquisition, so not sure how much of an issue that is in the wild really.


   
ReplyQuote
(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

As I understand it, TRIM etc. will have settled down after maybe 30 mins idle time. If a device is then read with a write blocker, it should have stable hash values on imaging.

If caught in the first 30 mins (or whatever time interval it is, depending on recent activity) the data may not be stable.


   
ReplyQuote
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

Depends whether TRIM is active on the SSD you are examining. An example:

http://arstechnica.com/apple/2015/06/latest-os-x-update-allows-you-to-enable-trim-for-third-party-ssds/

> Pretty much every operating system in use these days supports TRIM, a special ATA command that the OS sends along to an SSD when deleting files on that SSD. The lone exception to that list has been Apple's OS X, which, at least until today, only supported TRIM on its OEM SSDs. If you took a Mac that originally came with a spinning disk and installed an aftermarket SSD in it yourself, the operating system wouldn't use TRIM on the disk, at least not unless you resorted to third-party tools.
>
> With today's OS X 10.10.4 update, however, Apple has added a command line utility that can be used to enable TRIM on third-party SSDs without having to download and install anything. Called trimforce, the utility can be executed from the OS X terminal, and it requires a reboot to start working.

> As I understand it, TRIM etc. will have settled down after maybe 30 mins idle time. If a device is then read with a write blocker, it should have stable hash values on imaging.
>
> If caught in the first 30 mins (or whatever time interval it is, depending on recent activity) the data may not be stable.

Is the 30 minutes from your own personal observations/experience or is there a study that defines "inactive", "settled" or "idle state" in time (..tDuration)?


   
ReplyQuote
(@thefuf)
Reputable Member
Joined: 17 years ago
Posts: 262
 

> I've never had an SSD fail to verify hashes after acquisition, so not sure how much of an issue that is in the wild really.

Tools like FTK Imager don't re-read a source drive for verification after acquisition, so you will not notice that a sector was changed after you copied it to a destination drive.


   
ReplyQuote
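The point made above, that an imager which only re-hashes the destination cannot see a source sector that changed after it was copied, is easy to demonstrate. The following is an added example written for this thread, not code from FTK Imager or any other tool; it uses an in-memory bytearray as a stand-in for the drive, SHA-256 for the hashes, and a zero-fill of one sector as a constructed stand-in for the controller's garbage collection. It also shows the check implied by the "read it again after it has settled" advice earlier in the thread: re-read the source and compare per-sector hashes to find exactly which offsets no longer match the image.

```python
"""Constructed demo: destination-only hash verification misses a
post-copy change on the source, a second read of the source catches it.

Added example, not code from the forum thread or from any imaging tool.
The 'drive' is an in-memory bytearray; real acquisition would read the
block device through a write blocker.
"""
import hashlib

SECTOR = 512


def acquire(source: bytes, sector_size: int = SECTOR):
    """Copy source into an image sector by sector, hashing on the fly.
    Returns (image bytes, whole-image hash, list of per-sector hashes)."""
    image = bytearray()
    whole = hashlib.sha256()
    per_sector = []
    for off in range(0, len(source), sector_size):
        chunk = source[off:off + sector_size]
        image += chunk
        whole.update(chunk)
        per_sector.append(hashlib.sha256(chunk).hexdigest())
    return bytes(image), whole.hexdigest(), per_sector


def verify_image_only(image: bytes, acquisition_hash: str) -> bool:
    """What a destination-only verification does: re-hash the image file
    and compare it with the hash computed during the copy. The source
    drive is never read again, so it cannot detect a change there."""
    return hashlib.sha256(image).hexdigest() == acquisition_hash


def verify_against_source(source: bytes, per_sector: list,
                          sector_size: int = SECTOR):
    """Re-read the source (e.g. after it has been idle for a while) and
    compare per-sector hashes with those recorded during acquisition.
    Returns the byte offsets whose content no longer matches the image."""
    changed = []
    for i, off in enumerate(range(0, len(source), sector_size)):
        chunk = source[off:off + sector_size]
        if hashlib.sha256(chunk).hexdigest() != per_sector[i]:
            changed.append(off)
    return changed


def simulate_garbage_collection(drive: bytearray, sector_index: int,
                                sector_size: int = SECTOR):
    """Constructed stand-in for the controller erasing a 'deleted' sector
    on its own after the copy finished: zero-fills that sector."""
    start = sector_index * sector_size
    drive[start:start + sector_size] = bytes(sector_size)


def demo():
    """Run the scenario; returns (image-only result, changed offsets)."""
    # Constructed 8-sector 'drive', each sector filled with a distinct byte.
    drive = bytearray()
    for i in range(8):
        drive += bytes([0x41 + i]) * SECTOR
    image, acq_hash, per_sector = acquire(bytes(drive))
    # Controller activity after the copy: sector 5 is wiped on the source.
    simulate_garbage_collection(drive, 5)
    image_ok = verify_image_only(image, acq_hash)              # True
    changed = verify_against_source(bytes(drive), per_sector)  # [2560]
    return image_ok, changed


if __name__ == "__main__":
    ok, changed = demo()
    print(f"image-only verification passed: {ok}")
    print(f"source offsets changed since copy: {changed}")
```

The image-only check passes because the image is exactly what was read; only the second pass over the source, with the per-sector hash list kept from the first pass, shows that offset 2560 (sector 5) now differs. In practice that second read is what turns "the hash changed" into "these sectors changed", which is what you need to articulate in the acquisition notes.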
(@thefuf)
Reputable Member
Joined: 17 years ago
Posts: 262
 

> Depends whether TRIM is active on the SSD you are examining.

Trim should not be confused with garbage collection. Forensic issues with SSDs are triggered by garbage collection in most cases. See also http://media.kingston.com/images/ssd/technicalbrief/MKF_608_%20SSDGarbagecollectionTechBrief.pdf


   
ReplyQuote
(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

@trewmte

30 mins is just a figure I pulled out of the air. I went to an F3 presentation a few years ago and seem to remember reports of getting 'deleted' data for about 10 mins.


   
ReplyQuote
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

> @trewmte
>
> 30 mins is just a figure I pulled out of the air. I went to an F3 presentation a few years ago and seem to remember reports of getting 'deleted' data for about 10 mins.

mscotgrove.. ok… thanks for that, good advice… and you may find yourself being referenced for safe working practice…


   
ReplyQuote
(@belkasoft)
Estimable Member
Joined: 17 years ago
Posts: 169
 

> Hi everyone,
>
> I would like to ask you, how do you deal with SSD acquisition?
>
> We all know the issue with TRIM and garbage collection (Hash verification).
>
> Is there any magic step to comply with forensic rules whilst acquiring such drives, or do you just insert the information about this "functionality" into the acquisition protocol?
>
> Best regards,
> Karol

There is no silver bullet or magic. Please refer to the Belkasoft article at http://belkasoft.com/en/ssd-2014


   
ReplyQuote
Page 1 / 2