www.belkasoft.com
SSD Forensics 2014
Oleg Afonin, Yuri Gubanov
SSD Forensics 2014
• 10% of all laptops sold in 2013 featured SSD drives
• SSD adoption steadily growing
• Samsung expects 30% SSD adoption rate in 2015 and 2016
• SSD forensics important today, essential in nearest future
Solid-state storage technology has arrived
2014 SSD Trend
• More space for less money
• Cunning technologies
• Compressing controllers fading away
• Chip-off acquisition did not take off
Bigger, faster, cheaper
Who Made That SSD?
SSD Forensics: Probability Based
• Whether or not a particular SSD is recoverable depends on numerous factors
• Forensic outcome is impossible to predict
• Rules, exceptions and exceptions from exceptions
• While it’s always worth trying, understanding how and why SSD’s destroy evidence is essential
No definite ‘Yes’ or ‘No’
Checklist
• As an example of how complex the whole TRIM issue is, here’s an excerpt from a Synology document:
• The following is applicable to <list of models> (other NAS models don’t support TRIM at all).
• SSD TRIM is not available when an SHA cluster exists.
• TRIM cannot be enabled on iSCSI LUN.
• The TRIM feature under RAID 5 and 6 configurations can only be enabled on the SSDs with DZAT (Deterministic Read Zero after TRIM) support. Please contact your SSD manufacturers for details on DZAT support.
TRIM support is not a given
Chip-Off Forensics
• Chip-off forensics for SSD’s never took off
• VERY few exceptions
• No all-in-one solution
• Why?
Direct access to flash chips
TEEL Tech BGA Acquisition Toolkit
Chip-Off Forensics
• Existing data extracted via SATA (no such thing for mobile phones)
• SSD internal data structures extremely complex
• Data remapping, shuffling and overprovisioning
• Heavy fragmentation on logical and physical levels due to massively parallel writes
Direct access to flash chips: unfeasible?
Why SSD’s Destroy Evidence
• SSD self-corrosion: a poorly understood phenomenon that permanently destroys deleted evidence
• TRIM and background collection used in all new SSD’s
• On-the-fly compression and constant remapping make off-chip acquisition practically impossible
• Numerous exceptions make destroyed evidence recoverable
SSD technology: wear leveling and performance considerations
Facts about SSD Self-Corrosion
• SSD self-corrosion is a by-product of SSD wear leveling and performance optimization
• Self-corrosion continues even when the SSD is installed in a write-blocking imaging device
• If the self-destruction process has already started, there is no practical way of stopping it
Practical outcome: content of deleted files magically disappears
How TRIM Works (On Paper)
Facts about TRIM and Garbage Collection
• TRIM does not delete data
• TRIM is an advisory measure
• Data is destroyed by background garbage collection
• Data becomes inaccessible because of remapping
• SSD over-provisioning makes intact data blocks non-addressable and inaccessible
TRIM fact sheet
Facts about SSD Over-Provisioning
• SSD over-provisioning makes intact data blocks non-addressable and inaccessible
• Reliability measure and performance aid
• SSD drives have more space than advertised
• No way to access ‘hidden’ blocks
SSD over-provisioning and why it’s important
TRIM: Controversial and Poorly Understood
TRIM: Not Always Supported • Not Always Engaged • Not Always Working
TRIM: Is It Enabled?
TRIM is enabled in most computers, but still worth a check
• Analyzing a live Windows 7, 8 or 8.1 PC:
fsutil behavior query disabledeletenotify
• DisableDeleteNotify = 1 means that Windows TRIM is disabled
• DisableDeleteNotify = 0 means that Windows TRIM is enabled
• fsutil is a standard tool in Windows 7, 8, and 8.1.
• One can enable TRIM with “fsutil behavior set disabledeletenotify 0” or disable it with “fsutil behavior set disabledeletenotify 1”.
TRIM: Not Always Supported
TRIM is not supported in certain configurations
• OS prior to Windows 7 or Mac OS X 10.6.8
Exceptions: Intel SSD Optimizer and similar third-party software
• Mac OS X: TRIM only in native SSD drives
• Old and basic SSD hardware
• Windows: non-NTFS volumes
• Legacy RAID configurations
Recent platforms support TRIM, e.g. RAID 0 + Intel H67, Z77, Z87, H87, Z68, Z97 + recent Intel Rapid Storage Technology (RST) driver
TRIM: Not Always Engaged
TRIM is not engaged in certain situations
• Data corruption
• Slack space
• Resident files (MFT attributes)
• External drives: USB, FireWire, NAS
Exceptions: certain Synology NAS units started supporting TRIM in some configurations (and only for DZAT-type SSD’s)
• Non-SATA SSD (e.g. PCI Express)
Exceptions: some PCI Express type SSD’s implement on-board SATA controllers
SSD Slack Space
TRIM: Not Always Working
Sometimes, TRIM does not work
• SSD firmware bugs
• Faulty implementations of SSD over-provisioning
• Bait-and-switch
SSD Shadiness: Bait-and-Switch
Online reviews not to trust
• Kingston and PNY caught switching SSD components after good reviews
• Second revision of PNY Optima drives features forensic-friendly SandForce controller
• http://www.extremetech.com/extreme/184253-ssd-shadiness-kingston-and-pny-caught-bait-and-switching-cheaper-components-after-good-reviews
Special Considerations
• Apple FileVault 2: TRIM enabled
• Microsoft BitLocker: TRIM enabled
• TrueCrypt: TRIM enabled
• PGP WDE: TRIM disabled (optional)
Encrypted volumes
Life After TRIM
• Sometimes, trimmed data remains recoverable
• User experience varies
Why?
What happens to trimmed data?
Life After TRIM
• Several implementations, different handling of deleted data
• Deterministic Read After Trim (DRAT)
• Deterministic Zeroes After Trim (DZAT)
• Undefined
$ sudo hdparm -I /dev/sda | grep -i trim
* Data Set Management TRIM supported (limit 1 block)
* Deterministic read data after TRIM
What happens to trimmed data?
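An added example in Python, not part of the original slides, that ties this slide to the earlier "TRIM: Not Always Working" one: `advertised_trim` classifies the `hdparm -I` feature lines into unsupported / undefined / DRAT / DZAT, and `observed_trim` reads the same range of a write-blocked device or image several times to see what the drive actually returns. The `read_range` callable, the sample hdparm text and the in-memory images are constructed assumptions.

```python
# hdparm -I lists these feature strings for a drive that supports TRIM.
TRIM_SUPPORTED = "data set management trim supported"
READ_ZEROS = "deterministic read zeros after trim"
READ_DATA = "deterministic read data after trim"

def advertised_trim(hdparm_output):
    """What the drive claims, from hdparm -I text: unsupported, undefined, DRAT or DZAT."""
    text = hdparm_output.lower()
    if TRIM_SUPPORTED not in text:
        return "unsupported"
    if READ_ZEROS in text:
        return "DZAT"
    if READ_DATA in text:
        return "DRAT"
    return "undefined"

def observed_trim(read_range, offset, length, rounds=3):
    """What trimmed LBAs actually return: read the same range repeatedly and compare.

    read_range(offset, length) -> bytes is the caller's raw reader (assumed: a
    write-blocked device or an image file). Returns 'zeros' (DZAT-like),
    'stable-data' (DRAT-like, or TRIM never happened) or 'nondeterministic'.
    """
    reads = [read_range(offset, length) for _ in range(rounds)]
    if any(r != reads[0] for r in reads[1:]):
        return "nondeterministic"
    return "zeros" if not any(reads[0]) else "stable-data"

def trim_report(hdparm_output, read_range, offset, length):
    """Compare claim with observation; a mismatch is the 'TRIM not always working' case."""
    claimed = advertised_trim(hdparm_output)
    seen = observed_trim(read_range, offset, length)
    consistent = {"DZAT": seen == "zeros", "DRAT": seen != "nondeterministic"}.get(claimed, True)
    return {"advertised": claimed, "observed": seen, "consistent": consistent}

# Constructed sample identify output for a drive that advertises DZAT.
SAMPLE_HDPARM = """\
 * Data Set Management TRIM supported (limit 8 blocks)
 * Deterministic read ZEROs after TRIM
"""

def sample_reader(image):
    """Wrap an in-memory byte string (a constructed stand-in for a device) as read_range."""
    return lambda off, ln: image[off:off + ln]

if __name__ == "__main__":
    print(trim_report(SAMPLE_HDPARM, sample_reader(bytes(4096)), 0, 512))        # consistent
    print(trim_report(SAMPLE_HDPARM, sample_reader(b"old chat " * 500), 0, 512))  # data survived
```

A drive that advertises DZAT but still returns the old bytes from a trimmed range is exactly the "firmware bug / faulty over-provisioning" case, and the one worth imaging in full rather than assuming the data is gone.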
Reality Steps In
Why?
Significant success rate when investigating real SSD’s
Reality Steps In
• Marketing ploy: it’s not a real SSD
• Ultra-thin devices: PCI Express SSD
• Software bugs
• Requires BIOS, firmware or drivers update
• Unsupported configurations
Significant success rate when investigating real SSD’s
What’s New in 2014
• SSD recognition grows among software makers and hardware manufacturers
• TRIM now supported in some RAID configurations
• TRIM now supported in some NAS units (e.g. Synology)
• Buggy Sandforce controllers are becoming a thing of the past (but many existing drives carry one)
• Windows XP discontinued, fewer PCs without TRIM support
TRIM adoption steadily growing
Alternative Data Sources
Evidence is available elsewhere
• Alternative data sources contain copies or traces of deleted evidence:
• Memory dumps
• Hibernation and page files
• Deleted SQLite records
• Jumplists
• Thumbnail cache
• Skype ‘chatsync’
• SQLite ‘freelist’
Alternative Sources
Live RAM Analysis
• RAM (volatile memory) analysis reveals more evidence
• Instant access to TrueCrypt, PGP, BitLocker and other encrypted volumes with binary encryption keys
• Recent social network communications
• Data from browsing sessions with enforced privacy settings
• BelkaCarving™ recovers fragmented data from memory dumps
• Support for binary RAM dumps, hibernation and page file analysis
• Proper acquisition technique is required
Data Carving
Destroyed Evidence Recovered with Data Carving
• Carving is used to locate evidence in existing files and unallocated space
• Locates hidden evidence
• Recovers deleted files
• Recovers evidence from formatted volumes and repartitioned hard drives
• Implements binary signature-search analysis
• Carving available for logical and physical disks, forensic drive images and memory dumps, hibernation and page files
• Fully automated operation requires no special skills
Not All Deleted Evidence Is Destroyed
Cleared Skype Histories and Deleted SQLite Records
• Cleared Skype histories are not deleted from the disk
• Deleted SQLite records are not affected by SSD TRIM
• SQLite is used in: most system and user-level Android and iOS apps; Skype, Yahoo Messenger, eBuddy, PhotoBox, Picasa, Explorer; major Web browsers: Mozilla, Chrome, Safari
• Deleted SQLite records recoverable via ‘freelist’ analysis
• Cleared Skype histories and conversation logs can be recovered
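An added example, not from the slides or from Belkasoft's own tools: a minimal Python freelist walker over the SQLite file format, run against a constructed chat-style database that is filled and then "cleared" by deleting every row. It assumes the default rollback journal, `auto_vacuum=NONE` and `secure_delete=OFF` (SQLite's usual defaults), which is why the deleted records survive on freelist pages even though no query returns them.

```python
import os
import sqlite3
import struct
import tempfile

# Offsets into the 100-byte SQLite database header (see the SQLite file format docs).
PAGE_SIZE_OFF, FIRST_TRUNK_OFF = 16, 32

def freelist_pages(db_bytes):
    """Walk the freelist and return (page_size, trunk page numbers, leaf page numbers)."""
    page_size = struct.unpack(">H", db_bytes[PAGE_SIZE_OFF:PAGE_SIZE_OFF + 2])[0]
    page_size = 65536 if page_size == 1 else page_size      # the format's special case
    trunk = struct.unpack(">I", db_bytes[FIRST_TRUNK_OFF:FIRST_TRUNK_OFF + 4])[0]
    trunks, leaves = [], []
    while trunk:                                           # 0 terminates the trunk chain
        trunks.append(trunk)
        page = db_bytes[(trunk - 1) * page_size:trunk * page_size]
        next_trunk, n_leaves = struct.unpack(">II", page[:8])
        leaves.extend(struct.unpack(">%dI" % n_leaves, page[8:8 + 4 * n_leaves]))
        trunk = next_trunk
    return page_size, trunks, leaves

def carve_freelist(db_path, needle):
    """Return the freelist page numbers whose raw bytes still contain `needle`."""
    with open(db_path, "rb") as f:
        data = f.read()
    page_size, trunks, leaves = freelist_pages(data)
    return [p for p in trunks + leaves if needle in data[(p - 1) * page_size:p * page_size]]

def make_demo_db(path):
    """Constructed sample: a chat-style table that is filled, then 'cleared' by deleting every row."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete=OFF")   # SQLite's usual default, set explicitly
    conn.execute("PRAGMA auto_vacuum=NONE")    # freed pages stay in the file, on the freelist
    conn.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, body TEXT)")
    rows = [(i, "carve-me-%04d " % i + "x" * 200) for i in range(400)]   # spans many pages
    conn.executemany("INSERT INTO messages VALUES(?, ?)", rows)
    conn.commit()
    conn.execute("DELETE FROM messages")       # the 'cleared history'
    conn.commit()
    conn.close()

def demo(needle=b"carve-me-0123"):
    """Build the sample database, clear it, then carve the freelist; returns (live rows, hit pages)."""
    path = os.path.join(tempfile.mkdtemp(), "chat.db")
    make_demo_db(path)
    live = sqlite3.connect(path).execute("SELECT count(*) FROM messages").fetchone()[0]
    return live, carve_freelist(path, needle)
```

`demo()` builds the database in a temporary directory and returns a live row count of 0 together with a non-empty list of freelist pages on which the deleted record is still readable; a needle that was never written returns an empty list.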
Capturing Memory Dumps
Live RAM Capturer
• Free forensically sound memory acquisition tool
• True kernel-mode operation in 32-bit and 64-bit environments
• Bypasses active anti-debugging and anti-dumping protection
• Forensically tested with minimum footprint
• Portable operation
• Produces binary memory dumps that are usable in Belkasoft and third-party tools
• Download from belkasoft.com/ram-capturer
Hands On Experience
Free Demo Version
• Downloadable evaluation version
• Fully-featured demo by request
• Request your FREE demo at belkasoft.com/trial