Research

SSD and eMMC Forensics 2016 – Part 2

What Has Changed in 2016 in the Way SSD Drives Self-Destruct Evidence. Demystifying eMMC, M.2, NVMe, and PCI-E.

by Yuri Gubanov, Oleg Afonin
© Belkasoft Research 2016

In the first part of this article, we reviewed different kinds of the most commonly used modern SSDs (M.2, PCI-E, NVMe devices) and talked about acquisition of these devices. In this part of the article, we will talk about external SSDs and eMMC and will cover trimming of eMMC.

The Advent of eMMC Storage

eMMC is a storage specification for flash-based non-volatile storage used in many compact and mobile devices. You will find eMMC storage in most Android smartphones, Android and Windows tablets, and in some of the less expensive Windows convertibles, low-end netbooks and ultra-portable devices, particularly those equipped with smaller displays and Intel Atom CPUs. eMMC storage has a lot in common with SD cards, and lacks sophistication and parallelism of SSD drives.

Traditionally, SSD drives have been large and expensive. Recent generations of Windows tablets, convertibles and ultra-light nettops (most of which are built around Intel Atom chip sets) employ a much smaller, cheaper and slower kind of storage in the form of eMMC chips. An eMMC chip is essentially an SD card that is built as a BGA chip soldered to the main board. Just like SSD drives, eMMC chips have a built-in controller, although eMMC controllers are considerably simpler and slower compared to those used in SSD drives. As a result, while eMMC may employ many of the same techniques as SSD drives (namely, overprovisioning, remapping, trimming and background erase), they may not implement some other options (e.g. many security features such as DRAT or DZAT). Even if an eMMC controller implements background garbage collection, it is going to work much slower compared to SSD drives since there is only a single channel available that is used for all read and write operations. eMMC chips do not have the massive parallelism of SSD drives, and are much slower to read or write data.

Notably, eMMC standard correctly defines trimming of empty blocks. So what happens to trimmed blocks located on an eMMC chip? Similar to an SSD drive, they may or may not be mapped out of the addressable space at any given time. Unlike SSDs, the eMMC standard does not define either DRAT (definite read after trim) or DZAT (definite zeroes after trim), which leaves it to the eMMC manufacturer to define what exactly the storage controller returns when an attempt is made to read a trimmed data block. In our experience, trimmed blocks that have not yet been erased may still be read by making a physical dump of the eMMC chip (via physical acquisition, JTAG, ISP or chip-off).

Imaged eMMC chips have a much higher probability to retain data in trimmed blocks compared to SSD drives.

Similar to SSD drives, eMMC chips may have an overprovisioned area that is non-addressable and inaccessible from the outside. There is no feasible way of extracting information from the overprovisioned area. The area is invisible to physical acquisition, JTAG, ISP or chip-off since overprovisioned data blocks are not mapped onto available address space. Only the built-in controller has access to these data blocks. No interface is exposed to allow reading them from outside of the chip. Even if you take the chip out and read it directly, you will be unable to access overprovisioned blocks, as chip-off extraction of eMMC chips still relies on sending commands to the eMMC controller.

A Word on External SSDs: The Advent of UASP

In our original article, we claimed that external SSD drives and USB enclosures did not provide trim functionality. Since then, a relatively new development has emerged.

A new storage connectivity protocol was developed specifically for attaching solid-state storage over USB. USB Attached SCSI (UAS or UASP) is a new protocol that uses the standard SCSI command set instead of the older USB Mass Storage protocol available in most current products.

Essentially, the new protocol supports trim pass-through via SCSI “unmap” command. However, in order for trim to work, all of the following conditions must be met:

  • Full hardware support for UASP: computer motherboard, SSD, and storage controller in the enclosure must all support UASP
  • OS support: Windows natively supports UASP since Windows 8
  • Drivers: only a handful of UASP-compliant chipsets have Windows driver support
  • Cable and USB port: UASP will only work if the device is connected with a USB3.0 cable to a USB3.0 port. Connecting with a different cable or using a legacy USB2.0 port will in most cases break compatibility (the drive will still work as a USB Mass Storage device but no trim support will be available)

UASP compliant external storage devices have been around since late 2014, so it is about time we include them in our new article.

More on USB3.0 TRIM support in this AnandTech article.

eMMC: Trimming Behavior in Windows and Android

Trimming behavior differs between Windows and Android devices. Since you are very likely to encounter eMMC memory in an Android smartphone or tablet, we will make a mention of it here, although a more specialized Android literature will give you much more technical detail.

Windows

The trim command is issued to the OS immediately after the operating system releases a data block. Trimming only works on NTFS-formatted partitions. In addition, Windows 8 and later have a built-in disk optimization and defragmentation tool that can run periodically and trim the entire unallocated space on solid-state media. Windows 7 also has a disk defragmentation utility, although it does not come with optimization for solid-state media. In other words, once a file is deleted from an eMMC disk in Windows, you may assume its disk space has been trimmed (but not necessarily erased by the eMMC controller).

Android

Full trim support is only available in Android since version 4.3 Jelly Bean. Moreover, one can be certain that an Android device comes with active trim support if and only if the device originally shipped with Android 4.3 or newer. Many devices that shipped with Android 4.2 that were later updated to Android Kit Kat or even Lollipop never received trim support from their manufacturers (yet some other devices did).

According to Google, some 25% of all active Android devices are running Android 4.2 or earlier. Of those 34% running Kit Kat, an unknown number were updated from earlier versions of Android and did not receive full trim support. What about these older devices then?

Earlier versions of Android relied on Linux fstream for cleaning up unused data blocks. With no ‘live’ trimming available, the cleanup (trimming) was performed every time the device was shut down. This is one of the reasons for ACPO guidelines to exist, detailing the process of seizing and storing mobile devices in their original state (“if it’s turned on, don’t turn it off”).

If you are handling an Android device, and it is one of the older ones, you may be able to dump a physical image of its eMMC chip and have full access to its unallocated space.

Analyzing contents of SSD and eMMC devices with Evidence Center

Once you are through with acquisition part, you will need a reliable forensic tool to examine the data source. Belkasoft Evidence Center is an all-in-one forensic solution that allows investigators to quickly and conveniently discover hundreds of various types of evidence, such as images and videos, documents, chats, browsing histories, system files, databases, and many more. Evidence Center can analyze any operating systems – computer ones as well as mobile ones. The reporting feature is fast and convenient and has multiple options for investigators to choose from, and reports created by the product are accepted by courts worldwide.

Get your hands-on experience in working with Evidence Center! Request a fully functional evaluation license at https://belkasoft.com/trial.

Part 3: Use Cases

The next part of the article will be published in a couple of weeks. It will contain a number of real-life examples of SSD usage and problems that people may face in doing so.

About the authors

Oleg Afonin is an author, expert, and consultant in computer forensics.

Yuri Gubanov is a renowned digital forensics expert. He is a frequent speaker at industry-known conferences such as CEIC, HTCIA, ICDDF, FT-Day, and others. Yuri is the Founder and CEO of Belkasoft, the manufacturer of digital forensic software empowering police departments in about 70 countries. With years of experience in digital forensics and security domain, Yuri led forensic training courses for multiple law enforcement departments in several countries. You can add Yuri Gubanov to your LinkedIn network athttp://linkedin.com/in/yurigubanov.

Contacting the authors

About Belkasoft Research

Belkasoft Research is based in St. Petersburg State University, performing non-commercial researches and scientific activities. A list of articles by Belkasoft Research can be found at https://belkasoft.com/articles.

Discussion

No comments yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 959 other followers

%d bloggers like this: