Recovering Evidence from SSD Drives

In 2012, DFI News published an article called “Why SSD Drives Destroy Court Evidence, and What Can Be Done About It”. Back then SSD self-corrosion, TRIM, and garbage collection were little known and poorly understood phenomena. In 2014, the situation looks different. Having handled numerous cases involving the use of SSD drives and gathered a lot of statistical data, we now know things about SSD drives that allow forensic specialists to obtain information from them despite the obstacles.

SSD Self-Corrosion
The effect of SSD self-corrosion, as well as the root cause, is well covered by existing publications, including our own 2012 paper on SSD forensics. The evidence self-destruction process is triggered by the TRIM command issued by the operating system to the SSD controller at the time the user either deletes a file, formats a disk, or deletes a partition. The data destruction process is only triggered by the TRIM command; the data destruction itself is carried out by the separtate process of background garbage collection.

In many cases the TRIM command is not issued at all. This article discusses these exclusions to gain a better understanding of the situations when deleted data can still be recovered from an SSD drive.

Deterministic Read After Trim
Experiences recovering information from SSD drives vary greatly among SSD users.

“I ran a test on my SSD drive, deleting 1,000 files and running a data recovery tool five minutes later. The tool discovered several hundred files, but an attempt to recover them returned a bunch of empty files filled with zeroes,” said one Belkasoft customer.

“We analyzed an SSD drive obtained from a suspect’s laptop and were able to recover 80% of deleted files several hours after they’ve been deleted,” said another user.

Why such inconsistency in user experiences? The answer lies in the way the different SSD drives handle trimmed data pages.

Some SSD drives implement what is called Deterministic Read After Trim (DRAT) and Deterministic Zeroes After Trim (DZAT), returning all-zeroes immediately after the TRIM command releases a certain data block, while others do not implement this protocol and will return the original data until it’s physically erased with the garbage collection algorithm.

With non-deterministic TRIM, each read command after a Trim may return different data, while with both DRAT and DZAT, all read commands after a TRIM return the same data.

As we can see, in some cases the SSD will return non-original data (all zeroes, all ones, or some other non-original data) not because the physical blocks have been cleaned immediately following the TRIM command, but because the SSD controller says that there is no valid data held at the trimmed address on a logical level previously associated with the trimmed physical block.

Read More