Thursday, June 18, 2015

Unique Challenges in SSD Forensics

Introduction

In today’s computers, traditional hard disk drives (HDDs) are being rendered obsolete by solid state drives (SSDs) that are faster, smaller, and more reliable. (Domingo, 2015) SSDs accounted for 13.6% of total PC storage sold in 2013, but are predicted to account for over 33% in 2017. (Kingsley-Hughes, 2013) Popular computers like Apple’s Macbook Pro and Air lines now exclusively use SSD memory. From the user’s perspective, an SSD is a drop-in replacement for an HDD, but its underlying method of operation is fundamentally different and presents several unique challenges to forensic investigators.

SSD Method of Operation

Consumer SSDs consist of multiple NAND flash memory cells, where data is stored, and a microcontroller that interfaces between the memory cells and the computer. It is much faster to read NAND flash memory than to write to it, and manufacturers of SSDs have employed a variety of techniques such as TRIM, wear-leveling, hardware compression, and overprovisioning to overcome the slow write speeds of NAND flash. These technologies impact the ability of forensic investigators to make forensically sound copies of SSDs and recover deleted data.

TRIM

How It Works

Unlike magnetic storage such as HDDs, the NAND flash storage used in SSDs must be erased before it can be re-written. Data is written to NAND memory in “pages” of 4 or 8KB each, but can only be erased in “blocks” that contain hundreds of pages. Since erasing and re-writing hundreds of pages is a slow operation, SSDs write data to empty pages first rather than erase deleted blocks. If this behaviour were left unchecked, however, the SSD would suffer severe performance degradation once the empty space had been used up. The TRIM function was created to prevent this by telling SSD controllers to erase deleted blocks as part of a background process. When data is deleted or re-written with TRIM enabled, the SSD queues the block for a background process known as the “garbage collector”, which erases the blocks during idle time. As a result, the performance impact of erasing deleted blocks is hidden from the user and fresh blocks remain available for writing. Practically all modern SSDs support TRIM. (Gubanov, 2012) (Belkasoft, 2014)

TRIM’s Impact on Forensics

Since TRIM commands are executed by the SSD microcontroller, they are impossible to stop once started. TRIM commands will finish even if the SSD is power cycled. Additionally, a re-format command will cause TRIM to clear the whole partition. This means that a forensic investigator will not be able to read deleted data from a TRIM-enabled SSD, and users can effectively erase whole partitions just seconds before acquisition.
There is a notable exception to this, however, involving files smaller than 2MB. Since such a file takes up less than one block of NAND space, it will not be subject to TRIM if the same block also contains part of a non-deleted file. There are several other limitations: TRIM is disabled if the operating system doesn’t support it or if the physical interface doesn’t transmit TRIM commands. The USB interface, for example, doesn’t support TRIM, and therefore deleted data may be recovered from external USB SSDs. (Belkasoft, 2014) Generally, pre-configured PCs with internal SSDs will have TRIM properly configured.
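The paragraph above makes TRIM’s effect conditional on the drive, the interface and the operating system all cooperating, so the first thing an examiner wants to establish is whether those conditions held. The Python below is an added example, not part of the original post: it parses the TRIM-related lines that hdparm -I prints on Linux (the feature-line text is what hdparm emits; the sample outputs themselves are constructed, and a USB bridge that does not pass TRIM through simply leaves those lines absent) and the value reported by fsutil behavior query DisableDeleteNotify on Windows, then combines the two into a verdict. The hdparm result describes the interface the drive is attached to at the moment the command runs, which is exactly the USB caveat described above; the fsutil value must come from the evidence system’s own configuration.

```python
import re

# Constructed sample of `hdparm -I` output for an internal SATA SSD; only the
# lines relevant to TRIM are reproduced (the line text matches hdparm's own).
HDPARM_INTERNAL_SATA = """\
ATA device, with non-removable media
Commands/features:
    Enabled Supported:
       *    SMART feature set
       *    Data Set Management TRIM supported (limit 8 blocks)
       *    Deterministic read ZEROs after TRIM
"""

# Constructed sample for a drive behind a USB bridge that does not pass TRIM
# through: the TRIM feature lines are simply absent from the identify data.
HDPARM_USB_BRIDGE = """\
ATA device, with non-removable media
Commands/features:
    Enabled Supported:
       *    SMART feature set
"""

# Constructed samples of `fsutil behavior query DisableDeleteNotify` (Windows).
FSUTIL_TRIM_ON = "NTFS DisableDeleteNotify = 0  (Disabled)\nReFS DisableDeleteNotify = 0  (Disabled)\n"
FSUTIL_TRIM_OFF = "NTFS DisableDeleteNotify = 1  (Enabled)\n"


def drive_trim_capability(hdparm_identify):
    """What the drive advertises about TRIM over the interface it is attached to."""
    caps = {
        "trim_supported": "Data Set Management TRIM supported" in hdparm_identify,
        "reads_zeros_after_trim": "Deterministic read ZEROs after TRIM" in hdparm_identify,
    }
    limit = re.search(r"TRIM supported \(limit (\d+) block", hdparm_identify)
    caps["trim_limit_blocks"] = int(limit.group(1)) if limit else None
    return caps


def windows_os_sends_trim(fsutil_output):
    """DisableDeleteNotify = 0 means the OS issues TRIM; 1 means it does not.
    Returns None when the value cannot be found in the output."""
    m = re.search(r"DisableDeleteNotify\s*=\s*([01])", fsutil_output)
    return None if m is None else m.group(1) == "0"


def deleted_data_expectation(drive_caps, os_sends_trim):
    """Combine both checks into the question an examiner actually asks:
    should deleted data on this drive be assumed trimmed?"""
    if not drive_caps["trim_supported"]:
        return "trim-not-passed: interface or drive does not expose TRIM"
    if os_sends_trim is None:
        return "trim-unknown: OS setting not determined"
    if os_sends_trim:
        return "trim-active: deleted sectors likely erased or read back as zeros"
    return "trim-off-in-os: drive supports TRIM but the OS does not send it"
```

Run the two parsers on the real command output captured from the workstation and the evidence system, and record the verdict alongside the acquisition notes; the "not passed" case is the one in which deleted data may still be worth carving.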

Wear-Leveling

How it Works

Wear-leveling is a feature of SSDs that increases speed and longevity by distributing data across the whole drive. NAND has a limited life compared to HDDs: each block on a NAND chip can only be erased 10 to 100 thousand times before becoming unusable. To prevent any block from failing prematurely, SSD manufacturers built wear-leveling algorithms into SSD microcontrollers so that each memory block is written to equally. There are two types of wear-leveling: dynamic wear-leveling algorithms distribute new data across the blocks with the fewest previous writes, and static wear-leveling also cycles existing data out of less-used blocks so that all blocks can be written to equally. (Memon, 2009) Both types of wear-leveling hinder the abilities of forensic investigators.

Wear-Leveling’s Impact on Forensics

Dynamic and static wear-leveling result in extreme fragmentation of data in the physical NAND chips, since data is not stored sequentially but rather in whichever blocks have the fewest previous writes. This fragmentation is not predictable. If the chips are removed from the SSD to be examined with a custom-built reader, a process known as chip-off, it is difficult and sometimes impossible to re-combine the resulting data into whole files. (Memon, 2009)
Static wear-leveling presents the additional challenge of invalidating cryptographic hashes. Forensic investigators generate a cryptographic hash of an acquired drive before and after imaging the drive to prove that the drive was not tampered with during the process. They also take a hash of the image and compare it to the hash of the drive to ensure that their image is a perfect copy of the original. If the drive is an SSD with static wear-leveling, however, the wear-leveling process can move blocks around in the background as soon as the drive is powered on, resulting in a different hash before and after imaging. The wear-leveling process, like TRIM, is executed by the SSD’s internal microcontroller and therefore cannot be stopped unless the NAND chips are physically removed from the circuit board. (Wiebe, 2013)
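The page-versus-block behaviour described under TRIM (including the exception for a small deleted file that shares a block with live data) and the background relocation that static wear-leveling performs can both be watched in a toy flash translation layer. The model below is an added illustration, not code from the original post or from any SSD vendor; its geometry (4 blocks of 4 four-byte pages), the rule that unmapped pages read back as zeros, and the file contents are constructed assumptions. It shows that a fully deleted file vanishes from the NAND once the garbage collector runs, that the small deleted file survives in the NAND (reachable only by chip-off, not through the interface) until the live data next to it is relocated, and that static wear-leveling changes the raw NAND image and the live file’s physical location while leaving the logical view unchanged.

```python
import hashlib

# Constructed toy geometry; real SSDs have hundreds of 4-8 KB pages per block.
PAGES_PER_BLOCK, BLOCKS, PAGE_SIZE = 4, 4, 4
ERASED = b"\xff" * PAGE_SIZE
FREE, VALID, INVALID = "free", "valid", "invalid"


class ToySSD:
    """Minimal flash translation layer (FTL), constructed for illustration: writes
    land on free pages, TRIM only marks pages invalid, the garbage collector erases
    blocks with no valid page, and static wear-leveling relocates live data."""

    def __init__(self):
        self.nand = [[ERASED] * PAGES_PER_BLOCK for _ in range(BLOCKS)]
        self.state = [[FREE] * PAGES_PER_BLOCK for _ in range(BLOCKS)]
        self.erase_count = [0] * BLOCKS
        self.l2p = {}  # logical page number -> (block, page)

    def _free_page(self, avoid=None):
        # Dynamic wear-leveling: hand out free pages from the least-erased block.
        for blk in sorted(range(BLOCKS), key=lambda i: self.erase_count[i]):
            if blk == avoid:
                continue
            for pg in range(PAGES_PER_BLOCK):
                if self.state[blk][pg] == FREE:
                    return blk, pg
        raise RuntimeError("no free page; garbage collection needed")

    def _erase(self, blk):
        self.nand[blk] = [ERASED] * PAGES_PER_BLOCK
        self.state[blk] = [FREE] * PAGES_PER_BLOCK
        self.erase_count[blk] += 1

    def write(self, lpn, data, avoid=None):
        if lpn in self.l2p:  # overwrite: the stale copy stays in NAND until erased
            blk, pg = self.l2p[lpn]
            self.state[blk][pg] = INVALID
        blk, pg = self._free_page(avoid)
        self.nand[blk][pg] = data
        self.state[blk][pg] = VALID
        self.l2p[lpn] = (blk, pg)

    def trim(self, lpn):
        blk, pg = self.l2p.pop(lpn)
        self.state[blk][pg] = INVALID  # the bytes stay until the block is erased

    def garbage_collect(self):
        # Background erase of blocks holding invalid pages but no valid one; a
        # block that still holds a live page keeps its deleted pages intact.
        for blk in range(BLOCKS):
            if INVALID in self.state[blk] and VALID not in self.state[blk]:
                self._erase(blk)

    def static_wear_level(self):
        # Move live pages out of the least-erased block and erase it so it can
        # absorb new writes; the logical view does not change.
        blk = min(range(BLOCKS), key=lambda i: self.erase_count[i])
        for lpn, (b, pg) in list(self.l2p.items()):
            if b == blk:
                self.write(lpn, self.nand[b][pg], avoid=blk)
        self._erase(blk)

    def logical_image(self, npages):
        # Host view through the interface; unmapped pages read as zeros (assumption).
        pages = [self.nand[self.l2p[lpn][0]][self.l2p[lpn][1]] if lpn in self.l2p
                 else b"\x00" * PAGE_SIZE for lpn in range(npages)]
        return b"".join(pages)

    def physical_dump(self):
        # Chip-off view: every page in physical order, controller bypassed.
        return b"".join(pg for blk in self.nand for pg in blk)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def run_scenario():
    """Write three files, TRIM two of them, then let background processes run."""
    ssd = ToySSD()
    # Constructed contents: a 4-page file filling one block, a 1-page file, and a
    # 2-page file that is never deleted and shares the second block with it.
    files = [b"BIG0", b"BIG1", b"BIG2", b"BIG3", b"SML0", b"LIV0", b"LIV1"]
    for lpn, data in enumerate(files):
        ssd.write(lpn, data)
    for lpn in range(5):  # delete BIG and SML
        ssd.trim(lpn)
    logical_before = sha256(ssd.logical_image(len(files)))
    before_gc = ssd.physical_dump()
    ssd.garbage_collect()
    after_gc = ssd.physical_dump()
    live_before = [ssd.l2p[5], ssd.l2p[6]]
    ssd.static_wear_level()
    after_wl = ssd.physical_dump()
    return {
        "big_in_nand_before_gc": b"BIG0" in before_gc,
        "big_in_nand_after_gc": b"BIG0" in after_gc,
        "small_in_nand_after_gc": b"SML0" in after_gc,  # shared-block exception
        "small_via_interface": b"SML0" in ssd.logical_image(len(files)),
        "small_in_nand_after_wl": b"SML0" in after_wl,
        "logical_hash_stable": sha256(ssd.logical_image(len(files))) == logical_before,
        "physical_hash_stable": sha256(after_gc) == sha256(after_wl),
        "live_pages_moved": [ssd.l2p[5], ssd.l2p[6]] != live_before,
    }
```

Calling run_scenario() returns each finding as a boolean. In this model the hash of the logical image stays constant across the background activity while the hash of the raw NAND changes, so which hash drifts during an acquisition depends on whether the image was taken through the controller or by chip-off; real controllers may additionally change what they return for trimmed sectors, which the model does not reproduce.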

Compressing Controllers

How it Works

As explained earlier, the NAND flash chips used in SSDs have limited read-write lifespans. To prolong the life of NAND chips, some SSD manufacturers use microcontrollers (Sandforce is a well-known brand) that compress data on the fly before writing it to NAND. By reducing the amount of data written to the NAND cells, compressing controllers can significantly improve the lifespan of SSDs. (Memon, 2009)

Compressing Controllers’ Effect on Forensics

Since these compression algorithms are proprietary to the chipset manufacturer, there’s currently no way to decompress data through off-chip analysis short of sending the drive to the manufacturer. This is an expensive and time-consuming process that is reserved for only the most critical investigations. If a forensic investigator acquires a drive equipped with a compressing controller, the only option is to acquire the image through the SSD’s interface and risk forensic spoilage as a result of static wear-leveling.

Overprovisioning and Secure Erase

How it Works

Since NAND blocks have limited life expectancy, SSD manufacturers often incorporate extra NAND capacity in their devices to take the place of prematurely failing NAND. This practice is known as overprovisioning. Since this extra memory is not directly accessible to the consumer, concerns were raised by the US government about the ability to securely erase the contents of SSDs. The secure erase command addresses this concern by sending a TRIM command to every available block on the SSD, including these “backup” blocks. When properly implemented, secure erase completely destroys all data on the SSD. (Gubanov, 2012)

Secure Erase’s Effect on Forensics

Using secure erase, an SSD user can destroy digital evidence much faster than with an HDD. Secure erase takes just minutes rather than the hours required for HDDs, so it’s feasible for a suspect to issue a secure erase command immediately before the acquisition of the device, for example upon seeing investigators outside his/her window. As with individual file deletion, secure erase is ultimately processed by the SSD microcontroller and therefore can’t be stopped once started unless the drive is de-chipped.

Conclusion

SSDs have been engineered to overcome the limitations of NAND flash memory, and the resulting technologies pose real challenges to forensic investigators. As a general rule, it is much easier for users to securely delete data and much harder for forensic investigators to recover deleted data from SSDs. Background processes like static wear-leveling make it harder for investigators to prove cryptographically that drives weren’t tampered with, and even processes like chip-off, where the NAND chips are physically read without the interference of the controller, will often fail due to fragmentation or compression. As SSDs increase in popularity, digital forensics will face greater challenges recovering evidence from computing devices unless significant innovations are made in the field.



Bibliography

Belkasoft. (2014, September 23). Recovering Evidence from SSD Drives in 2014: Understanding TRIM, Garbage Collection and Exclusions. Retrieved from Forensic Focus: http://articles.forensicfocus.com/2014/09/23/recovering-evidence-from-ssd-drives-in-2014-understanding-trim-garbage-collection-and-exclusions/
Domingo, J. S. (2015, February 17). SSD vs. HDD: What's the Difference? Retrieved from PCWorld: http://www.pcmag.com/article2/0,2817,2404258,00.asp
Gubanov, Y. (2012, October). Why SSDs Destroy Court Evidence, and What Can Be Done About It. Retrieved from Belkasoft: https://belkasoft.com/en/why-ssd-destroy-court-evidence
Kingsley-Hughes, A. (2013, May 7). SSDs set to grab over one third of PC storage solutions market by 2017: IHS. Retrieved from ZDNet: http://www.zdnet.com/article/ssds-set-to-grab-over-one-third-of-pc-storage-solutions-market-by-2017-ihs/
Memon, N. (2009, December 14). Challenges of SSD Forensic Analysis. Retrieved from Digital Assembly: http://digital-assembly.com/technology/research/talks/challenges-of-ssd-forensic-analysis.pdf
Wiebe, J. (2013, May 28). Forensic Insight into Solid State Drives. Retrieved from Forensic Mag: http://www.forensicmag.com/articles/2013/05/forensic-insight-solid-state-drives

1 comment:

  1. Great post! I'm doing a research project on overcoming challenges in SSD digital forensics, and this blog post provides a concise and organized summary of the challenges as well as useful references.