SSD and eMMC Forensics 2016
SSD and eMMC Forensics 2016 – Part 1
What Has Changed in 2016 in the Way SSD Drives Self-Destruct Evidence. Demystifying eMMC, M.2, NVMe, and PCI-E.
by Yuri Gubanov, Oleg Afonin
© Belkasoft Research 2016
This publication continues the series started with an article on SSD forensics we published in 2012. We investigated the issues of SSD self-corrosion, demystified trimming, garbage collection and data remapping. Two years later, we revisited the issue. Back then, manufacturers released innovations in quick succession. 3D TLC, bigger and faster drives, the end of compressing controllers and the introduction of self-encrypting SSD drives were all big news. Fast-forward to 2016, and we have abundance of cheaper SSD models with seemingly little changes on the high-tech battlefront.
In addition to 2.5-inch models, we have seen a new popular form factor used in super-slim ultrabooks, and a new type of solid-state memory introduced by Samsung and used in many mobile devices. On the lower end of the spectrum, we are seeing eMMC chips being used in low-end Windows tablets and subnotebooks, where these chips take place of traditional SSD drives. In this article, we will try to figure out what all this means for a forensic investigator.
As this publication is designed to continue the original series, we skipped most of the basics, including definitions. If you are in the beginning of your journey into the world of SSD forensics, please consider reading the original publications first. Information provided in the original series still stands.
These and other Belkasoft articles can be found here: https://belkasoft.com/articles.
Nearly a decade ago, Solid State drives (SSD) revolutionized computer storage, bringing to the table blazing fast access speeds, low power consumption, and absence of moving parts. Along with these benefits, consumers saw severely restricted lifespan. An older SSD could only withstand so much wear before it would start losing memory. A limited number of write cycles still remains a limitation today. By this day, we still have to cope with the same limitations thanks to the ever shrinking manufacturing process and the invention of new types of NAND cells (namely TLC cells that can keep 3 bits of information per physical cell instead of 2 bits in MLC and a single bit in SLC cells).
In order to overcome these technological limitations while continuously reducing the cost-per-gigabyte of storage, manufacturers perfected some very smart software algorithms. These algorithms ensure that the load is distributed evenly among the cells, quickly remapping logical addresses of NAND cells to ensure that the next write operation will occur to a cell with the least wear.
Another limitation of flash-based memory is the fact that one can only write new data into an empty (erased) cell. Once an SSD drive fills up, each subsequent write operation would involve erasing the content of a data block and then writing new data into the cell. Since erasing flash cells is a much slower process than writing data, manufacturers implemented garbage collection algorithms that erase cells containing data that is no longer used by the system.