SSD and eMMC Forensics 2016
SSD and eMMC Forensics 2016 – Part 3
What Has Changed in 2016 in the Way SSD Drives Self-Destruct Evidence. Demystifying eMMC, M.2, NVMe, and PCI-E.
by Yuri Gubanov, Oleg Afonin
© Belkasoft Research 2016
In the previous part of the article, we talked about eMMC storages and external SSDs. We also mentioned TRIM when talking about trimming behavior of eMMC. We will talk a bit more about TRIM this time and then move on to some real-life cases.
More about TRIM: Checking TRIM Support
There are several levels of TRIM support, all of which are worth checking.
- TRIM support by the SSD drive itself.
- Whether TRIM is enabled and active on a given system/configuration.
- Whether TRIM is correctly implemented by the SSD controller.
- Whether the SSD supports and implements DRAT and DZAT.
Checking whether a particular SSD drive advertises TRIM support is as easy as reviewing its S.M.A.R.T. output, using the manufacturer’s bundled tool (e.g. SSD Toolbox, Samsung Magician and similar) or using a third-party tool such as CrystalDiskInfo.
NOTE: this test simply returns information about the theoretical capability of the SSD drive to support TRIM. It does not mean that TRIM is actually enabled on a given system, and does not certify that TRIM is correctly implemented by the SSD controller.
Checking whether TRIM is enabled in a particular system involves the use of a
command-line tool (must run under administrative account). Type “fsutil behavior
query DisableDeleteNotify” in the command line. If the result of “1” is returned,
TRIM is disabled; if you see “0”, TRIM is enabled. As you can see from the next
screenshot, on our system TRIM is enabled (“0” is returned).
NOTE: this test does not alter the content of the SSD drive being checked. However, it only displays whether TRIM is active on a given system. If you perform this test on your computer, it will not give the correct indication on whether or not TRIM was enabled on the suspect’s system.
What is particularly interesting, however, is whether TRIM is fully working in the given SSD drive or not. Normally, once information is deleted, a low-level read command will return a string of zeroes as specified by Definite Read After Trim (DRAT) or Definite Zeroes After Trim (DZAT). This is normal behavior in most 2 to 4 year old SSD models. However, many current entry-level SSD drives consider DRAT/DZAT support a luxury, while some SSD controllers partially forego TRIM due to the use of built-in compression (Sandforce controllers, Intel 535 series).
Checking factual TRIM support takes writing a block of data, deleting it, and reading that block again. If you can see the data that was originally written to a data block, TRIM support is at least partially ineffective (meaning that the data may or may not be erased in the future).
We discovered an open-source SSD TRIM Check tool: https://github.com/CyberShadow/trimcheck