Digital Forensics for Solid State Drives (SSDs)
In recent years, there has been a change in the computer data storage industry. While hard drives (HDDs) have historically been the champions of storage, solid state drives (SSDs) have seen tremendous market growth due to a combination of rising storage capacities and falling prices. Technological advances are a large reason for this change, with advances such as 3D NAND allowing for greater data storage density, which over time contributes to a lower cost per gigabyte. With more SSDs flooding the global market, forensic examiners are likely to see more of these devices as time goes on, making SSD forensics an increasingly important expertise area for forensics labs.
Solid State Drive Overview
Solid state drives are remarkable pieces of technology. Unlike a hard drive’s rapidly spinning platters with magnetic substrate to store data, SSDs don’t have any moving parts. Instead they rely on electrons for data storage. By default, the transistors in the NAND chips of an SSD don’t contain electrons. When writes are performed to the drive, electrons are sent to the individual memory cells. Once electrons are in a cell, the charge state is altered and the cell is therefore storing data. By varying the number of electrons in a cell, multiple charge states are achievable and data storage density can be increased. This is called MLC, or Multi-level cell NAND.
MLC NAND is used in most solid state drives in production today, though SLC (single-level cell), which is NAND with only two potential charge states per cell, is favored in the enterprise space for its increased reliability and performance. SLC is considered more reliable because there is a greater tolerance between charge states, as the cell can only be on or off. With MLC NAND, more charge states with smaller error tolerances for each means a greater probability of errors occurring. The tradeoff is that users can store much more data in MLC drives than in SLC drives.
One thing to note with SSDs is the difference between reading/writing and erasing data. While data can be read or written to individual pages of data, it can only be erased in blocks, which are composed of multiple pages. To put it simply, it’s a little like using an etch-a-sketch. Users can make little black lines on the screen wherever they want, but those lines can only be erased if the whole screen is erased by shaking the etch-a-sketch. In this case, the pages are the little black lines and the screen is the block. This difference between pages and blocks makes erasing much more time intensive than reading or writing to a drive. It can also cause some complications for examiners in SSD forensics cases due to features such as garbage collection and TRIM.
Challenges in SSD Forensics
While by no means an exhaustive list of potential issues for forensic examiners, garbage collection and TRIM are particularly relevant because they are unique to solid state drives. Garbage collection is a function of the firmware of the drive and is used to help free up space where files have been erased by the operating system. To explain the concept of erased files more, erased files aren’t really gone until garbage collection actually resets a block. Before garbage collection resets the block, erased files are simply marked as free space by the operating system. This is one of the reasons deleted files are sometimes able to be recovered.
Typically, the garbage collection program doesn’t know about erased files until the operating system tries to save new files over them. Since the space with the erased files isn’t free yet, it moves the new files to another location and marks the previously erased files for garbage collection. Since blocks are the smallest groups of data that can be erased, garbage collection has to first migrate all the good data in the block somewhere else before it is able to wipe the whole block. Wear leveling can be initiated at this point, but not always.
So how does garbage collection affect forensic examiners? Since garbage collection is a function of the drive itself, it can occur whenever power is supplied to the drive and therefore can run whether or not forensic examiners want it to. This can mean a few things. First, hashes may be different when acquiring multiple images of a drive since the garbage collection feature might move some data and erase other data as it sees fit. Second, erased data might not be recoverable even if data has been previously located in unallocated blocks. While not always the case, garbage collection could begin during a recovery after powering the device on, eradicating the deleted data and making a recovery impossible.
This problem is exacerbated by TRIM, which is a function of the OS. TRIM helps the process of garbage collection by marking erased files and letting the drive know they are ready for garbage collection. Instead of the drive having to stumble upon deleted files, it can proactively get rid of them since the operating system has told it to do so. Basically, it increases the chances that garbage collection will occur on deleted files and decreases the chances of successfully recovering that deleted data. On the positive side, since TRIM is a function of the OS and isn’t compatible with certain drives/operating systems, it can either be disabled or simply isn’t a factor in some SSD forensics cases.
SSD Forensics Services by Gillware
Our engineers have years of experience working with solid state drives and are familiar with the many issues that can arise when working on them, including the ones described above. Though not all of these issues are avoidable, every precaution is taken by our engineers to ensure that any preventable issues don’t occur when working on a case. In fact, our Director of Research and Development, Greg Andrzejewski, pioneered many of the SSD data recovery techniques that are used in our lab today. His expertise goes hand in hand with President Cindy Murphy’s 17 years working in digital forensics, meaning SSD-based cases are in good hands with Gillware.
With our world-class digital forensics experts and the right tools to handle difficult cases, use Gillware for all your SSD forensics needs.