SSD and eMMC Forensics 2016 – Part 1

What Has Changed in 2016 in the Way SSD Drives Self-Destruct Evidence. Demystifying eMMC, M.2, NVMe, and PCI-E.

by Yuri Gubanov, Oleg Afonin
© Belkasoft Research 2016

This publication continues the series started with an article on SSD forensics we published in 2012. We investigated the issues of SSD self-corrosion, demystified trimming, garbage collection and data remapping. Two years later, we revisited the issue. Back then, manufacturers released innovations in quick succession. 3D TLC, bigger and faster drives, the end of compressing controllers and the introduction of self-encrypting SSD drives were all big news. Fast-forward to 2016, and we have abundance of cheaper SSD models with seemingly little changes on the high-tech battlefront.

In addition to 2.5-inch models, we have seen a new popular form factor used in super-slim ultrabooks, and a new type of solid-state memory introduced by Samsung and used in many mobile devices. On the lower end of the spectrum, we are seeing eMMC chips being used in low-end Windows tablets and subnotebooks, where these chips take place of traditional SSD drives. In this article, we will try to figure out what all this means for a forensic investigator.

As this publication is designed to continue the original series, we skipped most of the basics, including definitions. If you are in the beginning of your journey into the world of SSD forensics, please consider reading the original publications first. Information provided in the original series still stands.

These and other Belkasoft articles can be found here: https://belkasoft.com/articles.

Introduction

Nearly a decade ago, Solid State drives (SSD) revolutionized computer storage, bringing to the table blazing fast access speeds, low power consumption, and absence of moving parts. Along with these benefits, consumers saw severely restricted lifespan. An older SSD could only withstand so much wear before it would start losing memory. A limited number of write cycles still remains a limitation today. By this day, we still have to cope with the same limitations thanks to the ever shrinking manufacturing process and the invention of new types of NAND cells (namely TLC cells that can keep 3 bits of information per physical cell instead of 2 bits in MLC and a single bit in SLC cells).

In order to overcome these technological limitations while continuously reducing the cost-per-gigabyte of storage, manufacturers perfected some very smart software algorithms. These algorithms ensure that the load is distributed evenly among the cells, quickly remapping logical addresses of NAND cells to ensure that the next write operation will occur to a cell with the least wear.

Another limitation of flash-based memory is the fact that one can only write new data into an empty (erased) cell. Once an SSD drive fills up, each subsequent write operation would involve erasing the content of a data block and then writing new data into the cell. Since erasing flash cells is a much slower process than writing data, manufacturers implemented garbage collection algorithms that erase cells containing data that is no longer used by the system.

How does the SSD controller know which data block is used and which one is not? The operating system tells it by sending the controller a so-called ‘trim’ command. Once the trim command is sent, the controller ‘knows’ that certain data blocks are no longer used, and adds them to the list of ‘dirty’ blocks. These blocks are scheduled to be erased by the internal garbage collection algorithm.

At the same time, the system does not have to wait while a certain physical cell is erased. Should the system need to write a new data block, the SSD controller immediately and instantly assigns a new empty flash cell to the logical address the OS is referring to. This is called remapping. In today’s SSD’s, remapping occurs all the time.

The big forensic question is: what happens to a ‘dirty’ data block then? Does its content immediately disappear, or can it still be extracted from an SSD drive? Today more than ever, the answer is “it depends”.

M.2: Thinner and Lighter SATA SSDs


M.2 is a form factor. Devices conforming to the M.2 form factor can use SATA, PCI-E or USB3.0 connectivity. Most M.2 SSD drives are SATA or PCI-E devices using the AHCI as a logical interface. Some high-end models use PCI-E connectivity and NVMe for interfacing. A laptop equipped with an M.2 SSD drive may or may not be able to use trim if it runs Windows 7.


Originally, SSD drives were available as 2.5” (notebook-size) disks. This was a real limitation when making ultra-portable devices. To overcome this problem, the industry started using M.2, a relatively new form factor for SSD modules used in thin and light devices.

Intel 530 Series M.2 SSD Drive

M.2 devices features a standard PCI-E connector. While most M.2 SSD drives conform to the AHCI specification, supporting all the features of their full-size counterparts and being recognized by the OS as a standard SATA SSD, some models conform to the newer NVMe specification that requires a different driver stack.

M.2 SSD drives can be used with some desktop motherboards

Strictly speaking, an M.2 SSD drive can be one of the following:

  • Legacy SATA. Many M.2 SSD drives are employing the legacy SATA connection, and are interfaced through the AHCI driver. These M.2 drives behave no different from standard 2.5” SSD drives.
  • PCI-E using AHCI. This standard is used for those PCI-E SSDs that are utilizing the PCI Express lanes for connection and AHCI for interfacing with the device. These drives require the OS to include the correct drivers.
  • PCI-E using NVMe. These are the fastest SSD drives that are the least compatible, as they are very new. Installing an NVMe drive into a PC without proper BIOS support may result in an unbootable system. Many motherboards cannot boot from NVMe drives; however, Windows can access such drives with proper drivers even if an older motherboard is used. So far, we have not seen many of these, yet they make their way to some high-end models.

PCI Express (PCI-E) SSDs


PCI-E, or PCI Express, is a physical connectivity standard. PCI-E SSD drives are available in a wide range of form factors including full-size desktop expansion boards, M.2, proprietary and soldered portable storage solutions. PCI-E SSDs can use AHCI or NVMe for interfacing.


Technically, M.2 SSDs are PCI-E devices. However, the PCI-E specification is much broader than M.2. As such, manufacturers can produce proprietary PCI-E SSD drives that do not conform to the M.2 standard, and that may not be used in computers designed to accept M.2 compliant SSD drives.

PCI-E SSD drives are most commonly used in certain high-end workstations (full-size form factor) as well as in some ultra-slim models (such as, for example, Apple’s MacBook 2015). These proprietary storage devices attach directly to the computer’s PCI-E bus, and require the OS to use the correct driver.

Most but not all PCI-E SSD drives support all of the same technologies as their full-size SATA-connected counterparts. Depending on the version of the driver, OS version, and the model of the PCI-E SSD drive, these disks may or may not work correctly with trim.

On a logical level, PCI-E SSD drives can work via the AHCI or NVMe interface.

Intel NVMe SSD drive.

In general, the following compatibility matrix applies to PCI-E SSDs:

  • Mac OS X: trimming is supported on all Apple devices with factory installed PCI-E SSD drives.
  • Macbook computers running Windows: Apple Macbooks use proprietary PCI-E SSD drives. Normally, Apple Bootcamp is used to install Windows as a double-boot or sole OS. In these configurations, trim pass-through is supported where applicable (see below).
  • Windows: trim support for PCI-E drives depends on Windows version and the presence of the correct driver.
    • Windows 7: trim not supported on PCI-E drives regardless of the drivers, even if the PCI-E SSD would accept the command.
    • Windows 8, 8.1 and Windows 10: trim supported with native Microsoft drivers. Trimming in NVMe-based PCI-E SSDs is also supported. Devices using the SCSI driver stack support ‘unmap’, which is a full analog of the trim command from SATA.

NVM Express (NVMe) SSDs


NVMe is a modern logical interface specification that replaces the old AHCI. NVMe is employed in certain high-end PCI-E SSD models in various form factors. Apple MacBook 2015 uses NVMe interface on a proprietary SSD drive soldered to the motherboard. NVMe is still fairly new, with some motherboards failing to recognize NVMe storage as bootable devices.


NVM Express, or NVMe, is a relatively new logical drive interface for implementing non-volatile storage over a PCI Express (PCI-E) bus. NVMe has been designed from the ground up to realize the low latency and internal parallelism of flash-based storage devices.

Similar to SATA SSD drives that exist as 2.5” drives and as slim M.2 boards, NVM Express devices are also available as full-size PCI Express expansion cards, laptop-size boards and 2.5” drives that look similar to SATA SSD drives, only utilizing a PCI Express interface through the U.2 connector instead of a SATA port.

Some NVMe drives look like an ordinary SSD.

NVMe includes trim support as part of the optional command set. In real-life scenarios, NVMe SSD drives are typically found in high-end systems that are properly configured to enable data trimming.

Imaging M.2 and PCI-E SSDs

Forensic imaging of storage devices has its own demands. In particular, the connection to a write-blocking device is an obligatory requirement for digital forensics.

Imaging an M.2 or PCI-E SSD drive requires the use of a dedicated adapter. At this time, there are very few forensic disk imaging solutions targeting M.2 or PCI-E storage devices. Considering that there are at least three different types of M.2 SSDs (here we will not talk about the differences between B-key and M-key connectors), you are looking for a solution to support M.2 SATA (AHCI), M.2 PCI-E (AHCI) and M.2 PCI-E (NVMe) devices.

One solution that supports all three types of M.2 SSDs (albeit with M-key connectors only) is Atola DiskSense. The M.2 SSD drive is first connected to an adapter, then plugged into the imaging unit. Full support is available for SATA devices, while essential features (such as imaging and damaged drive support) are provided for PCI-E drives.

Atola M.2 adapter

Atola M.2 adapter attached to the imaging unit

Atola DiskSense creates forensically sound disk images that can be analyzed with your forensic tool of choice. Our preferred software is Belkasoft Evidence Center – integrated solution for forensic analysis of computer and mobile devices with support for 700 types of digital evidence: pictures and videos, documents, mobile apps, encrypted files and volumes, data from browsers, instant messengers, clouds and social media, system files, registries, SQLite databases, and more.

Atola DiskSense is included in Computer Acquisition Module for Evidence Center. Together with portable RAM capturing tool, this combination of software and hardware will allow you to cover the full forensic cycle from acquisition stage to evidence discovery, analysis, and reporting.

Evidence Center can mount and analyze disk images created by Atola DiskSense, as well as many other types of images

Imaging Apple Proprietary PCI-E SSDs

Apple-made SSD drives used in full-size Macbooks employ proprietary connectors. In addition to being PCI-E, Apple’s SSD drives are also NVMe (as opposed to being AHCI-compliant). Forensic solutions for reading NVMe drives are virtually non-existent, while finding forensic-grade hardware for acquiring Apple proprietary SSD drives can be plain difficult.

Atola manufactures an extensible imaging solution that comes with a number of optional adapters including adapters for imaging proprietary Apple PCI-E SSDs:

Adapter for imaging Apple PCI-E SSDs

Apple adapter at work

Read more in Part 2

In the Part 2 of this article we will bring out more on the topic with the insight into the eMMC storages, eMMC trimming, and external SSDs.

About the authors

Oleg Afonin is an author, expert, and consultant in computer forensics.

Yuri Gubanov is a renowned digital forensics expert. He is a frequent speaker at industry-known DFIR conferences. Yuri is the Founder and CEO of Belkasoft, the manufacturer of digital forensic software empowering police departments in 130+ countries. With years of experience in digital forensics and security domain, Yuri led forensic training courses for multiple law enforcement departments in several countries. You can add Yuri Gubanov to your LinkedIn network at http://linkedin.com/in/yurigubanov.