SSD and eMMC Forensics 2016 – Part 3

What Has Changed in 2016 in the Way SSD Drives Self-Destruct Evidence: Demystifying eMMC, M.2, NVMe, and PCI-E.

by Yuri Gubanov & Oleg Afonin
© Belkasoft Research 2016

In the previous part of the article, we talked about eMMC storage and external SSDs. We also mentioned TRIM when discussing the trimming behavior of eMMC. This time we will talk a bit more about TRIM and then move on to some real-life cases.

More about TRIM: Checking TRIM Support

There are several levels of TRIM support, all of which are worth checking.

  • TRIM support by the SSD drive itself.
  • Whether TRIM is enabled and active on a given system/configuration.
  • Whether TRIM is correctly implemented by the SSD controller.
  • Whether the SSD supports and implements DRAT and DZAT.

Checking whether a particular SSD drive advertises TRIM support is as easy as reviewing its S.M.A.R.T. output, using the manufacturer’s bundled tool (e.g. SSD Toolbox, Samsung Magician and similar) or using a third-party tool such as CrystalDiskInfo.

NOTE: this test simply returns information about the theoretical capability of the SSD drive to support TRIM. It does not mean that TRIM is actually enabled on a given system, and does not certify that TRIM is correctly implemented by the SSD controller.

Checking whether TRIM is enabled in a particular Windows system involves a command-line tool, which must be run from an administrative account. Type “fsutil behavior query DisableDeleteNotify” at the command prompt. If “1” is returned, TRIM is disabled; if “0” is returned, TRIM is enabled (note the inverted logic of the setting’s name). As you can see from the next screenshot, on our system TRIM is enabled (“0” is returned).

NOTE: this test does not alter the content of the SSD drive being checked. However, it only displays whether TRIM is active on a given system. If you perform this test on your computer, it will not give the correct indication on whether or not TRIM was enabled on the suspect’s system.
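The fsutil query above is easy to misread because the flag is inverted and newer Windows builds print one line per file system. The following Python helper, added here and not part of the article, parses that output into a per-file-system “TRIM enabled” map; the sample outputs are constructed, modelled on the single-line (Windows 7) and NTFS/ReFS (Windows 10) formats.

```python
"""Parse 'fsutil behavior query DisableDeleteNotify' into a per-file-system TRIM state."""
import re
import subprocess

# The flag is inverted: DisableDeleteNotify = 1 means TRIM is DISABLED, 0 means ENABLED.
LINE_RE = re.compile(r"^\s*(?:(?P<fs>NTFS|ReFS)\s+)?DisableDeleteNotify\s*=\s*(?P<val>[01])",
                     re.MULTILINE)

def parse_fsutil(output: str) -> dict:
    """Return {file system: True if TRIM is enabled}. Older Windows prints a single
    line without a file-system prefix; that line is reported under the key 'NTFS'."""
    states = {}
    for m in LINE_RE.finditer(output):
        states[m.group("fs") or "NTFS"] = (m.group("val") == "0")
    if not states:
        raise ValueError("no DisableDeleteNotify line found in: " + output.strip())
    return states

def query_live() -> dict:
    """Run fsutil on the machine this script runs on (requires an administrative prompt).
    It reports only this machine's state, never the suspect system's."""
    out = subprocess.run(["fsutil", "behavior", "query", "DisableDeleteNotify"],
                         capture_output=True, text=True, check=True).stdout
    return parse_fsutil(out)

# Constructed sample outputs, modelled on Windows 7 and Windows 10 respectively.
SAMPLE_WIN7 = "DisableDeleteNotify = 0\n"
SAMPLE_WIN10 = ("NTFS DisableDeleteNotify = 1  (Disabled is set)\n"
                "ReFS DisableDeleteNotify = 0  (Disabled is not set)\n")

if __name__ == "__main__":
    for name, sample in (("win7", SAMPLE_WIN7), ("win10", SAMPLE_WIN10)):
        print(name, parse_fsutil(sample))
```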

What is particularly interesting, however, is whether TRIM is fully working on the given SSD drive or not. Normally, once information is deleted, a low-level read of the trimmed blocks returns deterministic data, as specified by Deterministic Read After Trim (DRAT), or a string of zeroes, as specified by Deterministic Zeroes After Trim (DZAT). This is normal behavior in most 2 to 4 year old SSD models. However, many current entry-level SSD drives treat DRAT/DZAT support as a luxury, while some SSD controllers partially forego TRIM because of their built-in compression (SandForce controllers, Intel 535 series).

Checking actual TRIM support involves writing a block of data, deleting it, and reading that block back from the same physical location. If you can still see the data that was originally written to the block, TRIM support is at least partially ineffective (meaning that the data may or may not be erased in the future).

We discovered an open-source SSD TRIM check tool: https://github.com/CyberShadow/trimcheck

Written by Vladimir Panteleev, the tool provides an easy way to test whether TRIM works as expected on a given SSD. Run the tool from the SSD drive you are about to check (administrative privileges are required).

The first time you run the tool, it creates a file filled with pre-defined data, notes the physical sectors occupied by that file, and then deletes the file.

You are then supposed to wait around 20 seconds and launch the tool again; the second run reads the recorded sectors back and reports what it finds.

As we can see, TRIM is working properly on this SSD drive (Crucial M550, an old model superseded by the MX100, MX200, then BX100 and finally BX200). The same test performed on a test system equipped with an Intel 535 series SSD returned a different result, reporting TRIM as not working.

IMPORTANT: SSD Trim Check alters the content of the SSD drive being tested. It is NOT a forensic tool and must NOT be used during an investigation. Trim Check does not function through a write-blocking device.
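To make the write / delete / re-read procedure described above concrete, here is an added Python sketch of it for Linux; it is neither the trimcheck tool’s code nor part of the article. It assumes a Linux host with root, an ext4 (or other FIBMAP-capable) file system on the SSD under test, udev’s /dev/block/MAJ:MIN links, and a state file and marker string of our own choosing; like Trim Check, it writes to the drive, so it belongs on a lab machine only.

```python
import fcntl, json, os, struct, sys

FIBMAP = 1                        # ioctl: logical file block -> physical block on the partition
STATE = "trimcheck_state.json"    # constructed state file carried between the two runs
MARK = b"TRIMCHECK-SAMPLE-BLOCK-" # constructed marker, easy to spot in a hex dump

def make_pattern(bsize, nblocks):
    # Non-zero data, unique per block, so an untrimmed read-back is unmistakable.
    out = bytearray()
    for i in range(nblocks):
        chunk = MARK + str(i).encode().zfill(8) + b"\n"
        out += (chunk * (bsize // len(chunk) + 1))[:bsize]
    return bytes(out)

def classify(written, readback):
    # ORIGINAL = not trimmed, ZEROES = trimmed (DZAT-style), OTHER = anything else.
    if readback == written:
        return "ORIGINAL"
    return "ZEROES" if not any(readback) else "OTHER"

def phase1(path, nblocks=8):
    # Create the probe file on the SSD under test, record its physical blocks, delete it.
    fd = os.open(path, os.O_RDWR | os.O_CREAT | os.O_TRUNC, 0o600)
    bsize = os.fstatvfs(fd).f_bsize
    os.write(fd, make_pattern(bsize, nblocks)); os.fsync(fd)   # fsync forces real allocation
    blocks = [struct.unpack("i", fcntl.ioctl(fd, FIBMAP, struct.pack("i", i)))[0]
              for i in range(nblocks)]
    dev = os.fstat(fd).st_dev
    os.close(fd); os.unlink(path); os.sync()                     # the deletion issues the TRIM
    with open(STATE, "w") as f:                                  # assumes udev's /dev/block/MAJ:MIN
        json.dump({"blocks": blocks, "bsize": bsize, "nblocks": nblocks,
                   "dev": f"/dev/block/{os.major(dev)}:{os.minor(dev)}"}, f)
    return "probe file deleted; wait ~20 s, then rerun without arguments"

def phase2():
    # After ~20 s, read the recorded blocks straight from the partition and tally the verdicts.
    with open(STATE) as f:
        st = json.load(f)
    pattern, tally = make_pattern(st["bsize"], st["nblocks"]), {}
    fd = os.open(st["dev"], os.O_RDONLY)
    os.posix_fadvise(fd, 0, 0, os.POSIX_FADV_DONTNEED)           # avoid a stale page-cache read
    for i, blk in enumerate(st["blocks"]):
        readback = os.pread(fd, st["bsize"], blk * st["bsize"])
        verdict = classify(pattern[i * st["bsize"]:(i + 1) * st["bsize"]], readback)
        tally[verdict] = tally.get(verdict, 0) + 1
    os.close(fd)
    return tally   # all ZEROES: TRIM effective; any ORIGINAL: the data survived, at least for now

if __name__ == "__main__":
    print(phase2() if len(sys.argv) < 2 else phase1(sys.argv[1]))
```

Run it once with a path on the SSD under test (for example a file in the mounted test partition), wait, then run it again without arguments; a mix of ORIGINAL and ZEROES means TRIM was only partially effective.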

Use Cases

Since publishing the original article on SSD forensics, we have received numerous emails with questions, additions and corrections. Some of those messages described interesting use cases that are quite common in the world of digital forensics. In this section, we discuss some of the most popular cases we have become aware of.

Very Slow SSD

Back in 2013, Yuri bought a high-end laptop. Slick, thin and light, his brand new laptop appeared blazingly fast. A year later, the laptop became significantly slower. It started lagging and stuttering, and took much longer than usual to open a Web browser or save a document. Yuri tried factory resetting his laptop, yet it did not do much to speed it up.

As it turned out, Yuri’s ultra-thin laptop was equipped with a PCI-E SSD. Even though his new portable computer arrived with Windows 8 installed at the factory, Yuri did not like the new Start menu and installed Windows 7 instead. As we now know, Windows 7 does not support trim on PCI-E SSDs, so his fairly small disk quickly filled up with remnants of deleted data that were never trimmed. The SSD drive became slow to the point of being almost unusable.

Did Yuri update his laptop to Windows 10, free of charge? This would have solved most issues since Windows 10 supports trim in PCI-E SSDs and comes with a built-in disk optimization tool that would restore his disk to full performance in a matter of minutes. Instead, Yuri used this as an excuse to buy a newer and better laptop, using the old one for presentations about SSD forensics as a demonstration of the fact that trim is not always available.

Lesson to be learned: some systems are best used with the OS they shipped with. Downgrading the OS may introduce unexpected issues.

P.S. The name Yuri is the same as of one of the article’s authors, which is purely coincidental. Though it was him.

Upgrading a Mac

John was a happy Mac OS user. Some years ago, he replaced his hard drive with an SSD. He was well aware that Apple did not support trim on non-Apple SSD drives, yet the speed boost compared to the original hard drive was still significant.

In June 2015, John received an OS update. His system was brought to version 10.10.4 Yosemite. One of the features of the new OS was the ability to enable trim on user-supplied drives.

However, John did not notice any change in storage performance. He had to open the Terminal, run the new “trimforce” tool and reboot to enable trim. He had no issues and received a significant performance boost at no extra charge.

Lesson to be learned: OS updates may change trim behavior. Changes may not be effective automatically, and user actions may be needed to enable trim.

Unexpected Encryption

Sarah enjoyed using her Windows 8 ultrabook until its battery died. Replacing the built-in battery would cost nearly as much as a brand new device (with better specs), so she decided to pull her hard drive and transfer her data to her desktop.

Since the laptop used a small M.2 SSD, she had to buy an M.2 USB adapter to connect the SSD drive to her desktop.

M.2 to USB adapter

When she connected the SSD to her desktop and tried to open the disk, she saw a Windows prompt informing her that the disk was encrypted. Sarah was puzzled as she had never encrypted her disk before.

As it turned out, her ultrabook was equipped with a TPM module and soldered RAM. When Sarah logged in, she was offered to upgrade her Windows account to a Microsoft Account, which she did. What she did not know, however, was that Windows 8 then automatically encrypted her data with BitLocker Device Protection. The decryption key was stored in the TPM module and was not accessible, as the laptop would not power on.

Sarah had to mount the encrypted volume using her BitLocker Recovery Key that Windows backed up to her Windows Account (https://onedrive.live.com/recoverykey). She also learned that her brand-new replacement laptop was also encrypted with BitLocker Device Protection.

Lesson to be learned: be aware of your primary data partition encryption status. Know where your encryption recovery (escrow) keys are stored.

External SSD

Peter is a wedding photographer. He bought an external SSD drive to store images and videos that he showed to his clients. Since Full HD videos are large, he wanted the fastest portable storage solution to minimize transfer times.

Samsung USB3.1 SSD Drive

At first, he was very happy with his new SSD. The disk was writing video files at 450 MB/s. It took less than 10 minutes to fill up the drive. Unfortunately for Peter, after just a few sessions, the SSD was no longer that fast. Write speeds dropped dramatically. Instead of 10 minutes, Peter now had to wait half an hour just to save files to his SSD drive. Did he get a defective drive?

An important fact about SSD technology is that SSD drives are only fast when writing data into empty (erased) cells. Once Peter had used the full capacity of his SSD drive, deleted the files, and started writing a new set of data, the SSD controller had to erase data blocks before it could store new data. Erasing is slow, so SSD manufacturers implemented trimming and background garbage collection in their drives. Trim does not work over a conventional USB connection, and so the external SSD drive demonstrated a dramatic decrease in write speeds.

Lesson to be learned: advertised transfer rates can be misleading. “Up to 450 MB/s” write speeds may only apply to external (USB) SSD drives while they are brand new. Once the disk has been filled up, its write speeds may drop dramatically unless the device and host operate in UASP mode.

External SSD 2

Peter returned his first external SSD, but he still needed a fast external storage device. He read some online forums and discovered that a new communication protocol had been introduced for external SSD drives. UASP (USB Attached SCSI Protocol) compliant devices could potentially reach higher transfer speeds while supporting trim.

Peter went ahead and bought a (much more expensive) UASP model. While this model looked similar to his original drive and still used a USB port to connect to Peter’s computer, its performance was consistently at a high level. Peter enjoyed sustained write speeds of 450 MB/s over and over again.

Lesson to be learned: some USB SSD drives do in fact support trim (via SCSI “unmap” command). We can no longer safely assume that all external USB enclosures are trim-less.

Conclusion

In this article, we have tried to cover the changes that have happened in SSD and eMMC development since the publication of our previous article on the topic in 2014, and to explain the significance of these trends for forensics. Some old things remained unchanged; some got new tweaks in reaction to progressing technology. But if we were to note one trend important for forensics, it would be the fact that the majority of SSD manufacturers have not been competing in terms of technological advancement. Instead, “cheaper and cheaper” has been the name of the game. Thus we have today’s entry-level SSD drives with advertised write speeds of 130-180 MB/s (compare that to the 450-500 MB/s of two-year-old SSDs). Sustained performance is even worse, with low-grade NAND cells and weak controllers hindering performance.

Why does all this matter to SSD forensics? Because many recent-generation SSD drives lack features that seemed mandatory just two years ago. In particular, many drives do not support DZAT or even DRAT (see our original article for definitions). Moreover, some SandForce-based SSDs (such as the new Intel 535 series) do not even trim properly due to the way the controller implements data compression. As a result, you are much more likely to be able to recover information from a recently made budget SSD drive.

About Belkasoft

Founded in 2002, Belkasoft is a global leader in digital forensics technology, known for their sound and comprehensive forensic tools. With a team of professionals in digital forensics, data recovery and reverse engineering, Belkasoft focuses on creating technologically advanced yet easy-to-use products for investigators and forensic experts to make their work easier, faster, and more effective.

With this focus in mind, Belkasoft introduces their flagship product, Belkasoft Evidence Center – an easy-to-use, integrated solution for collecting and analyzing digital evidence from mobile and computer devices. Customers in law enforcement, police, military, business, intelligence agencies, and forensic laboratories in 70+ countries worldwide use Belkasoft Evidence Center to fight homicide, crimes against children, drug trafficking, data leakage, fraud, and other online and offline crimes.

Request a free fully functional trial of Belkasoft Evidence Center: belkasoft.com/trial

About the authors

Oleg Afonin is an author, expert, and consultant in computer forensics.

Yuri Gubanov is a renowned digital forensics expert. He is a frequent speaker at industry-known conferences such as CEIC, HTCIA, TechnoSecurity, FT-Day, DE-Day and others. Yuri is the Founder and CEO of Belkasoft, the manufacturer of digital forensic software empowering police departments in about 70 countries. With years of experience in the digital forensics and security domain, Yuri has led forensic training courses for multiple law enforcement departments in several countries. You can add Yuri Gubanov to your LinkedIn network at http://linkedin.com/in/yurigubanov.

Contacting the authors

You can contact the authors via email: research@belkasoft.com

Follow Belkasoft on Twitter: https://twitter.com/Belkasoft

Subscribe to the blog: https://belkasoft.wordpress.com

About Belkasoft Research

Belkasoft Research is based at St. Petersburg State University, performing non-commercial research and scientific activities. A list of articles by Belkasoft Research can be found at belkasoft.com/articles.
