Computer Forensics on SSD’s with TRIM and Garbage Collection

Robert BuheckerDigital Forensics Information

SSD Garbage Collection and TRIM explained

 

Data is not written to drives in to drives in all the same way. SSD drives write data very differently to the drive than SATA drives. Instead of the data being written to platters (which are spinning magnetic disks) as seen in SATA drives, the data is written to blocks which is controlled by the SSD controller. The data on SSD’s are written in a very interesting way.

Contact Us Now

There are no moving parts on an SSD. The data is written to pages and when enough pages are collected the pages then written to a block on the drive. When the drive is empty the writes are faster because the controller does not have to search as long for open blocks. But as drives fill up the write process will take longer because the SSD controller will rewrite pages to other blocks. The data in these blocks are wiped before the rewrite takes place.

This process of data being wiped and rewritten is called garbage collection. Garbage collection works with another function called TRIM. What TRIM does is it clears the unallocated space on an SSD. Fortunately or unfortunately this function is continuously taking place when the computer is running. It is fortunate for us as a user because this process is seamless and it allows us to use the drive without having any major slowdowns and it increases drive efficiency. The unfortunate part is that when the machine is up and running potential evidence can be overwritten in the TRIM and garbage collection process. Unallocated space is a great place to find files or parts of files. If files are overwritten then they will be unrecoverable. This is a good place to discuss unallocated space. If a file is deleted it is still recoverable in most cases, what happens is that the space that it occupies (or that was allocated) , now becomes available (or unallocated). This is generally what happens a user sends a file to the Recycle Bin, it tells the Operating System that the particular file is no longer needed and the space it once occupied can now be reused for something else. To better explain allocated and unallocated space lets look at an example of a file. If a deleted file was 13615 bytes and the new file was only 10 bytes then 13605 bytes potentially could remain of recoverable data. With The TRIM function this will clear the 13605 bytes and make any hope of recovering remnants of the file nearly impossible to impossible.

To prevent files from being overwritten by the TRIM and garbage collection process the machine must be turned off. Shutting the computer down through the operating system is always risky because the user may have installed a malicious program that can cause data destruction if a password is not entered. To avoid this possible problem, a hard shutdown is recommended. A hard shutdown can be accomplished by either holding down the power button until the computer shuts down. Shutting down the computer will also ensure that the TRIM and garbage collection stops and no further data destruction will take place.

Now that the device has been isolated the preservation process continues by protecting the contents of the hard drive. If the hard drive is an SSD the drive is constantly being overwritten through the garbage collection and TRIM processes. These processes create their own set of challenges and the longer the machine is left up and running, the more data will be deleted. To protect the data, shut the computer down as soon as possible. Shutting the computer off safely is best accomplished by doing a hard shutdown. A hard shutdown is completed by holding in the power button until the computer shuts down. A hard shutdown is the preferred method because if the user has installed a malicious program, the hard shutdown will not allow the program to run. If the hard drive is encrypted please be sure to include the key to prevent delays in the processing of the hard drive.

SSD’s are designed for speed and efficiency. The TRIM and garbage collection processes aid in the overall functions of the SSD but can create challenges during Computer Forensic investigations. If you have a need for solid state hard drive forensics, or any other computer or digital forensic service then don’t hesitate to contact us today.