Solid State Drives (SSD) and Their Challenges to Digital Forensics

Thanavit Cheevaprabhanant
Department of Computer Science Metropolitan College, Boston University

Abstract
In digital forensics, data in information systems is the key that answers problems in law enforcement. Data that is remained or stored in electronic devices must be preserved and discovered with specific methods depend on the nature of computing devices and storage media. Since technology keeps advancing, new type of storage media emerged. Solid-State Drives (SSD) is a new type of storage device that their special characteristics have created many challenges to digital forensic examiners. In this paper, the architecture of SSD will be briefly described to illustrate mechanisms that it uses to store and remove data. These mechanisms have made it special storage media and also resulted in some important concerns to forensic investigators when involving SSDs that differs from other types of storage media. Since storage media is involved in every process in digital forensics, involvement of SSD is all the way along as well, ranging from using it to store forensic copy to having it as original electronic evidence. This paper will illustrate challenges in forensic processes and provides recommendations including special concerns on SSD to forensic investigators.

2. Understanding SSD Architecture

A Solid State Devices (SSD) is a data storage device that uses integrated circuit assemblies as memory to store data persistently. Unlike its traditional magnetic disk counterpart that contains spinning platters and movable read/write heads, SSD uses memory access style to store and retain digital data. SSD can be constructed from either nonvolatile NAND-based flash memory or volatile random-access memory (RAM, e.g. Dynamic RAM or DRAM), but the former type has been very common recently due to its advantage on retaining the data without a constant power supply.

2.1 Memory Unit and Operations

SSD is implemented on the same technology found in USB flash drives that uses flash memory to store data by utilizing microscopic transistors as to retain a small electric charge. The presence of the electric charge in transistor will be determined if the transistor represents a digital value either 0 or 1. A fully charged transistor will not allow any more electricity to flow through it; the drive recognizes this and returns a 0. An uncharged transistor on the other hand, allows current to flow through it, resulting in a 1. A totally empty drive has all transistors fully charged [1]. The structure of wired flash memory on silicon is divided into pages and blocks. There are typically 64-256 pages in a block. Program operations (i.e. writing operations) apply to pages and can only change 1s to 0s. With this approach, program operations apply to a byte or a word at a time in a random access fashion. Erase operations apply to blocks and set all the bits in a block to 1. Starting with a freshly erased block (all the bits in a block are uncharged and set 1), any

1. Introduction
Evidence that is stored in storage media must be maintained authority of beholder and be protected its integrity by various processes in digital forensics so that it will keep evidential value and be admissible in the court. As a mandatory forensic procedure, the forensic examiner and investigator need to understand the nature of each storage media type so that they can follow standard procedures and perform documentation, acquisition, authentication, and analysis correctly and effectively.

location within that block can be programmed (a bit in a byte or a word is charged and set to 0). However, once a bit has been set to 0 (has been programmed), only by erasing the entire block can it be changed back to 1. In other words, flash memory (specifically NOR flash) offers random-access read and programming operations, but does not offer arbitrary random-access rewrite or erase operations [2]. According to the flash memory structure described above, in-place update is not possible and this becomes an important limitation of flashbased SSD that significantly affects evidence preservation in digital forensics, which will be discussed later in this paper.

To prevent forensic image contaminated with data remnant and to protect the integrity of the original evidence from any alteration, the forensic drive that will be used to store or examine the evidence must be sanitized or forensically wiped prior to starting a case. This can be performed as to follow standard procedures and document all actions in order to prove beyond a shadow of doubt the integrity of the evidence [3].

3.2 Challenges with Data Remanence in SSD Sanitization

There are many government standards provide guidance for storage sanitization [4]. For the magnetic storage such as hard drives, the standards are consistent as to overwrite the drive a number of times, execute the built-in secure erase command and destroy the drive, or degauss the drive. For flash memory, however, the standards do not agree among each other and provide guidance for sanitizing flash memory in different ways [2]. One reason that causes disagreement among the standards and the difficulty in sanitizing flash memory is because its internal design. The structure of flash memory and its access method in SSD are different from those in the traditional magnetic disk storage counterpart, which have been established over the last two decades. Traditional ATA and SCSI hard drives employ magnetizing materials to write contents to a physical location that's known as the LBA, or logical block address. SSDs, by contrast, interact host interfaces (e.g. ATA, Serial ATA, SCSI, USB, etc.) via the SSD Controller that has flash translation layer (FTL) as a component to manage the contents [5]. A ash translation layer (FTL) in SSD manages the mapping between logical block addresses (LBAs) that are visible via the ATA or SCSI interface and physical pages of ash memory. Because of the mismatch in granularity between erase operations and program operations in ash, in-place update of the sector at an LBA is not possible. Instead, to modify a sector, the FTL will write the new contents for the sector to another location and update the map so that the new data appears at the target LBA. As a result, the old version of the data remains in digital form in the ash memory. These left over data are referred as digital remnants [2].

3. SSD as the Forensic Drive in Acquisition

Storage devices and hard drives that are used for forensic collections store many forms of data such as forensic images, network and email data, smart phone and tablet data, databases, and more. New hard drives may have residual data, even right out of the box.

3.1 Before Forensic Imaging

In addition to the authorization of the evidence that protected by appropriate Chain of Custody procedures, data integrity is the most crucial part of forensic investigation that is arguably and will certainly be challenged in the courtroom for any contamination during the acquisition process that can compromise their evidential value and may affect the admissibility of the digital evidence. The contamination of digital evidence in acquisition process usually resulted from inappropriate acquisition that cause forensic image contaminated with existing data remnants residing on the forensic drive, which will be used for forensic examination. Data remnant (or data remanence) is the residual representation of data that remains even after attempts have been made to remove or erase the data. This residue may result from data being left intact by a nominal file deletion operation, by reformatting of storage media that does not remove data previously written to the media, or through physical properties of the storage medium that allow previously written data to be recovered.

3.3 Recommendations in Preparation of SSD as a Storage for Forensic Image

According to the empirical research [2], there are two recommendations for sanitizing entire SSD. The first recommendation is to use built-in sanitize commands, which are effective when implemented correctly, and software techniques work most, but not all, of the time with the reason that the manufacturer is the one who knows its own design. There are some points that should be noted to this recommendation. The effectiveness of using built-in sanitize commands depends on the utility provided by the manufacturer. The usefulness of the utility also depends on the manufacture keeping it up-to-date and available online. Hence, each implementation of the security commands must be individually tested before it can be trusted to properly sanitize the drive. The second recommendation is to overwrite the entire visible address space of an SSD twice, which is usually, but not always, sufficient to sanitize the drive. However, this overwriting technique appears to be effective in some cases across a wide range of drives while, conversely, is poor in many cases. Therefore, it is not universally reliable [2].

written to an infinite amount of times, a microscopic transistor in SSD has a comparatively short life expectancy. Its endurance is typically 10,000 to 100,000 erase cycles [7]. In order to share load balance for all transistors across the chips of an SSD and to extend transistor lifetime due to disk write operations, wear-leveling algorithm is introduced. Unlike the magnetic hard disk, which tries to keep blocks of a file as close to each other as possible; an SSD employs wear-leveling algorithm to spread the load across all the unused transistors in the drive randomly. This approach avoids consistently storing charge in the same group of transistors, which would make them wear out faster [1]. As discussed earlier, FTL in SSD manages the contents and maintain the map between its internal memory addresses to hard drive sectors represents as LBA. This mechanism assists the computers operating system to interact with SSD controller transparently via existing interfaces, for example, ATA, Serial ATA, SCSI, USB, and so on. At this point, there could be implications on a forensics investigation where evidence is stored on an SSD with a damaged controller card. In comparison with the same situation that occurs on a magnetic disk, replacement of the controller card with one from the same model would allow an investigator to fix the drive and recover the data. However, without knowing the specifics of the wear-leveling mechanisms used by SSD manufacturers, it is impossible to say for certain whether a replacement controller card would know how to translate the correct virtual-tophysical mappings back to the investigators machine or imaging device. If this is a truly random process and only the damaged controller card knows how the mappings have been set up, it wouldnt. The contents of the drive would be presented as a jumbled up mess, making data recovery an almost impossible task. Worse still, the integrity of the evidence could be called into question, because the image that the investigator acquired would bear no resemblance to the original disk layout [1]. 4.1.2 Destructive Garbage Collector As discussed earlier in the first section of this paper that the structure of integrated circuit of

4. SSD as the Original Evidence in Acquisition and Authentication

Every SSD includes a controller that incorporates the electronics that bridge the NAND memory components to the host computer. The controller is an embedded processor that executes firmwarelevel code and is one of the most important factors of SSD performance [6]. Some of the functions performed by the controller include: error correction (ECC), wearleveling, bad block mapping, read scrubbing and read disturb management, read and write caching, garbage collection, and encryption.

4.1 Challenges with Problematic Operations in SSD Controller

4.1.1 FTL Dependency In contradiction with the magnetic coating on typical magnetic disk that can theoretically be

flash memory in SSD affects operations differently. Program operation applies to bit(s), which take less time than erasure operation that applies to all the bits in a block (e.g. 256 pages per block). Moreover, program operation that applies to a page that has been used requires erasure operation to clear that block before it can be programed again. This behavior results in program operation that applies on a used page (rewriting/overwriting) requires multiple passes and takes much more time than program operation that applies on an unused page (i.e. a clean page). To address this issue, manufacturers are believed to be implementing routines called garbage collector that will identify areas that are not in use, and reset them as soon as possible [8]. These routines are managed by the SSDs onboard controller. The implementation of garbage collector has presented the single greatest challenge to accepted digital forensics practice to date. For magnetic disk or tape, when it is attached to the write-blocker, one can ensure that there is no command that could alter evidence will reach the disk controller; but when the command is generated by the controller itself as in SSD, one may not ensure controls anymore. The critical point that is worth to take note here is the garbage collection routines are executed anytime when the controller is idle and at the time SSD is attached to power source or to interfaces. Assuming there are no other commands executed, SSD is performing clean up after a short time it is powered up or attached to the interface cable. The disk will wipe out those blocks it knows they are unused. There is an experiment demonstrates using FTK Imager on an SSD via write-blocker [1] to create and compare hash values. The first hash operation takes time around one hour, and then the second hash operation is started right after the first hash operation is completed. The result yields different hash values and this means garbage collection routines have started cleaning up already. This makes it impossible for the investigator to confirm the integrity of the evidence and with that, widely accepted forensics best practice is rendered useless [1].

This could also create a worse situation when a format command (i.e. quick-format command) is executed. A report [8] illustrates that the SSD controller starts wiping out data within 160 seconds and the cleaning process is completed within 300 seconds. With this short time, it is nearly impossible that a police team would seize an SSD and power it down in 300 seconds [9].

4.2 Implications and Recommendations for Accessing SSD as Original Evidence

As noted by Bell and Boddington [8], the automatic nature of the resetting function on space determined by the controller to be unallocated has several implications for standard forensics procedures [10]: data in unallocated space will quickly disappear on such a device (Quick format will actually cause the drive contents to be erased on short order) the data recorded by a forensic acquisition with a write-blocker will be inconsistent with a subsequent acquisition until the reset process has completed. The cryptographic checksums (e.g., MD-5, SHA-1) generated on successive acquisitions will thus be inconsistent.

With the above reasons, there is currently no reliable method that would generate the same hash value from an SSD twice. Moreover, the researchers [8] give opinion that it is nearly impossible to legislate against garbage collection. In addition, breaking open the drive casing to try and disable/remove the drive controller and prevent garbage collector from running would also probably be a very significant technical challenge, given the extent to which the drive controller is bound to the data via the flash translation layer, and given the wide diversity of drives, controllers and memory that exist. Hence, the digital forensic examiners should treat SSD as any other volatile evidence. The digital forensic investigators will have to rely on both documentation and demonstration skills to show exactly what steps have been taken while working on the evidence, and hope for an understanding jury [1].

Conclusion
The Solid State Devices (SSD) involves in all digital forensic processes due to current technology. This new type of storage media has its characters and operations different from other types of storage media, which require very special treatments and procedures to be performed by forensic examiners and investigators. SSD as the forensic drive in the acquisition process must be forensically sanitized; while SSD as the original electronic evidence in the acquisition and authentication processes may not be performed by traditional forensic procedures that are currently used with other type of storage media due to some limitations. Therefore, the digital forensic examiners and investigators must heavily rely on appropriate forensic procedure and documentation in order to evidential value of the evidence and to maintain admissibility.

Practices (1st ed.). Upper Saddle River, New Jersey: Prentice Hall. [4] Kissel, R., Scholl, M., Skolochenko, S., & Li, X. (2006, September). NIST Special Publication 800-88: Guidelines for Media Sanitization. Gaithersburg, MD: National Institute of Standards and Technology. [5] Goodin, D. (2011, February 21). Flash drives dangerously hard to purge of sensitive data: When secure wiping isn't. Retrieved from The Register: http://www.theregister.co.uk/2011/02/21/flas h_drive_erasing_peril/ [6] Rent, T. M. (2010, April 9). SSD Controller. Retrieved from StorageReview.com: http://www.storagereview.com/ssd_controller [7] AMD. (2003, July). AMD DL160 and DL320 Series Flash: New Densities, New Features . Sunnyvale, CA. [8] Bell, G. B., & Boddington, R. (2010). Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery? Journal of Digital Forensics, Security and Law (JDFSL) , 5 (3), 11-20. [9] Moellenkamp, J. (2011, March 1). Garbage Collection on SSD makes digital forensics more problematic. Retrieved from c0t0d0s0.org: http://www.c0t0d0s0.org/archives/7201Garbage-Collection-on-SSD-makes-digitalforensics-more-problematic..html [10] Gezelter , R. (2011, March 7). Solid-State Disk Behavior Underlying Digital Forensics. Retrieved from Infosec Island: http://www.infosecisland.com/blogview/1237 5-Solid-State-Disk-Behavior-UnderlyingDigital-Forensics.html

References
[1] Sheward, M. (2012, January 5). Rock Solid: Will Digital Forensics Crack SSDs? (InfoSec Institute) Retrieved August 17, 2012, from InfoSec Resources: http://resources.infosecinstitute.com/ssdforensics/ [2] Wei, M., Grupp, L. M., Spada, F. E., & Swanson, S. (2011). Reliably Erasing Data From Flash-Based Solid State Drives. FAST'11: 9th USENIX Conference on File and Storage Technologies. San Jose: USENIX. [3] Volonino, L., Anzaldua, R., & Godwin, J. (2007). Computer Forensics: Principles and