SSD and eMMC Forensics 2016—Part 2
What Has Changed in 2016 in the Way SSD Drives Self-Destruct Evidence. Demystifying eMMC, M.2, NVMe, and PCI-E.
by Yuri Gubanov, Oleg Afonin
© Belkasoft Research 2016
In the first part of this article, we reviewed different kinds of the most commonly used modern SSDs (M.2, PCI-E, NVMe devices) and talked about acquisition of these devices. In this part of the article, we will talk about external SSDs and eMMC and will cover trimming of eMMC.
The Advent of eMMC Storage
eMMC is a storage specification for flash-based non-volatile storage used in many compact and mobile devices. You will find eMMC storage in most Android smartphones, Android and Windows tablets, and in some of the less expensive Windows convertibles, low-end netbooks and ultra-portable devices, particularly those equipped with smaller displays and Intel Atom CPUs. eMMC storage has a lot in common with SD cards, and lacks sophistication and parallelism of SSD drives.
Traditionally, SSD drives have been large and expensive. Recent generations of Windows tablets, convertibles and ultra-light nettops (most of which are built around Intel Atom chip sets) employ a much smaller, cheaper and slower kind of storage in the form of eMMC chips. An eMMC chip is essentially an SD card that is built as a BGA chip soldered to the main board. Just like SSD drives, eMMC chips have a built-in controller, although eMMC controllers are considerably simpler and slower compared to those used in SSD drives. As a result, while eMMC may employ much of the same techniques as SSD drives (namely, overprovisioning, remapping, trimming and background erase), they may not implement some other options (e.g. many security features such as DRAT or DZAT). Even if an eMMC controller implements background garbage collection, it is going to work much slower compared to SSD drives since there is only a single channel available that is used for all read and write operations. eMMC chips do not have the massive parallelism of SSD drives, and are much slower to read or write data.
Notably, eMMC standard correctly defines trimming of empty blocks. So what happens to trimmed blocks located on an eMMC chip? Similar to an SSD drive, they may or may not be mapped out of the addressable space at any given time. Unlike SSDs, the eMMC standard does not define either DRAT (definite read after trim) or DZAT (definite zeroes after trim), which leaves it to the eMMC manufacturer to define what exactly the storage controller returns when an attempt is made to read a trimmed data block. In our experience, trimmed blocks that have not yet been erased may still be read by making a physical dump of the eMMC chip (via physical acquisition, JTAG, ISP or chip-off).
Imaged eMMC chips have a much higher probability to retain data in trimmed blocks compared to SSD drives.
Similar to SSD drives, eMMC chips may have an overprovisioned area that is non-addressable and inaccessible from the outside. There is no feasible way of extracting information from the overprovisioned area. The area is invisible to physical acquisition, JTAG, ISP or chip-off since overprovisioned data blocks are not mapped onto available address space. Only the built-in controller has access to these data blocks. No interface is exposed to allow reading them from outside of the chip. Even if you take the chip out and read it directly, you will be unable to access overprovisioned blocks, as chip-off extraction of eMMC chips still relies on sending commands to the eMMC controller.
A Word on External SSDs: The Advent of UASP
In our original article, we claimed that external SSD drives and USB enclosures did not provide trim functionality. Since then, a relatively new development has emerged.
A new storage connectivity protocol was developed specifically for attaching solid-state storage over USB. USB Attached SCSI (UAS or UASP) is a new protocol that uses the standard SCSI command set instead of the older USB Mass Storage protocol available in most current products.
Essentially, the new protocol supports trim pass-through via SCSI “unmap” command. However, in order for trim to work, all of the following conditions must be met:
- Full hardware support for UASP: computer motherboard, SSD, and storage controller in the enclosure must all support UASP
- OS support: Windows natively supports UASP since Windows 8
- Drivers: only a handful of UASP-compliant chipsets have Windows driver support
- Cable and USB port: UASP will only work if the device is connected with a USB3.0 cable to a USB3.0 port. Connecting with a different cable or using a legacy USB2.0 port will in most cases break compatibility (the drive will still work as a USB Mass Storage device but no trim support will be available)
UASP compliant external storage devices have been around since late 2014, so it is about time we include them in our new article.
More on USB3.0 TRIM support in AnandTech article: http://www.anandtech.com/show/8567/corsair-flash-voyager-gtx-usb-30-256gb-flash-drive-capsule-review
eMMC: Trimming Behavior in Windows and Android
Trimming behavior differs between Windows and Android devices. Since you are very likely to encounter eMMC memory in an Android smartphone or tablet, we will make a mention of it here, although a more specialized Android literature will give you much more technical details.
Windows
The trim command is issued to the OS immediately after the operating system releases a data block. Trimming only works on NTFS-formatted partitions. In addition, Windows 8 and later have a built-in disk optimization and defragmentation tool that can run periodically and trim the entire unallocated space on solid-state media. Windows 7 also has a disk defragmentation utility, although it does not come with optimization for solid-state media. In other words, once a file is deleted from an eMMC disk in Windows, you may assume its disk space has been trimmed (but not necessarily erased by the eMMC controller).
Android
Full trim support is only available in Android since version 4.3 Jelly Bean. Moreover, one can be certain that an Android device comes with active trim support if and only if the device originally shipped with Android 4.3 or newer. Many devices that shipped with Android 4.2 that were later updated to Android Kit Kat or even Lollipop never received trim support from their manufacturers (yet some other devices did).
According to Google, some 25% of all active Android devices are running Android 4.2 or earlier. Of those 34% running Kit Kat, an unknown number were updated from earlier versions of Android and did not receive full trim support. What about these older devices then?
Earlier versions of Android relied on Linux fstream for cleaning up unused data blocks. With no ‘live’ trimming available, the cleanup (trimming) was performed every time the device was shut down. This is one of the reasons for ACPO guidelines to exist, detailing the process of seizing and storing mobile devices in their original state (“if it’s turned on, don’t turn it off”).
If you are handling an Android device, and it is one of the older ones, you may be able to dump a physical image of its eMMC chip and have full access to its unallocated space.
Analyzing contents of SSD and eMMC devices with Belkasoft X
Once you are through with acquisition part, you will need a reliable forensic tool to examine the data source. Belkasoft X is an all-in-one forensic solution that allows investigators quickly and conveniently discover hundreds of various types of evidence, such as images and videos, documents, chats, browsing histories, system files, databases, and many more. Belkasoft X can analyze various digital devices—computers and laptops, smartphone and tablets, drones and RAM, as well as cloud-based data. Reporting feature is fast and convenient and has multiple options for investigators to choose from, and reports created by the product are accepted by courts worldwide.
Customers in law enforcement, police, military, business, intelligence agencies, and forensic laboratories in 130+ countries worldwide use Belkasoft X to fight homicide, crimes against children, drug trafficking, data leakage, fraud, and other online and offline crimes.
Get your hands on experience in working with Belkasoft X! Request a fully functional evaluation license at https://belkasoft.com/trial.
Part 3: Use Cases
Next part of the article describes a number of real-life examples of SSD usage and problems that people may face in doing so.
Did you like the article?
About the authors
Oleg Afonin is an author, expert, and consultant in computer forensics.
Yuri Gubanov is a renowned digital forensics expert. He is a frequent speaker at industry-known DFIR conferences. Yuri is the Founder and CEO of Belkasoft, the manufacturer of digital forensic software empowering police departments in 130+ countries. With years of experience in digital forensics and security domain, Yuri led forensic training courses for multiple law enforcement departments in several countries. You can add Yuri to your LinkedIn network at http://linkedin.com/in/yurigubanov.