Having previously worked with a computer forensic team, we had a checklist of standard questions to ask our clients before each engagement so we could prepare the equipment we needed and create a timeline for computer imaging and analysis. Some of these questions included “How many computers need to be imaged?”, “What type of computer (e.g., desktop, laptop, server)?” and “What is the storage size of each computer?”. It was only recently that we added the question “Are you using an SSD for storage?” or, for less technical people, “What are the models of these computers?”, after which we would simply Google the model to find out whether it uses an SSD. But why is knowing whether a computer uses an SSD for storage essential for forensic investigators?
A solid-state drive (SSD) works similarly to a traditional hard disk drive (HDD), but instead of using spinning disk platters, an SSD stores data on flash memory chips. All the memory chips holding your data are accessible simultaneously, unlike an HDD, where the drive must wait for a platter to spin to the desired data location. This makes data access on an SSD much faster, on top of the drive being smaller and lighter than an HDD. [1]
One of the main challenges forensic investigators face with SSDs is recovering deleted files. Because of the way most modern computers delete files on SSDs, it is now more challenging, and often almost impossible, to recover files once they are deleted. As computer forensic investigators, it is vital to communicate these details to manage the client’s expectations.
The next sections will give a general overview of how SSDs process deleted items and the chances that files can still be recovered.
TRIM and Garbage Collection
Recovering deleted files becomes a challenge because of the TRIM function and Garbage Collection. TRIM is a command issued by the operating system to the SSD controller when the user deletes a file, formats the disk, or deletes a partition [2]. Windows has supported this function since Windows 7; older versions (i.e., XP and Vista) do not. Garbage Collection, on the other hand, is a firmware function/module on the SSD that cleans or purges the data blocks marked as deleted.
When a user deletes a file or formats a disk or partition, the operating system sends the TRIM command to the SSD, which then performs the Garbage Collection process. Garbage Collection is implemented in the drive itself, so even if the machine is powered off while the process is ongoing, data cleaning resumes when the computer is powered on again. The process also continues if the drive is extracted and attached to a write-blocker. Below is an illustration of how the TRIM and Garbage Collection process works.
Garbage Collection does not occur if the TRIM command has not been issued. Although purging of data blocks is almost inevitable once the TRIM command has been sent, there are factors and scenarios in which this command is not executed or does not work as intended. Below are some of TRIM’s limitations:
1. TRIM is not supported/enabled in the OS.
2. TRIM does not function in most RAID environments, external SSDs and NAS devices.
3. TRIM is only supported over SATA, eSATA, and SCSI (an SSD connected through USB is unaffected).
4. Many SSD drives were released with buggy firmware, effectively disabling the effects of TRIM and Garbage Collection [2].
5. The file is just corrupted and not deleted.
Under the conditions listed above, recovering deleted files is possible. A file can also be recovered if its size is less than the size of a data block, the smallest unit of storage that can be erased. Recovery is also possible through file carving if the TRIM type being used is DRAT (Deterministic Read After TRIM). Below are the types of TRIM supported in the SATA protocol.
1. Non-deterministic TRIM: each read command after a TRIM may return different data.
2. Deterministic Read After TRIM (DRAT): all read commands after a TRIM shall return the same data, or become determinate.
3. Deterministic Zero After TRIM (DZAT): all read commands after a TRIM shall return zeroes until the page is written with new data.
Sending the TRIMmed SSD to the manufacturer for recovery at the physical level may be a viable proposition if crucial evidence is concerned.
For a more detailed explanation of how SSDs work, you may read the article published by Gubanovis and Afonin [2]: https://articles.forensicfocus.com/2014/09/23/recovering-evidence-from-ssd-drives-in-2014-understanding-trim-garbage-collection-and-exclusions/
Test Performed
Recovery of deleted files was tested on a Lenovo T430 with a 250 GB SSD and a forensic Dell Latitude E6410 with a 250 HDD. The following steps were performed on both laptops.
1. Created three document (.docx) files with the same content on the Desktop
2. Scenario 1: File is not deleted
3. Scenario 2: Delete the file using Right Click -> Delete (to be sent to Recycle Bin)
4. Scenario 3: Permanently delete the file using Shift -> Delete
5. Shut down the machine
6. Extract the drives from the laptop
7. Connect the drive to a write-blocker and view in EnCase
In this test, we will see what Files 1, 2, and 3 look like in EnCase (version 7.12).
TRIM is enabled by default on both laptops. You can check it by executing the command “fsutil behavior query disabledeletenotify” in a Command Prompt, as illustrated in Figure 2.
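As an added example (not code from the original article), the following PowerShell intake check automates the fsutil query above together with the checklist question “is this drive an SSD?”. The bus-type classification follows the TRIM limitations listed earlier; it assumes Windows 8 / Server 2012 or later so that Get-PhysicalDisk is available, and an elevated session so that fsutil can read the setting.

```powershell
# Added example, not code from the original article: a pre-imaging intake
# check that answers "is this an SSD, and is TRIM active?" before shutdown.
# Assumes Windows 8 / Server 2012 or later (Get-PhysicalDisk is in the
# Storage module) and an elevated session so fsutil can query the setting.
function Get-TrimStatus {
    # Windows 7 prints "DisableDeleteNotify = 0"; Windows 10 prints one line
    # per file system, e.g. "NTFS DisableDeleteNotify = 0". 0 = TRIM enabled.
    $lines = & fsutil.exe behavior query DisableDeleteNotify 2>&1
    foreach ($line in $lines) {
        if ($line -match '^(?:(?<fs>\w+)\s+)?DisableDeleteNotify\s*=\s*(?<v>[01])') {
            $fs = if ($Matches['fs']) { $Matches['fs'] } else { 'NTFS' }
            [pscustomobject]@{ FileSystem = $fs; TrimEnabled = ($Matches['v'] -eq '0') }
        }
    }
}

function Get-DriveIntakeReport {
    $ntfsTrim = (Get-TrimStatus | Where-Object FileSystem -eq 'NTFS').TrimEnabled
    foreach ($d in Get-PhysicalDisk) {
        $isSsd = ($d.MediaType -eq 'SSD')
        # Per the article, TRIM is delivered over SATA/eSATA/SCSI paths but
        # usually not to USB-bridged or RAID-member drives.
        $trimPath = switch ($d.BusType) {
            { $_ -in 'SATA', 'ATA', 'SCSI', 'SAS' } { 'reaches drive' }
            { $_ -in 'USB', 'RAID' }                { 'usually not delivered' }
            default                                  { 'verify for this bus' }
        }
        $expect = if (-not $isSsd) {
            'HDD: conventional deleted-file recovery expectations apply'
        } elseif ($ntfsTrim -and $trimPath -eq 'reaches drive') {
            'SSD with TRIM: deleted data likely purged by GC; image promptly, do not boot from the drive'
        } else {
            'SSD, but TRIM likely ineffective: deleted-file recovery has a realistic chance'
        }
        [pscustomobject]@{
            Model = $d.Model; Serial = $d.SerialNumber; MediaType = $d.MediaType
            BusType = $d.BusType; SizeGB = [math]::Round($d.Size / 1GB, 1)
            TrimEnabledNtfs = $ntfsTrim; TrimPath = $trimPath; Expectation = $expect
        }
    }
}

Get-DriveIntakeReport | Format-List
```

The Expectation field is what goes into the engagement notes: it records, per drive, whether the client should be warned that permanently deleted files are probably unrecoverable.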
Below are the screenshots of these three files on each computer, as viewed in EnCase.
Dell Latitude E6410 with 250 HDD
Based on EnCase’s Text view, we can see that the content of the file on the HDD is still intact and can be fully recovered in all three scenarios, despite being marked as deleted in Scenario 3 (Figure 3c). Let’s now see what the file looks like on the SSD.
Lenovo T430 with a 250 GB SSD
In Scenarios 1 and 2 (Figures 4a and 4b), the file is still intact even when sent to the Recycle Bin, so it can still be fully recovered by the software. However, in Scenario 3 (Figure 4c), part of the file has already been overwritten, as denoted by the red characters. Part of the file is still intact, so partial recovery through file carving is still possible. Also note that the filename of the permanently deleted file is still visible because MFT records are not affected by the TRIM and Garbage Collection functions.
Conclusion
Now that we know files are likely to be overwritten on computers using SSDs, is it still necessary to try to recover them? That depends on the nature of the case and the timeline of the engagement. File carving for overwritten files takes more time and will most probably return a lot of “garbage files”, i.e., files (usually system files) of no value to your investigation. But in a critical investigation, you may want to recover as many files as possible to make sure you don’t miss any crucial evidence.
References
[1] J. Martindale, “What is an SSD?” Digital Trends, 6 September 2020. [Online]. Available: https://www.digitaltrends.com/computing/what-is-an-ssd/. [Accessed 17 September 2020].
[2] Y. Gubanovis and O. Afonin, “Recovering Evidence from SSD Drives in 2014: Understanding TRIM, Garbage Collection and Exclusions,” Forensic Focus, 23 September 2014. [Online]. Available: https://www.forensicfocus.com/articles/recovering-evidence-from-ssd-drives-in-2014-understanding-trim-garbage-collection-and-exclusions/. [Accessed 12 August 2019].