June 11, 2012

Solid-State Drives Are a Game Changer for Deleted Files

John Sammons – June 11, 2012

For years, people have been trying to cover their tracks by deleting incriminating files from their computers. The recovery of this kind of evidence from magnetic drives has been the bread and butter of digital forensics for years, but those days may very well be coming to an end.

The traditional magnetic drives that we are accustomed to using are being replaced more and more by solid-state drives (SSDs). Traditionally, magnetic drives afford examiners the ability to recover significant amounts of user-deleted data. As we’ll see, SSDs store data in a completely different way than their magnetic cousins, and, as a result, these drives don’t afford forensic examiners the same opportunities when it comes to deleted file recovery and acquisition verification.

To get a true understanding of the challenges presented by SSD technology for forensic recovery, we need to understand how traditional hard drives function.

Traditional Magnetic Drives
The hard disk drives we find in our computers today trace their roots back to the 1950s. The data is stored on circular, spinning disks called platters. Platters are made of non-magnetic materials such as aluminum, ceramic, or glass. Each platter is coated with a thin layer of magnetic material that holds the data. The platters themselves spin at several thousand revolutions per second. Data is written to the disk by the read/write head. The read/write head also moves rapidly over the platters, reading and writing data. You can see a video of these spinning platters and the read/write head connected to the actuator arm here.

Traditional Data Storage and File Recovery
Data is stored on the platters in defined spaces called sectors. Think of sectors as the smallest container a computer can use to store information. Traditionally, each sector holds up to 512 bytes of data. It can hold less, but it can’t hold more.

Suppose we save a file, “evidence.doc,” to our hard drive. We’ll make it 1,024 bytes in size. Our computer would assign that file to two separate sectors.

Later on, we decide to delete that file, and we hit the delete key, sending that file to the Windows Recycle Bin. We then empty the Recycle Bin, content in the knowledge that evidence.doc is now residing in digital oblivion.

But once a file is deleted, it’s typically not really gone; the space it occupied is simply referred to as unallocated space. Unallocated space is comprised of the areas on the disk that are no longer tracked by the computer. In our case, the file was deleted by the user—that simply means that the computer (specifically the file system) is instructed to no longer “see” the file. This means that the user can’t find the file through the operating system (Windows, Linux, and so on). The computer recognizes the sectors that the file occupied as being open and available to store data. The file remains precisely where it was until it’s overwritten by another file.

Therefore, “unallocated” simply means “ready to be reused”—not “empty.” Files or fragments of files can sometimes be recovered from unallocated space, as long as they haven’t been completely overwritten.

Partially Overwritten Files on Traditional Hard Drives
Continuing the example above, let’s say we create a new document, “smoking_gun.doc.” It’s a little smaller than evidence.doc, containing 780 bytes. Our computer, acting solely on its own volition, decides to place this new file in the same two sectors originally occupied by our first file, evidence.doc. Remember that those sectors are now listed as “ready to be reused.”

So, what happens to our original file, evidence.doc? The first 780 bytes have been overwritten. Some quick math tells us that there are still 244 bytes worth of our original file that are left untouched. Those 244 remaining bytes comprise what is called the slack space or file slack. The slack space is the difference between the space that is assigned to the current file and the space that is actually used by the current file.

Out of the slack space, we can recover fragments of the previous file. It may not be useful. But then again, it just might. It could be part of an incriminating email or picture. The use of recovered files and fragments of files from unallocated and slack space is not new to digital forensics or courtroom testimony, and it has provided dispositive findings for many cases.

How SSDs Store Data
As the name implies, SSDs have no moving parts. SSDs are similar to USB thumb drives, storing data in tiny transistors.

While magnetic drives have the ability to instantly overwrite data to any sector that’s labeled as unallocated, SSDs do not. Each transistor must be reset (erased) before it can be reused. This reset process tends to slow down the drive, and it would be worse if this had to be done each time before data was saved to the disk. To speed things up, SSD manufacturers have configured the drive’s controller to automatically reset unused portions of the drive. This process occurs without any prompting by the user or the computer. This resetting process is known as garbage collection.

The Forensic Problem: Taking Out the Trash
SSDs can be said to have a mind of their own, as many SSDs initiate the garbage-collection routine completely on their own. Researchers have found that the garbage-collection process can start within minutes of an SSD receiving power. This is problematic from the perspective of forensic analysis.

First, there is the automated destruction of potentially relevant data on the drive. All of the data that was potentially recoverable from the slack or unallocated space will very likely be overwritten very quickly.

Another issue is one of evidence verification. Traditionally, forensic examiners have relied on cryptographic hashing algorithms, such as MD5 or SHA-1, to take the “digital fingerprint” or “digital DNA” of a hard drive. We can then take the “fingerprint” of our evidentiary image at any time and compare it with the “fingerprint” of the original. They should match exactly, verifying the integrity of the evidence. But this approach to verification may not work with an SSD, as the SSD can start to reset all of the unallocated space very shortly after receiving power. This resetting will alter the pattern of bits (1s and 0s). Changing even a single bit will result in a completely different hash value, rendering a different digital fingerprint. If the garbage-collection routine runs during or after the forensic acquisition, validation becomes exponentially more difficult because the hash values won’t match if the forensic acquisition process is repeated.
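To make both points concrete, the slack-space recovery walked through in the evidence.doc/smoking_gun.doc example and the hash-verification problem just described, here is a small Python model added for this article (it is not the author’s code). It is a deliberate simplification: a drive is a list of 512-byte sectors with an allocation flag each, and an SSD’s garbage collection is modelled as resetting every unallocated sector to zeros; the file contents are constructed placeholders.

```python
import hashlib

SECTOR = 512  # bytes per sector, as in the article

class Disk:  # toy sector-level drive model, constructed for this example
    def __init__(self, sectors, ssd=False):
        self.sectors = [bytearray(SECTOR) for _ in range(sectors)]
        self.allocated = [False] * sectors  # the file system's view of each sector
        self.ssd = ssd

    def write_file(self, data):
        """Place data in the first free sectors; returns the sector numbers used."""
        needed = -(-len(data) // SECTOR)  # ceiling division
        free = [i for i, used in enumerate(self.allocated) if not used][:needed]
        assert len(free) == needed, "disk full"
        for n, i in enumerate(free):
            chunk = data[n * SECTOR:(n + 1) * SECTOR]
            self.sectors[i][:len(chunk)] = chunk  # bytes past the chunk are file slack
            self.allocated[i] = True
        return free

    def delete(self, sector_ids):
        """Deletion only marks sectors unallocated; the bytes are left in place."""
        for i in sector_ids:
            self.allocated[i] = False

    def garbage_collect(self):
        """SSD controller behaviour: reset every unallocated sector. No-op on magnetic."""
        if self.ssd:
            for i, used in enumerate(self.allocated):
                if not used:
                    self.sectors[i][:] = bytes(SECTOR)

    def image_hash(self):
        """Fingerprint of a full-drive image, as an examiner computes for verification."""
        return hashlib.sha1(b"".join(self.sectors)).hexdigest()

def demo(ssd):  # replays the article's scenario on a magnetic (False) or SSD (True) model
    disk = Disk(4, ssd=ssd)
    evidence = b"E" * 1024  # constructed stand-in for evidence.doc
    gun = b"G" * 780        # constructed stand-in for smoking_gun.doc
    disk.delete(disk.write_file(evidence))
    acquired = disk.image_hash()  # hash taken at acquisition time
    disk.garbage_collect()        # on an SSD this runs on its own after power-up
    hash_stable = disk.image_hash() == acquired  # would a re-acquisition verify?
    used = disk.write_file(gun)
    offset = len(gun) - (len(used) - 1) * SECTOR  # bytes of gun in its last sector (268)
    slack = bytes(disk.sectors[used[-1]][offset:])  # the 244-byte file slack
    return {"hash_stable": hash_stable, "slack": slack}
```

demo(False) reports a stable image hash and a 244-byte slack fragment still holding evidence.doc; demo(True) reports a changed hash and 244 zero bytes, which is the article’s argument in miniature.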

Certain capabilities and protocols forensic examiners and their legal counterparts have taken for granted for so long may no longer be applicable when dealing with an SSD. However, SSDs are not widely used quite yet, mainly due to cost. That, however, is slowly changing, and SSDs can be found in a number of devices today.

It isn’t clear what the future will bring. Tools and techniques may be developed to overcome these challenges. The drive makers may make some changes that restore some or all of examiners’ abilities to collect and verify evidence stored on an SSD. Either way, it is clear that the SSD is going to create some very troubling issues that must be tackled by forensic practitioners and attorneys alike.

Keywords: litigation, technology for the litigator, solid-state drives, deleted files, spoliation, hard drive, computer forensics, data recovery
