Introduction
In today’s computers, traditional hard disk drives (HDDs)
are being rendered obsolete by solid state drives (SSDs) that are faster,
smaller, and more reliable. (Domingo, 2015) SSDs accounted for
13.6% of total PC storage sold in 2013, but are predicted to account for over
33% in 2017. (Kingsley-Hughes, 2013) Popular computers
like Apple’s Macbook Pro and Air lines now exclusively use SSD memory. From the
user’s perspective, an SSD is a drop-in replacement for a HDD, but their
underlying method of operation is fundamentally different and presents several
unique challenges to forensic investigators.
SSD Method of Operation
Consumer SSDs consist of multiple NAND flash memory cells,
where data is stored, and a microcontroller that interfaces between the memory
cells and the computer. It is much faster to read NAND flash memory than to
write to it, and manufacturers of SSDs have employed a variety of techniques
such as TRIM, wear-leveling, hardware compression, and overprovisioning to
overcome the slow write speeds of NAND flash. These technologies impact the
ability of forensic investigators to make forensically sound copies of SSDs and
recover deleted data.
TRIM
How It Works
Unlike magnetic storage like HDDs, the NAND flash storage
used in SSDs needs to be erased before being re-written. Data is written to
NAND memory in “pages” of 4 or 8KB each, but can only be erased in “blocks”
that contain hundreds of pages. Since erasing and re-writing hundreds of pages
is a slow operation, SSDs write data to empty pages first rather than erase
deleted blocks. If this operation was left unchecked, however, the SSD will
suffer severe performance degradation once empty space has been used up. The
TRIM function was created to prevent this from happening by telling SSD
controllers to erase deleted blocks as part of a background process. When data
is deleted or re-written with TRIM enabled, the SSD queues the block to a background
process known as the “garbage collector” which erases the blocks on during idle
time. As a result, the performance impact of erasing deleted blocks is hidden
from the user and fresh blocks remain available for writing. Practically all
modern SSDs support TRIM. (Gubanov, 2012) (Belkasoft,
2014)
TRIM’s Impact on Forensics
Since TRIM commands are executed by the SSD microcontroller,
it is impossible to stop once started. TRIM commands will finish even if the
SSD is powered cycled. Additionally, a re-format command will cause TRIM to
clear the whole partition. This means that a forensic investigator will not be
able to read deleted data from a TRIM-enabled SSD, and users can effectively
erase whole partitions just seconds before acquisition.
There is a notable exception to this, however, involving
files smaller than 2MB. Since these files will take up less than 1 block of
NAND space, they will not be subject to TRIM if that same block also contains
part of a non-deleted file. There are several other limitations: TRIM is
disabled if the operating system doesn’t support it or if the physical
interface doesn’t transmit TRIM commands. The USB interface, for example,
doesn’t support TRIM and therefore deleted data may be recovered from external
USB SSDs. (Belkasoft, 2014) Generally, pre-configured PCs with
internal SSDs will have TRIM properly configured.
Wear-Leveling
How it Works
Wear-leveling is a feature in SSDs that increase speed and
longevity by distributing data across the whole drive. NAND has limited life
compared to HDDs: each block on an NAND chip can only be erased 10 to 100
thousand times before becoming unusable. To ensure no blocks fail prematurely,
SSD manufacturers built wear-leveling algorithms into SSD microcontrollers to
ensure that each memory block is written to equally. There are two types of
wear-leveling: dynamic wear leveling algorithms distribute new data across the blocks
with the least number of previous writes, and static wear-leveling also cycles
existing data out of less-used blocks so that all blocks can be written to
equally. (Memon,
2009)
Both of these types of wear-leveling hinder the abilities of forensic
investigators.
Wear-Leveling’s Impact on Forensics
Dynamic and static wear-leveling result in extreme
fragmentation of data in the physical NAND chips, since data is not store
sequentially but rather in whatever blocks have the least number of previous
writes. This fragmentation is not predictable. If the chips were to be removed
from the SSD to be examined with a custom-built reader, a process known as
chip-off, it is difficult and sometimes impossible to re-combine the resulting data
into whole files. (Memon, 2009)
Static wear-leveling presents the additional challenge of
invalidating cypto-hashes. Forensic investigators generate a cryptographic hash
of an acquired drive before and after imaging the drive to prove that the drive
was not tampered with during the process. They also take a hash of the image
and compare it to the hash of the drive to ensure that their image is a perfect
copy of the original. If the drive is an SSD with static wear-leveling,
however, the wear-leveling process can move blocks around in the background as
soon as the drive is powered on, resulting in a different hash before and after
imaging. The wear-leveling process, like TRIM, is executed by the SSD’s
internal microcontroller and therefore cannot be stopped unless the NAND chips
are physically removed from the circuit board. (Wiebe, 2013)
Compressing Controllers
How it Works
As explained earlier, the NAND flash chips used in SSDs have
limited read-write lifespans. To prolong the life of NAND chips, some SSD
manufactures use microcontrollers (Sandforce is a well-known brand) that
compress data on the fly before writing it to NAND. By reducing the amount of
data written to the NAND cells, compressing controllers can significantly
improve the lifespan of SSDs. (Memon,
2009)
Compressing Controllers’ Effect on Forensics
Since these compression algorithms are proprietary to the
chipset manufacturer, there’s currently no way to decompress data through
off-chip analysis short of sending the drive to the manufacturer. This is an
expensive and time-consuming process that is reserved for only the most
critical investigations. If a forensic investigator acquires a drive equipped
with a compressing controller, the only option is to use acquire the image
through the SSD’s interface and risk forensic spoilage as a result of static
wear-leveling.
Overprovisioning and Secure Erase
How it Works
Since NAND blocks have limited life expectancy, SSD
manufacturers often incorporate extra NAND capacity in their devices to take
the place of prematurely failing NAND. This practice is known as overprovisioning.
Since this extra memory is not directly accessible to the consumer, concerns
were raised by the US government about the ability to securely erase the
contents of SSDs. The secure erase command addresses this concern by sending a
TRIM command to every available block on the SSD, including these “backup”
blocks. When properly implemented, secure erase completely destroys all data on
the SSD. (Gubanov, 2012)
Secure Erase’s Effect on Forensics
Using secure erase, a SSD user can destroy digital evidence
much faster than with a HDD. Secure erase takes just minutes rather than hours
as in HDDs, so it’s feasible that a suspect can issue a secure erase command
immediately before the acquisition of the device- for example by seeing
investigators outside his/her window. As with individual file deletion, secure
erase is ultimately processed by the SSD microcontroller and therefore can’t be
stopped once started unless de-chipped.
Conclusion
SSDs have been engineered to overcome the limitations of
NAND flash memory, and the resulting technologies pose real challenges to
forensic investigators. As a general rule, it is much easier for users to
securely delete data and much harder for forensic investigators to recover
deleted data from SSDs. Background processes like static wear leveling make it
harder for investigators to prove cryptographically that drives weren’t
tampered with, and even processes like chip-off where the NAND chips are
physically read without the interference of the controller will often fail due
to fragmentation or compression. As SSDs increase in popularity, digital
forensics will face greater challenges recovering evidence from computing
devices unless significant innovations are made in the field.
Bibliography
Belkasoft. (2014, September 23). Recovering
Evidence from SSD Drives in 2014: Understanding TRIM, Garbage Collection and
Exclusions. Retrieved from Forensic Focus:
http://articles.forensicfocus.com/2014/09/23/recovering-evidence-from-ssd-drives-in-2014-understanding-trim-garbage-collection-and-exclusions/
Domingo, J. S. (2015, February 17). PCWorld.
Retrieved from SSD vs. HDD: What's the Difference?:
http://www.pcmag.com/article2/0,2817,2404258,00.asp
Gubanov, Y. (2012, October). Why SSDs Destroy
Cort Evidence, and What Can Be Done About It. Retrieved from Belkasoft:
https://belkasoft.com/en/why-ssd-destroy-court-evidence
Kingsley-Hughes, A. (2013, May 7). SSDs set to
grab over one third of PC storage solutions market by 2017: IHS. Retrieved
from ZDNet:
http://www.zdnet.com/article/ssds-set-to-grab-over-one-third-of-pc-storage-solutions-market-by-2017-ihs/
Memon, N. (2009, December 14). Challenges of SSD
Forensic Analysis. Retrieved from Digital Assembly:
http://digital-assembly.com/technology/research/talks/challenges-of-ssd-forensic-analysis.pdf
Wiebe, J. (2013, May 28). Forensic Insight into
Solid State Drives. Retrieved from Forensic Mag:
http://www.forensicmag.com/articles/2013/05/forensic-insight-solid-state-drives
Great post! I'm doing a research project on overcoming challenges in SSD digital forensics, and this blog post provides a concise and organized summary of the challenges as well as useful references.
ReplyDelete