SSD and eMMC Forensics 2016
SSD and eMMC Forensics 2016 – Part 2
What Has Changed in 2016 in the Way SSD Drives Self-Destruct Evidence. Demystifying eMMC, M.2, NVMe, and PCI-E.
by Yuri Gubanov, Oleg Afonin
© Belkasoft Research 2016
In the first part of this article, we reviewed different kinds of the most commonly used modern SSDs (M.2, PCI-E, NVMe devices) and talked about acquisition of these devices. In this part of the article, we will talk about external SSDs and eMMC and will cover trimming of eMMC.
The Advent of eMMC Storage
eMMC is a storage specification for flash-based non-volatile storage used in many compact and mobile devices. You will find eMMC storage in most Android smartphones, Android and Windows tablets, and in some of the less expensive Windows convertibles, low-end netbooks and ultra-portable devices, particularly those equipped with smaller displays and Intel Atom CPUs. eMMC storage has a lot in common with SD cards, and lacks sophistication and parallelism of SSD drives.
Traditionally, SSD drives have been large and expensive. Recent generations of Windows tablets, convertibles and ultra-light nettops (most of which are built around Intel Atom chip sets) employ a much smaller, cheaper and slower kind of storage in the form of eMMC chips. An eMMC chip is essentially an SD card that is built as a BGA chip soldered to the main board. Just like SSD drives, eMMC chips have a built-in controller, although eMMC controllers are considerably simpler and slower compared to those used in SSD drives. As a result, while eMMC may employ much of the same techniques as SSD drives (namely, overprovisioning, remapping, trimming and background erase), they may not implement some other options (e.g. many security features such as DRAT or DZAT). Even if an eMMC controller implements background garbage collection, it is going to work much slower compared to SSD drives since there is only a single channel available that is used for all read and write operations. eMMC chips do not have the massive parallelism of SSD drives, and are much slower to read or write data.
Notably, eMMC standard correctly defines trimming of empty blocks. So what happens to trimmed blocks located on an eMMC chip? Similar to an SSD drive, they may or may not be mapped out of the addressable space at any given time. Unlike SSDs, the eMMC standard does not define either DRAT (definite read after trim) or DZAT (definite zeroes after trim), which leaves it to the eMMC manufacturer to define what exactly the storage controller returns when an attempt is made to read a trimmed data block. In our experience, trimmed blocks that have not yet been erased may still be read by making a physical dump of the eMMC chip (via physical acquisition, JTAG, ISP or chip-off).
Imaged eMMC chips have a much higher probability to retain data in trimmed blocks compared to SSD drives.
Similar to SSD drives, eMMC chips may have an overprovisioned area that is non-addressable and inaccessible from the outside. There is no feasible way of extracting information from the overprovisioned area. The area is invisible to physical acquisition, JTAG, ISP or chip-off since overprovisioned data blocks are not mapped onto available address space. Only the built-in controller has access to these data blocks. No interface is exposed to allow reading them from outside of the chip. Even if you take the chip out and read it directly, you will be unable to access overprovisioned blocks, as chip-off extraction of eMMC chips still relies on sending commands to the eMMC controller.
A Word on External SSDs: The Advent of UASP
In our original article, we claimed that external SSD drives and USB enclosures did not provide trim functionality. Since then, a relatively new development has emerged.
A new storage connectivity protocol was developed specifically for attaching solid-state storage over USB. USB Attached SCSI (UAS or UASP) is a new protocol that uses the standard SCSI command set instead of the older USB Mass Storage protocol available in most current products.