DOCSLIB.ORG

Forensic Research on Solid State Drives Using Trim Analysis

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Forensic Research on Solid State Drives Using Trim Analysis St. Cloud State University theRepository at St. Cloud State Culminating Projects in Information Assurance Department of Information Systems 4-2020 Forensic Research on Solid State Drives using Trim Analysis Rusvika Reddy Nimmala [email protected] Follow this and additional works at: https://repository.stcloudstate.edu/msia_etds Recommended Citation Nimmala, Rusvika Reddy, "Forensic Research on Solid State Drives using Trim Analysis" (2020). Culminating Projects in Information Assurance. 106. https://repository.stcloudstate.edu/msia_etds/106 This Starred Paper is brought to you for free and open access by the Department of Information Systems at theRepository at St. Cloud State. It has been accepted for inclusion in Culminating Projects in Information Assurance by an authorized administrator of theRepository at St. Cloud State. For more information, please contact [email protected]. Forensic Research on Solid State Drives using Trim Analysis By Rusvika Reddy Nimmala A Starred Paper Submitted to the Graduate Faculty of St. Cloud State University in Partial Fulfillment of the Requirements for the Degree of Master of Science in Information Assurance May, 2020 Starred Paper Committee: Mark Schmidt, Chairperson Lynn Collen Sneh Kalia 2 Abstract There has been a tremendous change in the way we store data for the past decade. Hard Disk Drives, which were one of the major sources of storing data, are being replaced with Solid State Drives considering the higher efficiency and portability. Digital forensics has been very successful in recovering data from Hard Disk Drives in the past couple of years and has been very well established with Hard Disk Drives. The evolution of Solid State Drives over Hard Drive Drives is posing a lot of challenges to digital forensics as there are many crucial factors to be considering the architecture and the way data is stored in Solid State Drives. This paper gives a very detailed picture of the evolution of Solid State Drives over Hard Disk Drives. We understand the differences in their architecture and the ways to extract data from them. We further discuss in detail the various challenges Solid State Drives pose to the field of digital forensics, and we try to answer contradictory beliefs those are 1) Would data be permanently deleted in a Solid State Drives destroying the forensic evidence required to solve a case? 2) Can data be restored in a Solid State Drives by using proper techniques and still can be used as evidence in digital forensics? In this paper, we talk about the introduction of concepts such as the TRIM Command and Garbage collection, their importance, and we set up an experimental scenario where we implement the TRIM command and try extracting data from different types of Solid State Drives. We compare and evaluate the results obtained through the experiment and try to analyze the uses of the TRIM command and its performance over various Solid State Drives. The paper also discusses future work to make the role of Solid State Drives more efficient in digital forensics. 3 Table of Contents Page List of Tables ............................................................................................................................ 7 List of Figures ........................................................................................................................... 8 Chapter I. Introduction ....................................................................................................................... 13 What is Forensics? ..................................................................................................... 13 Digital forensics ........................................................................................................ 13 Digital Evidence ........................................................................................................ 14 Integrity and Dependence of Digital Evidence ......................................................... 15 The process of Digital Forensics ............................................................................... 16 Pros and cons of Digital forensics ............................................................................. 17 Problem Statement .................................................................................................... 18 Nature and Significance of the Problem .................................................................... 19 Objective of the Study ............................................................................................... 19 Study Questions ......................................................................................................... 19 Limitations of the Study ............................................................................................ 20 Definition of Terms ................................................................................................... 20 Summary ................................................................................................................... 20 4 Chapter Page II. Background and Literature Review .................................................................................. 21 Introduction ............................................................................................................... 21 Background Related to the Problem .......................................................................... 21 Literature Review Related to the Problem ................................................................ 21 Hard Disk Drive (HDD) ..................................................................................... 21 Architecture and operation of HDD ................................................................... 22 Data arrangement on hard disks ......................................................................... 23 How is Data deleted in HDD? ............................................................................ 25 How does data recovery happen in HDD? ......................................................... 29 Challenges of HDD ............................................................................................ 31 Solid State Drive (SSD) ..................................................................................... 32 Architecture and operation of SSD .................................................................... 33 How does data deletion happen in SSD? ........................................................... 36 How does data recovery happen in the SSD? .................................................... 39 Challenges of SSDs ............................................................................................ 41 Hard Disk Drive Vs. Solid State Drive .............................................................. 42 Literature Related to the Methodology ..................................................................... 47 Features and Techniques Solid-State Drives ..................................................... 47 5 Chapter Page Wear Levelling................................................................................................... 47 TRIM Functionality ........................................................................................... 51 Self-Corrosion .................................................................................................... 53 Garbage Collection ............................................................................................ 54 Encryption .......................................................................................................... 57 Summary ................................................................................................................... 58 III. Methodology ..................................................................................................................... 59 Introduction ............................................................................................................... 59 Design of the study .................................................................................................... 60 Data Collection .......................................................................................................... 60 Tools and Techniques ................................................................................................ 61 Hardware and software requirements ................................................................ 61 Test Devices ....................................................................................................... 61 Literature Related to Methodology ........................................................................... 63 How does TRIM SSD work? ............................................................................. 63 Enabling TRIM for SSDs in Windows Operating System ................................ 64 How to Check for TRIM status on SSD?........................................................... 65 How to enable TRIM for SSD? ......................................................................... 65 6 Chapter Page How to disable TRIM for SSD?......................................................................... 65 Summary .................................................................................................................. 65I IV. Data Presentation and Analysis ........................................................................................ 66 Introduction ..............................................................................................................
Load more

Recommended publications
  • A New Generation of Hard Disk Recovery Software
    EASEUS Data Recovery Wizard Free Edition – A New Generation of Hard Disk Recovery Software NEW YORK CITY, N.Y., June 29 (SEND2PRESS NEWSWIRE) — EASEUS Data Recovery Wizard Free Edition, the innovative and leading data recovery software, has proven itself to be the first world-wide free hard disk recovery software and a new generation in its category since its release. Totally free and providing powerful features that no other free data recovery software like Recuva™ and Pandora™ have, even some commercial ones, it is the most popular and feature-rich hard disk recovery freeware for Windows today. With the use of computers continuing to increase, hard disk recovery is not a welcome task, but something that is very important for our business and daily life. Those who have computers know data loss is a common possibility because of accidental deletion, format, partition damage or loss, software crash, computer virus infection, power failure, etc. Whatever the cause, quality free hard disk recovery software is a preferable remedy to data loss and to get those lost files back quickly and easily. EASEUS Data Recovery Wizard Free Edition, the professional and comprehensive Windows disk recovery software, helps recover deleted or lost files easily from hard drive disks or other storage media whenever needed, and is tops in other areas due to: * Totally free and with powerful features of commercial ones; * Unformat files with original file name and storage paths; * FAT/NTFS Partition recovery when partitions are deleted or damaged; * Recover files from dynamic disk and RAID; * Recover lost files from Linux (EXT2/EXT3) files system under Windows; * Recover files from all kinds of storage media like external hard drive, USB disk, SD card, memory card; * Continue data recovery process at any time you want.
    [Show full text]
  • CERIAS Tech Report 2017-5 Deceptive Memory Systems by Christopher N
    CERIAS Tech Report 2017-5 Deceptive Memory Systems by Christopher N. Gutierrez Center for Education and Research Information Assurance and Security Purdue University, West Lafayette, IN 47907-2086 DECEPTIVE MEMORY SYSTEMS ADissertation Submitted to the Faculty of Purdue University by Christopher N. Gutierrez In Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy December 2017 Purdue University West Lafayette, Indiana ii THE PURDUE UNIVERSITY GRADUATE SCHOOL STATEMENT OF DISSERTATION APPROVAL Dr. Eugene H. Spa↵ord, Co-Chair Department of Computer Science Dr. Saurabh Bagchi, Co-Chair Department of Computer Science Dr. Dongyan Xu Department of Computer Science Dr. Mathias Payer Department of Computer Science Approved by: Dr. Voicu Popescu by Dr. William J. Gorman Head of the Graduate Program iii This work is dedicated to my wife, Gina. Thank you for all of your love and support. The moon awaits us. iv ACKNOWLEDGMENTS Iwould liketothank ProfessorsEugeneSpa↵ord and SaurabhBagchi for their guidance, support, and advice throughout my time at Purdue. Both have been instru­ mental in my development as a computer scientist, and I am forever grateful. I would also like to thank the Center for Education and Research in Information Assurance and Security (CERIAS) for fostering a multidisciplinary security culture in which I had the privilege to be part of. Special thanks to Adam Hammer and Ronald Cas­ tongia for their technical support and Thomas Yurek for his programming assistance for the experimental evaluation. I am grateful for the valuable feedback provided by the members of my thesis committee, Professor Dongyen Xu, and Professor Math­ ias Payer.
    [Show full text]
  • Data & Computer Recovery Guidelines
    Data & Computer Recovery Guidelines Data & Computer Recovery Guidelines This document contains general guidelines for restoring computer operating following certain types of disasters. It should be noted these guidelines will not fit every type of disaster or every organization and that you may need to seek outside help to recover and restore your operations. This document is divided into five parts. The first part provides general guidelines which are independent of the type of disaster, the next three sections deal with issues surrounding specific disaster types (flood/water damage, power surge, and physical damage). The final section deals with general recommendations to prepare for the next disaster. General Guidelines 2. Your first step is to restore the computing equipment. These are general guidelines for recovering after any type If you do try to power on the existing equipment, it of disaster or computer failure. If you have a disaster is best to remove the hard drive(s) first to make sure recovery plan, then you should be prepared; however, the system will power on. Once you have determined there may be things that were not covered to help the system powers on, you can reinstall the hard drive you recover. This section is divided into two sections and power the system back on. Hopefully, everything (computer system recovery, data recovery) works at that point. Note: this should not be tried in the case of a water or extreme heat damage. Computer System Recovery 3. If the computer will not power on then you can either The first step is to get your physical computer systems try to fix the computer or in many cases it is easier, running again.
    [Show full text]
  • Data Remanence in Non-Volatile Semiconductor Memory (Part I)
    Data remanence in non-volatile semiconductor memory (Part I) Security Group Sergei Skorobogatov Web: www.cl.cam.ac.uk/~sps32/ Email: [email protected] Introduction Data remanence is the residual physical representation of data that has UV EPROM EEPROM Flash EEPROM been erased or overwritten. In non-volatile programmable devices, such as UV EPROM, EEPROM or Flash, bits are stored as charge in the floating gate of a transistor. After each erase operation, some of this charge remains. It shifts the threshold voltage (VTH) of the transistor which can be detected by the sense amplifier while reading data. Microcontrollers use a ‘protection fuse’ bit that restricts unauthorized access to on-chip memory if activated. Very often, this fuse is embedded in the main memory array. In this case, it is erased simultaneously with the memory. Better protection can be achieved if the fuse is located close to the memory but has a separate control circuit. This allows it to be permanently monitored as well as hardware protected from being erased too early, thus making sure that by the time the fuse is reset no data is left inside the memory. In some smartcards and microcontrollers, a password-protected boot- Structure, cross-section and operation modes for different memory types loader restricts firmware updates and data access to authorized users only. Usually, the on-chip operating system erases both code and data How much residual charge is left inside the memory cells memory before uploading new code, thus preventing any new after a standard erase operation? Is it possible to recover data application from accessing previously stored secrets.
    [Show full text]
  • Databridge ETL Solution Datasheet
    DATASHEET Extract and Transform MCP Host Data for Improved KEY FEATURES Client configuration tool for Analysis and Decision Support easy customization of table layout. Fast, well-informed business decisions require access to your organization’s key performance Dynamic before-and-after indicators residing on critical database systems. But the prospect of exposing those systems images (BI-AI) based on inevitably raises concerns around security, data integrity, cost, and performance. key change. 64-bit clients. For organizations using the Unisys ClearPath MCP server and its non-relational DMSII • Client-side management database, there’s an additional challenge: Most business intelligence tools support only console. relational databases. • Ability to run the client as a service or a daemon. The Only True ETL Solution for DMSII Data • Multi-threaded clients to That’s why businesses like yours are turning to Attachmate® DATABridge™. It’s the only increase processing speed. true Extract, Transform, Load (ETL) solution that securely integrates Unisys MCP DMSII • Support for Windows Server and non-DMSII data into a secondary system. 2012. • Secure automation of Unisys With DATABridge, you can easily integrate production data into a relational database or MCP data replication. another DMSII database located on an entirely different Unisys host system. And because • Seamless integration of DATABridge clients for Oracle and Microsoft SQL Server support a breadth of operating both DMSII and non-DMSII environments (including Windows 7, Windows Server 2012, Windows Server 2008, UNIX, data with Oracle, Microsoft SQL, and other relational AIX, SUSE Linux, and Red Hat Linux), DATABridge solutions fit seamlessly into your existing databases. infrastructure.
    [Show full text]
  • File Scavenger User Guide
    File Scavenger® Version 3.2 Comprehensive Data Recovery Tool For Microsoft® Windows® 7, Vista, XP, 2008, 2003, 2000 and NT User’s Guide Revision: 4 Date: September 2010 QueTek® Consulting Corporation COPYRIGHT © Copyright 1998-2010. This document contains materials protected by International Copyright Laws. All rights reserved. No part of this manual may be reproduced, transmitted or transcribed in any form and for any purpose without the express written permission of QueTek® Consulting Corporation. TRADEMARKS Companies and products mentioned in this manual are for identification purpose only. Product names or brand names appearing in this manual may or may not be registered trademarks or copyrights of their respective companies. NOTICE Reasonable effort has been made to ensure that the information in this manual is accurate. QueTek® Consulting Corporation assumes no liability for technical inaccuracies, typographical, or other errors contained herein. QueTek® Consulting Corporation provides this manual “as is” without warranty of any kind, either express or implied, including, but not limited to the implied warranties or conditions of merchantability or fitness for a particular purpose. In no event shall QueTek® Consulting Corporation be liable for any loss of profits, or for direct, indirect, special, incidental or consequential damages arising from any defect or error in QueTek® Consulting Corporation’s products or manuals. Information in this manual is subject to change without notice and does not represent a commitment on the part of QueTek® Consulting Corporation. User Guide - ii LICENSE AGREEMENT AND LIMITED WARRANTY READ THE FOLLOWING TERMS AND CONDITIONS CAREFULLY PRIOR TO PURCHASING THE LICENSE CODE TO UNLOCK FILE SCAVENGER®.
    [Show full text]
  • User's Manual Undelete® for Windows
    User’s Manual Undelete® for Windows® Up-to-the-minute Data Protection® July 2007 This document describes the installation and operation of the Undelete file recovery solutions. It applies to the Server, Desktop Client, Professional and Home Editions of Undelete and is intended for Windows users and system managers. Revision/Update Information: This is a revised manual Software Versions: Undelete 5.0 Server Edition Undelete 5.0 Professional Edition Undelete 5.0 Home Edition Undelete 5.0 Desktop Client Operating Systems: Windows Server 2003 Windows XP Windows 2000 Diskeeper Corporation, Burbank, California ________________________ July 2007 _________ © 2000 — 2007 by Diskeeper Corporation The Software described in this document is owned by Diskeeper Corporation and is protected by United States copyright laws and international treaty provisions. Therefore, you must treat the Software like any other copyrighted material (e.g. a book or musical recording) except that you may either (a) make one copy of the Software solely for backup or archival purposes, or (b) transfer the Software to a single hard disk provided you keep the original solely for backup or archival purposes. You may not copy the user documentation provided with the Software, except for your own authorized use. RESTRICTED RIGHTS LEGEND The software and documentation are provided with RESTRICTED RIGHTS. Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 or subparagraphs (c)(1) and (2) of the Commercial Computer Software-Restricted Rights at 48 CFR 52.227-19 as applicable.
    [Show full text]
  • Technology of Enterprise Solid State Drive
    White Paper | April 2014 Technology of Enterprise Solid State Drive Recently, large capacity and high-performance storages are highly required in the cloud computing and data center due to rapidly increasing amount of information and number of access. When many people heavily access to internet services such as social network service (SNS) or web search engine, they will always expect an instant response from the service. In the corporate on-premise network system and financial trading system, micro seconds range of the response time makes big difference to the business outcome. As an evolution of the enterprise server and storage system, more focus is placed on speed, response time and latency to support large number of SNS user accesses and time-critical business transactions. Then Solid State Drive (SSD) plays an important role for server system to make the transactions faster. Enterprise class SSD is a storage device with NAND flash memories and required the design to store and retrieve data at very high speed under high duty operation conditions with reliable endurance performance. It will be very beneficial for system managers to deploy SSD for boosting up computing process and storage access speed. By positioning between host processor and hard disk drive (HDD) storage pools as a large cache memory, SSD increases the system transaction speed. SSD has also good points, in addition to higher performance, such as smaller footprint and lower power consumption. Toshiba has matured leading edge technologies in the SSD as the first company developing NAND flash memory. Interfaces Host Controller Interface) is popular for client application.
    [Show full text]
  • Database Analyst Ii
    Recruitment No.: 20.186 Date Opened: 5/25/2021 DATABASE ANALYST II SALARY: $5,794 to $8,153 monthly (26 pay periods annually) FINAL FILING DATE: We are accepting applications until closing at 5 pm, June 8, 2021 IT IS MANDATORY THAT YOU COMPLETE THE SUPPLEMENTAL QUESTIONNAIRE. YOUR APPLICATION WILL BE REJECTED IF YOU DO NOT PROVIDE ALL NECESSARY INFORMATION. THE POSITION The Human Resources Department is accepting applications for the position of Database Analyst II. The current opening is for a limited term, benefitted and full-time position in the Information Technology department, but the list may be utilized to fill future regular and full- time vacancies for the duration of the list. The term length for the current vacancy is not guaranteed but cannot exceed 36 months. The normal work schedule is Monday through Friday, 8 – 5 pm; a flex schedule may be available. The Information Technology department is looking for a full-time, limited-term Database Analyst I/II to develop and manage the City’s Open Data platform. Initiatives include tracking city council goals, presenting data related to capital improvement projects, and measuring budget performance. This position is in the Data Intelligence Division. Our team sees data as more than rows and columns, it tells stories that yield invaluable insights that help us solve problems, make better decisions, and create solutions. This position is responsible for building and maintaining systems that unlock the power of data. The successful candidate will be able to create data analytics & business
    [Show full text]
  • Error Characterization, Mitigation, and Recovery in Flash Memory Based Solid-State Drives
    ERRORS, MITIGATION, AND RECOVERY IN FLASH MEMORY SSDS 1 Error Characterization, Mitigation, and Recovery in Flash Memory Based Solid-State Drives Yu Cai, Saugata Ghose, Erich F. Haratsch, Yixin Luo, and Onur Mutlu Abstract—NAND flash memory is ubiquitous in everyday life The transistor traps charge within its floating gate, which dic- today because its capacity has continuously increased and cost has tates the threshold voltage level at which the transistor turns on. continuously decreased over decades. This positive growth is a The threshold voltage level of the floating gate is used to de- result of two key trends: (1) effective process technology scaling, termine the value of the digital data stored inside the transistor. and (2) multi-level (e.g., MLC, TLC) cell data coding. Unfortu- When manufacturing process scales down to a smaller tech- nately, the reliability of raw data stored in flash memory has also nology node, the size of each flash memory cell, and thus the continued to become more difficult to ensure, because these two trends lead to (1) fewer electrons in the flash memory cell (floating size of the transistor, decreases, which in turn reduces the gate) to represent the data and (2) larger cell-to-cell interference amount of charge that can be trapped within the floating gate. and disturbance effects. Without mitigation, worsening reliability Thus, process scaling increases storage density by enabling can reduce the lifetime of NAND flash memory. As a result, flash more cells to be placed in a given area, but it also causes relia- memory controllers in solid-state drives (SSDs) have become bility issues, which are the focus of this article.
    [Show full text]
  • Filesystem Considerations for Embedded Devices ELC2015 03/25/15
    Filesystem considerations for embedded devices ELC2015 03/25/15 Tristan Lelong Senior embedded software engineer Filesystem considerations ABSTRACT The goal of this presentation is to answer a question asked by several customers: which filesystem should you use within your embedded design’s eMMC/SDCard? These storage devices use a standard block interface, compatible with traditional filesystems, but constraints are not those of desktop PC environments. EXT2/3/4, BTRFS, F2FS are the first of many solutions which come to mind, but how do they all compare? Typical queries include performance, longevity, tools availability, support, and power loss robustness. This presentation will not dive into implementation details but will instead summarize provided answers with the help of various figures and meaningful test results. 2 TABLE OF CONTENTS 1. Introduction 2. Block devices 3. Available filesystems 4. Performances 5. Tools 6. Reliability 7. Conclusion Filesystem considerations ABOUT THE AUTHOR • Tristan Lelong • Embedded software engineer @ Adeneo Embedded • French, living in the Pacific northwest • Embedded software, free software, and Linux kernel enthusiast. 4 Introduction Filesystem considerations Introduction INTRODUCTION More and more embedded designs rely on smart memory chips rather than bare NAND or NOR. This presentation will start by describing: • Some context to help understand the differences between NAND and MMC • Some typical requirements found in embedded devices designs • Potential filesystems to use on MMC devices 6 Filesystem considerations Introduction INTRODUCTION Focus will then move to block filesystems. How they are supported, what feature do they advertise. To help understand how they compare, we will present some benchmarks and comparisons regarding: • Tools • Reliability • Performances 7 Block devices Filesystem considerations Block devices MMC, EMMC, SD CARD Vocabulary: • MMC: MultiMediaCard is a memory card unveiled in 1997 by SanDisk and Siemens based on NAND flash memory.
    [Show full text]
  • SATA 6Gb/S 3I+1 SSD Hybrid Pcie Quick Installation Guide
    SATA 6Gb/s 3i+1 SSD Hybrid PCIe Quick Installation Guide Introduction The SATA 6Gb/s 3i+1 SSD Hybrid PCIe is a high performance SATA host adapter which adds three Serial ATA 6Gb/s channels and one SATA SSD socket to your PCIe-equipped computer and helps users to save more space in their computer. Features and Benefits • Compliant with Serial ATA specification, Revision 3.0 • Built-in socket for a 2.5" SATA SSD for space saving and superior drive performance • Hybrid (HyperDuo) enables 80% of SSD performance at one-third the cost • Hardware RAID to offload the host CPU for max performance. Supports RAID 0, 1 & 10 04-0897A 1 • Supports Port Multiplier FIS-based and Native Command Queuing (NCQ) • Supports TRIM to extend the life of SSDs for maximum durability System Requirements • Desktop PC with an available 4-lane (or more) PCIe slot • Windows® 8 (32-/64-bit) / 7 (32-/64-bit) / Vista (32-/64-bit) / XP (32-/64-bit) /Server 2003 & 2008 (32/64-bit) / Server 2008 R2 Package Contents • SATA 6Gb/s 3i+1 SSD Hybrid PCIe • SATA data cables (2) • Screws (4) • Driver CD • Quick installation guide 2 Layout + - HDD LED pins (Front chassis LED) 3 SATA internal connectors Screw holes SSD slot Figure 1: Layout Application Three HDDs or SSDs connected to the internal SATA channels One SSD installed to the SSD slot Figure 2: Application 3 Hardware Installation SSD Installation Install the 2.5" SATA SSD to the SATA 6Gb/s 3i+1 SSD Hybrid PCIe before card installation. 1. Simply insert the SATA SSD to end of the SSD slot.
    [Show full text]