How to perform SSD Forensics | Part — I

Fa1c0n
Apr 11, 2020


Hello Readers.

Recently I went to a conference on cyber forensics. There I saw people demonstrating various acquisition methods, evidence collection, storage and analysis. One thing I peculiarly noticed is that when people say “evidence acquisition” or “data recovery” from computers, they generally mean acquiring it from magnetic storage media, like hard disks (HDDs). They went on about disk forensics, slack space and all that related stuff. After listening to their orthodox speech, I raised some queries:

Do the methods of disk forensics, like block-level analysis, apply to solid state drives and flash drives?

Flash drives totally remove the concept of blocks or any rotating part, so what now?

Do your delete, erase, wipe and format concepts still work in a similar way? etc. etc.

I asked around 10 questions and all I got was blithering. That made me ponder about the different individuals who are dealing with forensics and how many do not follow the dernier cri in the industry.

I decided I need to write something on forensics involving flash drives. My focus in this article is on Solid State Drives (SSDs). For understanding the difference between HDDs, SSDs and flash drives please download my document PC Storage Media — TheD4RKr3ap3r

Why is it needed?

With technology evolving every moment, even criminals are keeping up with new technology and becoming more powerful. This has led to an increase in the crime rate along with its complexity. There are many cases which can be solved with the aid of digital forensics. Forensic investigators have followed some orthodox mechanisms for solving these cases on hard drives. Technological enhancements have led to people using solid state drives, which came in as a competitor to hard disk drives. But the methodologies that were triumphant for recovering evidence from hard drives were not successful in the case of solid state drives.

As I have said above, in two points I can answer the question:

  • Whatever the current well-defined practices are, they are mostly for rotating magnetic media (conventional hard drives, for example)
  • Solid state drives (SSDs) behave quite differently and present new challenges

Both accomplish the same thing (provide a way to store files on a computer system), however in different ways: hard drives use magnetic spinning platters, while SSDs use flash memory chips.

Traditional Drives

The traditional spinning hard drive is the basic non-volatile storage on a computer. That is, information on it doesn’t “vanish” when you turn off the system, as is the case with data stored in RAM. A hard drive is essentially a metal platter with a magnetic coating that stores your data, whether informative reports from the last century, classic movies, or your digital music collection. A read/write head on an arm accesses the data while the platters are spinning. Hard drives have been the most widely used storage devices for decades. The most important part of a hard drive is the platters. They are made of a hard material such as glass or aluminium, coated with a thin layer of metal which can be magnetized and demagnetized. The read/write head does not touch the magnetic platter; there is a layer of air or fluid between the head and the platter surface, which reduces wear and tear.

A solid-state drive (SSD, also known as a solid-state disk) is a solid state storage device that uses integrated circuit assemblies as memory to store data persistently. SSD technology primarily uses electronic interfaces compatible with traditional block input/output (I/O) hard disk drives (HDDs), which permits simple replacement in common applications.

What do we know?

New I/O interfaces like SATA Express and M.2 have been designed to address specific requirements of the SSD technology.

At this point in the evolution of computers, the operation of conventional hard drives is well understood: we have bits of data placed onto magnetic media via repositionable read/write (R/W) heads. The data may be randomly accessed by moving the heads over a selected cylinder. All such operations are easily controlled via drive control commands which, for example, allow a sector of information to be read or written.

  • Data deleted on a traditional hard drive is not truly deleted and can often be recovered quite easily. (How? Please refer to disk recovery.)
  • Formatting, quick formatting, delete, erase and wipe all have different roles. A simple quick format doesn’t mean your HDD is wiped clean; no complete purge has occurred.
  • Even a full 1-pass write doesn’t ensure permanent data loss.
  • The physical location of a block of data does not change independently of the operating system; OS involvement is needed.
  • Incoming data is not optimized or manipulated; the drive accepts the raw, unaltered data.
  • Most importantly, these features are common to any hard disk.

Flash chips, in contrast, are not as well understood. Complicating matters is the fact that flash memory implementation schemes cause data to be stored within the SSD in a manner which seems to randomly place sectors of any file in any physical sector. (There is no internal linear mapping of sectors in an SSD.) So, to get familiarized with SSD forensics we need to know about flash and its functioning. When it comes to data recovery and its analysis we know all about hard disks, but for SSDs we first need to understand the way information is stored, what happens when data is modified, and what happens when data is deleted. The answers to these questions are the key to understanding the challenges in retrieving information and how to handle them.

How do SSDs operate?

Solid state drives use memory known as “flash memory”, which is similar to RAM. However, unlike RAM, which clears its contents whenever the computer is powered down or its power source is disconnected, SSD memory retains its contents even through a power loss. SSDs use a grid of electrical cells for storing data. The grid is divided into sections known as pages, and pages are where data is stored. Pages are clumped together to form blocks. An SSD can only write to empty pages in a block; on a hard disk, data can be written to any location on the magnetic platter at any time, i.e., data can be overwritten easily. SSDs cannot overwrite data in place: the SSD must first find an empty page in a block and write the data to that empty page. When enough pages in a block have been marked as unused, the SSD takes the content of the block, commits it to memory, and erases the whole block. Once that is done, it takes the committed image and rewrites it to that block without the unused pages.

To fully understand the functioning of an SSD and the forensic challenges it poses, we first need to know its two most important parts: the controller and the NAND flash memory. These components, along with a few others, are placed on a printed circuit board (PCB), which is housed in a casing; the whole assembly is what we call an SSD. The real memory blocks are the flash chips.

Controller

The controller is an embedded processor that bridges the flash memory components to the host, i.e., the computer. The controller executes the code provided by the SSD’s firmware, i.e., its mini operating system, to fulfil data requests received from the host. The controller decides how the SSD performs and the features it offers. The popular functions and features decided by the controller include reading, writing, error checking, erasing, garbage collection, encryption, wear-levelling, overprovisioning, and RAISE (Redundant Array of Independent Silicon Elements).


Mainstream SSD controllers include the following electrical elements, many times contained within a single Integrated Circuit (IC):

  • Embedded processor – usually a 32-bit microcontroller
  • Electrically erasable firmware ROM
  • System RAM
  • Support for external RAM – usually DDR/DDR2 SDRAM
  • Error Correction Code (ECC) circuitry
  • Flash component interface – usually a standard interface such as the Open NAND Flash Interface (ONFI)
  • Host electrical interface – usually SATA, USB, SAS, or a combination

What is NAND flash?

It all started with EPROMs and EEPROMs. In the early 1980s, before we ever had such wondrous things as cell phones, tablets or digital cameras, a scientist named Dr Fujio Masuoka was working for Toshiba in Japan on the limitations of EPROM and E2PROM chips.

An EPROM (Erasable Programmable Read Only Memory) is a type of memory chip that, unlike RAM for example, does not lose its data when the power supply is lost — in the technical jargon it is non-volatile. It does this by storing data in “cells” comprising floating-gate transistors. EPROMs could have data loaded into them (known as programming), but this data could also be erased by means of ultra-violet light so that new data could be written. This cycle of programming and erasing is known as the program/erase cycle (or PE cycle) and is important because it can only happen a limited number of times per device, hence the limited number of read/writes. However, while the reprogrammable nature of EPROMs was useful in laboratories, it was not a solution for packaging into consumer electronics — after all, including an ultra-violet light source in a device would make it cumbersome and commercially non-viable. And we wanted something that is both readable and writable.

EEPROMs, a subsequent development, could be erased through the application of an electric field rather than light. Now that’s what we are talking about when words like “consumers” and “feasible” come into the picture. This was clearly advantageous, as erasure could now easily take place inside a packaged product. Unlike EPROMs, E2PROMs could also erase and program individual bytes rather than the entire chip. However, E2PROMs came with a disadvantage too: every cell required at least two transistors instead of the single transistor required in an EPROM. In other words, they stored less data: they had lower density.

So EPROMs had better density while EEPROMs had the ability to electrically reprogram cells. Of course it would be better if we had both. What if a new method could be found to incorporate both benefits without their associated weaknesses? Dr Masuoka’s idea did exactly that. It used only one transistor per cell (increasing density, i.e. the amount of data it could store) and still allowed for electrical reprogramming. This new design is what we use as the basis for our modern SSDs.

The new design achieved this by only allowing groups of cells to be erased and programmed at once, rather than individual cells. This not only gives the density benefit of EPROMs and the electrically-reprogrammable benefit of E2PROMs, it also results in faster access times: it takes less time to issue a single command for programming or erasing a large number of cells than to issue one per cell.

But you can’t couple two technologies together, at least not this easily, without a con. The same happened here. The number of cells affected by a single erase operation is different — and much larger — than the number of cells affected by a single program operation. It is this fact, above all else, that results in the behaviour we see from devices built on flash memory.

NAND and NOR

Flash drives use two kinds of memory technology:

  • NAND-based flash
  • NOR-based flash

Both are considered leading non-volatile flash memory technologies. NAND and NOR flash meet completely different design needs based on their individual attributes. NOR offers faster read speed and random-access capability, making it suitable for code storage in devices such as smartphones, fitness bands etc. However, it has slower write and erase functions in comparison with NAND. NOR has higher bit density compared to NAND. Since code storage tends to require lower density memory than file storage, NOR’s larger cell size is not considered a concern when used in these applications.

NAND, on the other hand, offers faster write/erase capability than NOR, but in terms of read speed it is slower. NAND is, however, more than sufficient for most consumer applications such as movies, music, documents, games etc. NAND’s fast write/erase speed combined with its higher available densities and lower cost-per-bit than NOR make it the favoured technology for file storage. Because of this, NAND is typically used for storing large quantities of information in devices such as flash drives, MP3 players, multi-function cell phones, digital cameras and USB drives. And the SSDs that we use are NAND flash based.

Stochastic Forensics

The way these modern SSDs operate leaves little room for positive assertions.


With SSDs, the only thing that can be assumed is that an investigator can access the existing information stored on the disk. Retrieval of anything else, however, is a whole different issue, unlike with HDDs. Deleted files and data the suspect attempted to destroy (e.g. by formatting the disk — even in “Quick Format” mode) may be lost forever in a matter of minutes. And even if the computer is powered off immediately after a destructive command has been issued (e.g. within a few minutes of the Quick Format), there is no easy way to prevent the disk from destroying the data once the power is back on. The situation is somewhat of a paradox, reminiscent of Schrödinger’s cat: one will never know if the cat is alive before opening the box.

The golden age of forensics is going to end. “Given the pace of development in SSD memory and controller technology, and the increasing proliferation of manufacturers, drives, and firmware versions, it will probably never be possible to remove or narrow this new grey area within the forensic and legal domain,” the scientists, from Australia’s Murdoch University, wrote. “It seems possible that the golden age for forensic recovery and analysis of deleted data and deleted metadata may now be ending.”

SSD Obstacles

The hitch with SSD storage devices is that they use flash memory chips, and flash memory chips have a stumbling block: they suffer two nearly fatal flaws.

1. Limited read/write cycles: over time, with repeated write operations, they wear out. Standard flash lifetimes are up to 100,000 cycles per block before failure is possible.

2. Block-based operations: all write operations to the flash memory chips must occur on a block-by-block basis. Practically, it is impossible to overwrite new data in place of old data (unless you have lots of time). (A block within a flash memory chip is similar to, but not the same as, a sector of information.) As a result, for the highest SSD performance, it is imperative that there is always a fresh supply of empty SSD blocks, ready to be written with new data. It would take too much time to always have to clear a block before writing (or overwriting) new data into that block.
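To make the write/erase asymmetry from the section on how SSDs operate and from point 2 above concrete, here is a toy flash translation layer written for this article; it is constructed example code, not any vendor's firmware and not from the original post, and the geometry, class and method names and sector contents are all made up. It shows an overwrite landing in a fresh page while the old bytes linger as stale data, a logical read that can no longer see them, and garbage collection erasing the whole block at the cost of one P/E cycle.

```python
# Toy FTL constructed for this article (not any vendor's firmware): why an SSD "overwrite" is not one.
PAGES_PER_BLOCK = 4   # constructed geometry; real NAND has hundreds of pages per block
NUM_BLOCKS = 3

class ToySSD:
    def __init__(self):
        self.pages = [[None] * PAGES_PER_BLOCK for _ in range(NUM_BLOCKS)]  # None = erased
        self.stale = [set() for _ in range(NUM_BLOCKS)]  # pages holding unmapped old data
        self.erase_cycles = [0] * NUM_BLOCKS             # per-block wear counter
        self.l2p = {}   # logical sector -> (block, page); private to the controller
        self.free = [(b, p) for b in range(NUM_BLOCKS) for p in range(PAGES_PER_BLOCK)]

    def write(self, lba, data):
        """Host write: always goes to an erased page; an old copy is merely marked stale."""
        if lba in self.l2p:
            ob, op = self.l2p[lba]
            self.stale[ob].add(op)           # old bytes are NOT touched
        blk, pg = self.free.pop(0)           # IndexError here = GC needed before writing
        self.pages[blk][pg] = data
        self.l2p[lba] = (blk, pg)

    def read(self, lba):   # what the host, and therefore a logical disk image, can see
        loc = self.l2p.get(lba)
        return None if loc is None else self.pages[loc[0]][loc[1]]

    def stale_data(self):  # what a raw (chip-off) read of the NAND would still find
        return [self.pages[b][p] for b in range(NUM_BLOCKS) for p in sorted(self.stale[b])]

    def garbage_collect(self):
        """Erase every block that is entirely stale; the block is the erase granularity."""
        erased = []
        for b in range(NUM_BLOCKS):
            if len(self.stale[b]) == PAGES_PER_BLOCK:
                self.pages[b] = [None] * PAGES_PER_BLOCK
                self.stale[b].clear()
                self.erase_cycles[b] += 1    # one P/E cycle consumed out of a finite budget
                self.free.extend((b, p) for p in range(PAGES_PER_BLOCK))
                erased.append(b)
        return erased

def demo():
    """Write four sectors, overwrite them all, then let the controller clean up."""
    ssd = ToySSD()
    for lba in range(4):
        ssd.write(lba, f"old-{lba}")         # fills block 0
    for lba in range(4):
        ssd.write(lba, f"new-{lba}")         # lands in block 1; block 0 becomes all stale
    before_gc = ssd.stale_data()             # old contents still physically present
    erased = ssd.garbage_collect()
    return ssd.read(0), ssd.l2p[0], before_gc, erased, ssd.stale_data(), ssd.erase_cycles
```

Before garbage collection the four old sectors are still present in block 0 although no logical read can reach them; afterwards they are gone and block 0 has one erase cycle on its counter, which is the behaviour behind the “Schrödinger’s cat” remark above.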

More about blocks, pages, dies etc. in the second part of this SSD series. We will also delve into the various methodological challenges and the process needed for forensic analysis of different SSDs.

Thanks, and do share so that someone can find this useful.
