
The 7th Annual IEEE International Conference on Cyber Technology in Automation, Control and Intelligent Systems
July 31-August 4, 2017, Hawaii, USA

Inferring File System of Solid State Drives based on Current Consumption

Jacob Melton, Ryan Rakvic, James Shey, Hau Ngo, Kevin D. Fairbanks, Owens Walker, Justin Blanco, Dane Brown, Luke McDowell
Electrical and Computer Engineering Department
United States Naval Academy
Annapolis, MD, US

U.S. Government work not protected by U.S. copyright

Abstract—With the increasing demand for faster reliable secondary storage, Solid State Drives (SSDs) have provided a viable replacement for Hard Disk Drives (HDDs). SSDs contain NAND flash memory components and a processor that executes firmware at the device level to optimize performance. The on-board processor and firmware handle operations such as garbage collection and encryption with no visibility to the user. Therefore, classifying SSD internal behavior can help identify compromised devices. This paper utilizes high precision measurements of power used by an SSD, via an oscilloscope, to infer a drive's file system format. We consider four file systems (NTFS, exFAT, FAT32 and EXT4) and demonstrate that frequency analysis of power consumption can identify the system in use. In particular, we show that transforming the frequency-domain power signature with principal components analysis can produce a small number of highly predictive features. Using a k-NN classifier, we then demonstrate that these features enable an SSD's power signature to identify the correct file system with 94.3 percent accuracy on a Samsung SSD and with 96.5 percent accuracy on a Crucial SSD.

I. INTRODUCTION

A Solid State Drive (SSD) operates and stores data in a fundamentally different way from a Hard Disk Drive (HDD). SSDs utilize NAND-based flash memory, which has no moving magnetic components, while HDDs have rotating disks. More specifically, NAND flash memory utilizes an array of memory cells that are made up of floating gate transistors managed by the flash translation layer [1]. The transistors are arranged in columns connected in series, with the source terminal of a given transistor connected to the drain terminal of the next transistor. Many of these columns are placed together to form a memory block. Block sizes typically can range from 256KB to 4MB and, due to the arrangement of the flash memory, data has to be erased in blocks [2]. Since SSDs utilize NAND flash memory, they have lower access times, higher data transfer rates, and use less power compared to HDDs, which manipulate a magnetic film to record information. A controller on the SSD serves as a bridge to the host computer, executes garbage collection, and performs TRIM operations [3].

When using a secondary storage device such as an SSD, a file system is used to organize data in memory. A file system provides a method to organize physical data locations so that the operating system can keep track of and access the data. Some file systems such as NTFS provide additional functions such as fault tolerance, which provides an additional record of file locations in case of unforeseen errors [4]. This extra fault tolerance is a result of using a file system's journaling to track what data and metadata have not been fully committed. In the event of a system crash, the journal allows the drive to more quickly return to a consistent state. This paper investigates the file systems NTFS, exFAT, FAT32 and EXT4. EXT4 and NTFS are journaling file systems while exFAT and FAT32 are not. All of these file systems are commonly used in modern computing systems.

The main contribution of this paper is a measurement and analysis technique for inferring file system type by observing the current consumption of the measured device. Knowing the file system used on a drive can help identify what Operating System (OS) is being used with the SSD. Since OSs have default file systems, a method to determine the file system on a device can give information about the OS. It is important for computer forensics investigators to know the OS being used for a computer system. The OS controls how files are being accessed not only on the SSD but throughout the whole system [7]. Additionally, being able to classify the file system an SSD is formatted with, based on power consumption, can be used to identify malfunction or other abnormal behavior [5,6]. For instance, a unique component of SSDs compared to HDDs is the onboard controller. The user has no visibility into the controller's operations and therefore cannot determine if the firmware being executed contains malicious operations. Devices can have malware or Trojan circuits that compromise the security and integrity of information stored on the SSD. Therefore, it is important to develop techniques to analyze SSD behavior to ensure the device is performing as expected. In this work, we classify file systems using the current consumption signatures of read and write operations of varying size.

II. RELATED WORK

With their unique advantages, SSDs continue to gain popularity with consumers. In [3, 9, 10], the performance of SSDs is analyzed in different situations and potential improvements are proposed. For example, in [3] the TRIM operation's performance is analyzed in the EXT4 [15] and NTFS file systems. The TRIM operation is shown to degrade performance of the SSD over time.

In [11], the author uses a black box approach to analyze the performance of several different SSD models using a variety of workloads. Creating a model for SSD behavior is important for instances such as designing a storage system. The author of [12] explains how the unique components of SSDs such as the controller contribute to an inability to recover data from drives in a computer forensic situation. As SSDs get faster, more aggressive firmware programs store and permanently delete data in manners that affect recovery of information.

The authors of [8] present a method for inferring TRIM commands, which can be seen as the foundation of work that our team builds upon in this paper. These results show that power analysis techniques can be used to infer or gather more information about the internal operations of SSDs. In [13], a similar energy consumption monitoring technique is used to identify read and write operations across different manufacturers. Read and write operations for different SSDs contain similar energy consumption characteristics.

III. EXPERIMENTAL DESIGN

This section describes the experimental setup and the software used for data collection and analysis. The apparatus was developed in a previous study [8] to monitor SSD power consumption.

A. Hardware

In this section the physical components of the experiment are discussed.

1) Computer System: The computer used to program and interface with the SSD has an Intel Core i5-2400 processor with 8 GB DDR3 RAM. During the data collection phase, Windows 10 was running on the computer. The system had two drives mounted to it: the first was an ADATA SP600 SSD used to store the operating system and software required for the experiments, and the second was the target SSD. The target SSD was mounted as a secondary drive to ensure that the resulting current signature was unrelated to the OS operations occurring during the experiment.

2) Taking Measurements from SSD: The measurements were gathered from a daughterboard where a 0.1 Ohm precision resistor was placed in series with the power supply to the SSD, as seen in Fig. 1(a). By measuring the voltage (V) across a resistor (R) of known value, the current (I) supplied can be calculated through the equation V=IR.

Darmstadt, Germany) [14] as seen in Fig. 1(b). The data recorder was triggered externally by a voltage pulse sent over a USB-to-Serial connection to synchronize the start and stop times of the data runs.

Fig. 1. System Setup including (a) Daughterboard and (b) Data Recorder [8]

3) SSD: The target SSDs were a Samsung 850 Evo device with a size of 250GB and a Crucial MX200 device with a size of 250GB. The Samsung's model was MZ-75E250 with a read speed of 425 MB/s and write speed of 386 MB/s. The Crucial's model was CT500MX200SSD1, with a read speed of 555MB/s and a write speed of 500MB/s.

B. Data Collection and Analysis

1) Data Collection: The data collection process is semi-automated, with the manual step being the formatting of the drive with the desired file system of NTFS, exFAT, FAT32 or EXT4. Once the file system is chosen, a Python script creates files of a user-specified size ranging from 10MB to 1 GB comprised of random characters. Each of these different sized text files is then written to or read from the SSD fifteen times each while the current consumption of the device is being recorded. These same random text files are used for testing with both SSDs with their varying file systems. A total of 1800 current data files were gathered for the testing of four different file systems on an SSD. A minimum of two minutes is waited between the end of an operation and the initiation of another to ensure that any residual processes on the SSD were completed before the new operation. The end of an operation is determined when the host computer has finished writing or reading from the SSD. Two minutes was chosen because this amount of time ensures that there are no visually discernible signs of activity on the host computer or in the voltage signal resulting from the operation on the SSD. Subsequently, the SSD was reformatted with a different file system and this data gathering process was repeated.

2) Data Analysis: Since the data gathered by the Gen3i Data Recorder were voltage measurements, the data points were
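
The pipeline the abstract describes (shunt voltage converted to current with V=IR, a frequency-domain signature, principal components analysis, then a k-NN classifier) can be sketched as follows. This is an added example, not the authors' code: the traces are constructed, and the sample rate, the per-file-system ripple frequencies, the use of an FFT magnitude spectrum, the three components and k=3 are all assumptions chosen for illustration.

```python
import numpy as np

R_SHUNT = 0.1   # ohms, the series sense resistor described on the page
FS = 10_000     # assumed sample rate in Hz (not given on the page)
# Constructed ripple frequencies per file system; purely illustrative.
RIPPLE_HZ = {"NTFS": 200, "exFAT": 450, "FAT32": 700, "EXT4": 950}

def make_trace(label, rng, n=2048):
    """Constructed shunt-voltage trace: DC load + labelled ripple + noise."""
    t = np.arange(n) / FS
    amp = 0.005 * rng.uniform(0.8, 1.2)
    phase = rng.uniform(0, 2 * np.pi)
    ripple = amp * np.sin(2 * np.pi * RIPPLE_HZ[label] * t + phase)
    return 0.030 + ripple + rng.normal(0, 0.002, n)

def spectrum(v_shunt):
    """I = V / R, then the magnitude spectrum of the mean-removed current."""
    i = np.asarray(v_shunt) / R_SHUNT
    return np.abs(np.fft.rfft(i - i.mean()))

def pca_fit(X, k):
    """Return (mean, top-k principal axes) of the rows of X via SVD."""
    mu = X.mean(axis=0)
    _, _, vt = np.linalg.svd(X - mu, full_matrices=False)
    return mu, vt[:k]

def knn_predict(Z_train, y_train, z, k=3):
    """Majority label among the k nearest training points (Euclidean)."""
    nearest = np.argsort(np.linalg.norm(Z_train - z, axis=1))[:k]
    labels, counts = np.unique(np.array(y_train)[nearest], return_counts=True)
    return labels[np.argmax(counts)]

def run_demo(seed=0, per_class=15, n_components=3):
    """Train on one constructed set, score on another; returns accuracy."""
    rng = np.random.default_rng(seed)
    def dataset():
        y = [lab for lab in RIPPLE_HZ for _ in range(per_class)]
        return np.array([spectrum(make_trace(lab, rng)) for lab in y]), y
    X_train, y_train = dataset()
    X_test, y_test = dataset()
    mu, axes = pca_fit(X_train, n_components)
    Z_train, Z_test = (X_train - mu) @ axes.T, (X_test - mu) @ axes.T
    hits = sum(knn_predict(Z_train, y_train, z) == y
               for z, y in zip(Z_test, y_test))
    return hits / len(y_test)

if __name__ == "__main__":
    print(f"accuracy on constructed traces: {run_demo():.3f}")
```

The accuracy this prints reflects only how separable the constructed traces are and says nothing about real drives; with recorded data, `make_trace` would be replaced by loading the recorder's voltage samples.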