
SSDs are a game changer for forensic investigators, but insight into their operation can make your case.

Tablet, notebook, and desktop computers are expected to have sales of about 600 million units worldwide in 2013, and a substantial portion of those will be built using Solid State Drives (SSDs). Any browsing at a computer store or online retailer will show many models of notebooks and tablets featuring SSDs, and investigators are already commonly encountering SSDs in many investigations.

Rotating magnetic media (conventional hard drives, for example) and SSDs both accomplish the same thing, but in different ways: they provide a way to store files on a computer system. Hard drives use magnetic spinning platters, while SSDs use flash memory chips.


At this point in the evolution of computers, the operation of conventional hard drives and rotating media is well understood: bits of data are placed onto magnetic media via repositionable recording heads. The data may be randomly accessed by moving the heads over a selected cylinder. All such operations are easily controlled via drive control commands which, for example, allow a sector of information to be read or written.

Flash chips, in contrast, are not as well understood. Complicating matters is the fact that flash memory implementation schemes cause data to be stored within the SSD in a manner which seems to randomly place sectors of any file in any physical sector. (There is no internal linear mapping of sectors in a SSD.)

The placement of sectors is managed by a totally transparent layer within SSDs known as the Logical to Physical Sector Block Address Translation Layer. From the viewpoint of the operating system, the SSD appears just like conventional rotating media. From an internal point of view, the arrangement of sectors minimizes write cycles per unique block, thus increasing the longevity of the drive. More on this important topic later.

Further complicating matters is the fact that operating system vendors and SSD vendors have implemented new commands which streamline SSD operation (thus improving performance) in ways which destroy deleted files.

SSDs create an obvious problem for forensic investigators: What should an investigator do when deleted files are no longer recoverable using standard forensic investigative software?

The answer to this question comes from understanding the basic operation of the SSD, then examining the forensic implications.


SSD Problems
The problem with SSD storage devices is that they use flash memory chips. The problem with flash memory chips is that they suffer two nearly fatal flaws:

1. Over time, with repeated write operations, they wear out. Standard flash lifetimes are up to 100,000 cycles per block before failure is possible.[1]

2. All write operations to the flash memory chips must occur on a block-by-block basis. For practical purposes, it is impossible to overwrite new data in place of old data. (A block within a flash memory chip is similar to, but not the same as, a sector of information.)[2] As a result, for highest SSD performance, it is imperative that we always have a fresh supply of empty SSD blocks, ready to be written with new data. It would take too much time to always have to clear a block before we wrote (or overwrote) new data into that block.

It is easy to illustrate these problems.

Consider a standard File Allocation Table, generic to any operating system: it is frequently rewritten and updated as files are changed on a storage device.

If files on our hypothetical SSD were accessed and changed 100,000 times in a single day (which is easily possible), then, in the absence of corrective technology, the SSD could experience failures soon thereafter. The rewritten sector of FAT data, changed each time the file was updated, would be particularly vulnerable to failure.

The second problem requires us to write a full block of data every time we want to write anything to the SSD.


SSD Implementations Solve the Problems
The common Etch-A-Sketch™ is a helpful illustration for understanding these problems!

Using an Etch-A-Sketch is a lot like using flash memory.

  1. Before writing a new image to the toy, it must be shaken (or erased). The resulting image is a blank silver screen. The blank screen represents our flash memory chip, when it is ready to receive new block information.

  2. It is then possible to write a new image to the toy. Remember that the image is an allegory for anything at all—an image, a file, an Excel spreadsheet, a FAT table, an e-mail. This represents the way in which we’ve written new information to a block in our flash device.

The picture on the Etch-A-Sketch is readable at any time just by looking at it. But if you want to overwrite or change the picture in any way, you have to shake it and start with a blank slate. The constant image shows us that we can view, or read, our data anytime we want.

Using an Etch-A-Sketch, it’s easy to understand how we have to shake the screen back to a cleared state every time we want to write a new image.

With our Etch-A-Sketch as our fundamental illustration, it’s time to introduce a new concept within our flash memory understanding—the concept is Wear Leveling.

Every time we want to modify a block of information on our flash device, we have to make a copy of that information, then clear the original block, then rewrite the block with the modified information. That’s a lot of movement of data, just to change a few bits!

In order to speed this process, it would be helpful to always have a fresh supply of cleared blocks, ready to go. If we were using our Etch-A-Sketch illustration, we would have a small pile of blank toys, ready to go. In the world of flash memory, we accomplish a similar thing, by having extra blocks, always available to use. In SSD terminology, these extra blocks are referred to as overprovision space. They are an absolute requirement for long term, reliable operations of SSD devices:

  1. They provide a steady pool of empty blocks, ready for the next write operations. This saves the time of reading, clearing, and rewriting an existing block for a write operation.
  2. They allow the SSD to always select the least used block from the available pool of empty blocks! This allows us to understand another key design element of SSD storage devices: wear leveling.
  3. When a SSD is aware that a particular block will no longer be used, it can move it into the available pool of wear leveling blocks. Using free time, it can clear the block so that it is ready to be re-written at some future point in time.

Another key in understanding SSDs is how to tie these facts together: The constantly changing pool of empty blocks, along with the desire to always pick the least used block, requires the SSD to maintain a pointer table of where each block currently resides. This pointer table is called the Logical to Physical Block Address Translation Table, or LBA–PBA translation table.

The bottom line is that the physical location of any block within the SSD device will almost certainly not match the external Logical Block Address.

The final key in this puzzle, especially from a forensic basis, is to grasp the fact that the operating system can speed operation of the SSD by alerting it to potentially re-usable blocks through the use of the “TRIM” command. This command is a recent innovation in storage architecture, and it lets the OS tell the SSD storage device that a particular area of that storage device is available for clearing and re-use. For instance, after a file has been deleted by the user, the OS will tell the SSD drive to “TRIM” that area encompassing the deleted file. After receiving the “TRIM” command, the SSD will usually take the blocks in question, move them out of logical file space, and into overprovision space, where they will be eventually cleared of data and marked for re-use.

The operation of “TRIM” would seem to be a huge problem for the forensic investigator, and indeed, it usually is.


Forensic Response to SSDs
It is possible to remove flash chips from a SSD and image these chips using hardware products from various vendors, a process which is referred to as dechipping. This represents a brute-force forensic imaging solution, but is fraught with problems, the least of which is that internal (physical) sectors of the SSD have been effectively randomized through the LBA–PBA table. As a result, any data removed from the flash chips may be unusable, as the block order appears in a random manner.

Another problem with dechipping is that SSD devices often compress their internal information using proprietary compression schemes. This produces better wear-leveling characteristics (because, over time, less data is written internally to the SSD), but this obscures potential information for the forensic investigator.

The “TRIM” command is also a real problem for digital forensic investigators.

The recovery of “deleted” information on a hard drive is a significant component of many digital forensics assignments. On most computers today, a digital forensics expert can often recover information that a user believes he or she has deleted. This information is available because rather than immediately deleting the associated data, the operating system merely marks the data as “unallocated,” meaning the space the deleted file takes up on the hard drive can be overwritten with new data at some point in the future but remains untouched until then. As a result, unless a user has purposefully used software or another method to overwrite unallocated space, an expert may find fragments of a deleted file on the computer hard drive and put them together to reconstruct some or all of the original file.

The TRIM instruction set, however, eliminates the ability to recover data on SSDs in this way. Instead of merely flagging a spot on an SSD as allocated for new data, it immediately purges the areas of the SSD where the deleted data resided. The instruction is intended to enhance computer performance by expediting access to available space on a drive; TRIM purges the deleted data before the operating system gets around to it. The effect, though, is that no remnants of the deleted data remain on the TRIM-enabled SSD for an expert to dig out later. If a fraud perpetrator, for example, deletes some incriminating files from his SSD, and the TRIM command is enabled, that evidence will immediately disappear, for now and forever.[3]

Here are my recommendations for Forensic Investigators:

  1. Logical data on an SSD storage device is still logical data! It should be imaged like any other storage device.
  2. Because of their makeup, SSDs use wear leveling and overprovisioning. These techniques cause junk data to be deleted, sometimes in milliseconds. Deleted files are also treated as junk data, at least in modern operating systems (Windows 7, OS X Lion), by utilizing the TRIM command. Unfortunately for the forensic investigator, they may be gone forever.
  3. Due to the nature of flash memory devices in SSDs, any command causing a format or secure erase of the disk might cause a complete wipeout of all data within minutes (or even seconds, or even milliseconds!). At this time, there is no recovery from this. A possible defense is disconnecting power from the SSD before the flash erasing begins.
  4. While write-blockers may stop the TRIM command from reaching a hard drive, they do not stop an SSD from executing internal wear-leveling algorithms.
  5. Due to the nature of SSD controllers, it appears possible for the hash of a source binary SSD drive image to change over time, even though the logical image of that same storage device does not change! This is due to the background clearing of unused blocks which have been identified by the drive for inclusion in the wear-leveling pool.
  6. There is anecdotal evidence throughout the SSD industry that commands such as the operating system Format command and the ATA Secure Erase command are unevenly implemented among competing vendors.[4]
  7. Unlike rotating media, SSDs are all about remapping logical blocks (those which the operating system can see) into physical blocks (those which can only be seen within the SSD). The court system is interested in the logical block address structure (the disk image), not the physical block address structure. In order to be clear, you need to be aware that you are presenting testimony about the LBA structure (logical) of the disk in question—not the physical structure. If you could see the physical structure of the SSD, it might be hard to recognize. Ironically, rotating media has been doing this remapping for decades—bad sectors, phantom NTFS file structures, and HPAs all come to mind.
  8. Dechipping is a technique of looking into physical blocks within an SSD, but only provides a window into what our forensic practice is really after—logical files.
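To tie together the translation table, the overprovision pool, TRIM and background clearing described earlier, and to show why the hash of a physical (dechipped) image can drift while the logical image stays constant (point 5 above), here is a small Python model written for this article. It is a constructed toy, not any vendor's firmware: the ToySSD class, the demo function and the sample block contents are all made up.

```python
import hashlib
BLOCK = 16  # bytes per block in this toy model (real flash blocks are far larger)
class ToySSD:
    """Toy flash translation layer (constructed for illustration, not any vendor's
    firmware): writes go to the least-worn erased block; replaced blocks are retired
    to the overprovision pool and erased in the background."""
    def __init__(self, logical, physical):
        assert physical > logical                # the surplus is overprovision space
        self.logical = logical
        self.flash = [bytes(BLOCK)] * physical   # erased block = all zero bytes
        self.wear = [0] * physical               # erase count per physical block
        self.lba_to_pba = {}                     # the LBA-PBA translation table
        self.erased = set(range(physical))       # pool ready for the next write
        self.dirty = set()                       # retired; stale data still present
    def write(self, lba, data):
        pba = min(self.erased, key=lambda p: self.wear[p])   # wear leveling
        self.erased.remove(pba)
        self.flash[pba] = data.ljust(BLOCK, b"\0")[:BLOCK]
        if lba in self.lba_to_pba:               # never overwrite in place: the
            self.dirty.add(self.lba_to_pba[lba]) # old copy stays until erased
        self.lba_to_pba[lba] = pba
    def trim(self, lba):
        # the OS reports the logical block as free; the drive unmaps and retires it
        if lba in self.lba_to_pba:
            self.dirty.add(self.lba_to_pba.pop(lba))
    def background_erase(self):
        # idle-time garbage collection: clear retired blocks so they can be re-used
        for pba in self.dirty:
            self.flash[pba] = bytes(BLOCK)
            self.wear[pba] += 1
        self.erased |= self.dirty
        self.dirty = set()
    def logical_image(self):
        # what an imager sees through the drive interface; unmapped LBAs read as zeros
        return b"".join(self.flash[self.lba_to_pba[l]] if l in self.lba_to_pba
                        else bytes(BLOCK) for l in range(self.logical))
    def physical_image(self):
        # what dechipping yields: every block in physical, not logical, order
        return b"".join(self.flash)

def demo():
    # (logical hash, physical hash, deleted file still in flash?) before/after idle erase
    ssd = ToySSD(logical=4, physical=6)
    ssd.write(0, b"FAT entry v1")
    ssd.write(1, b"evidence.doc")
    ssd.write(0, b"FAT entry v2")   # the FAT rewrite lands in a fresh block
    ssd.trim(1)                     # user deletes the file; the OS issues TRIM
    h = lambda b: hashlib.sha256(b).hexdigest()
    snap = lambda: (h(ssd.logical_image()), h(ssd.physical_image()),
                    b"evidence.doc" in ssd.physical_image())
    before = snap()
    ssd.background_erase()          # drive sits idle: retired blocks are cleared
    return before, snap()
```

Before the idle erase the deleted file is still in flash (visible only to dechipping, not through the interface); afterwards the physical hash has changed while the logical hash has not, which is the drift point 5 warns about.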

SSDs are a game changer for Forensic Investigators. Investigators with insight into their operation will have certainty that the evidence has been properly and completely gathered.


References

(Etch-A-Sketch is a trademark of the Ohio Art Company.)

  1. http://www.snia.org/sites/default/files/SSSI_NAND_Reliability_White_Paper_0.pdf
  2. https://www.snia.org/sites/default/education/tutorials/2009/spring/solid/JonathanThatcher_NandFlash_SSS_PerformanceV10-nc.pdf
  3. http://www.crowehorwath.com/folio-pdf/BIS12901_ExpertPositioningArticle_lo.pdf
  4. http://cseweb.ucsd.edu/users/swanson/papers/Fast2011SecErase.pdf

For further reading on SSDs:

  • http://www.etch-a-sketch.com/index.html
  • http://www.imation.com/PageFiles/83/SSD-Reliability-Lifetime-White-Paper.pdf
  • http://download.intel.com/support/ssdc/hpssd/sb/intel_ssd_optimizer_white_paper_rev_2.pdf
  • http://www.myharddrivedied.com/blog/blog-tags/ssd-hard-drives-interview-cyberspeak-forensics-ovie-carroll
  • http://en.wikipedia.org/wiki/Write_amplification
  • http://nvsl.ucsd.edu/sanitize/
  • http://cseweb.ucsd.edu/users/swanson/papers/TR-cs2011-0963-Safe.pdf
  • research.microsoft.com/en-us/projects/flashlight/winhec08-ssd.pptx
  • http://flashdoctor.salvationdata.com/
  • http://www.acelaboratory.com/pc3000flash.php
  • http://www.gillware.com/docs/SSD_whitepaper.pdf
  • http://flash-extractor.com/
  • http://www.centon.com/flash-products/chiptype
  • http://www.tomshardware.com/reviews/ssd-520-sandforce-review-benchmark,3124-11.html
  • www.hardwaresecrets.com/
  • http://www.crowehorwath.com/folio-pdf/BIS12901_ExpertPositioningArticle_lo.pdf
  • http://en.wikipedia.org/wiki/Flash_memory
  • http://www.quora.com/Derek-Chew/answers

James Wiebe is well known in the computer forensic profession. Along with his wife, Kathy, he started WiebeTech in 2000 and grew it into a leading hardware forensic company. After selling WiebeTech to CRU in 2008, James has remained active with the company through an active calendar of conference speaking, product development, and customer engagement.
