Here is an interesting analysis of an SSD performed and reported by Alex Golding. You can find his blog at http://dig-forensics.blogspot.com/
-----------------------------
Solid State Drives are getting increasingly more affordable and therefore increasingly more common, especially with expensive laptops having them built in. If you’re not familiar with them; they basically use flash memory instead of magnetic disks; hence the name. They don’t need an arm to move across the disk reading the data so the seek times are much better and therefore they read data much faster than a normal hard-disk. They have a few different utilities which are meant to speed up the drive, I won’t go too technical but TRIM is one of these functions and when a file is deleted the area the file is stored is wiped to allow for quicker write speeds later.
Seeing as I just bought a Solid State Drive I thought it would be a good idea to check TRIM was working: I found a couple of utilities to get me started. The first thing to do was to launch the Computer Management program: This is obviously with Windows 7 as TRIM is supported by the OS without any fiddling around. Ubuntu will require further research. With Computer Management open you choose the drive in question and enter its properties menu.
In this case it is disk 0. The drive is only a 64gb drive due to lack of funds, its used primarily as an OS drive with the majority of programs also installed. It doesn’t half fly though! Remember to right-click on the Disk and not the partition. From here navigate to the details tab and choose Hardware Id’s from the drop down menu.
_
As you can see from the screenshot there is a long list of information but the end of each entry is key, in my case there is “0006”, this refers to the firmware number. As drives get newer all will have TRIM enabled by default but in my case it was essential to check the firmware supported it, and it does. The next thing to do is to run a command within command prompt to determine whether its enabled within Windows 7 (It should be). You need to launch the prompt as administrator otherwise the command won’t work. Easiest way to do this is search for cmd in the start menu and right-click run-as administrator and press yes/continue to the UAC. Once you have done this the following command needs to be entered:
fsutil behavior query disabledeletenotify
If it is set to 0 then TRIM commands are enabled, set to 1 and they are disabled. So Trim is enabled.
I also came across some software which supposedly tells you if TRIM is supported by the drive but I’m unsure if it just checks the drive type so in my opinion this is a better way of checking, but if you want to have a play the software is called “CrystalDiskInfo” available here: http://crystalmark.info/software/CrystalDiskInfo/index-e.html
Anyway now for the forensic side of it all. I took two drives, my main drive which is only 6 months old and the fastest HDD other than raptors – the F3 1TB and the c300 64GB. The fact that the drives are different sizes doesn’t matter here as there’s plenty of space free on each drive. I created two identical files with the word “TESTER” flooded until the file was 548KB. I saved this to the root directory of the main partition on each drive. I previewed the drives within EnCase with the files not deleted to ensure that they were visible as normal which they were:
SSD:
As you can see they are visible. I then removed the drives from the case and proceeded to delete both files from the drives using shift-delete to permanently delete them without entering the recycle bin. From deleting the files to adding the drives back into encase the whole process took 30 seconds. In this case both files were visible as deleted files:
SSD:
HDD:
The interesting thing was that even though the file was deleted from both, the SSD entry had the data wiped from where the file supposedly was whereas the HDD entry had the data intact. I searched the SSD for the word TESTER. But nothing was found. About ten minutes had passed in this time so I decided to add the devices back into encase and see if the file was still visible as a name for both. Low and behold the file had disappeared from the SSD and remained on the HDD.
SSD:
HDD:
This indicates that in the 30 seconds the entire file was wiped, it was interesting to see that in the first 30 seconds the file name was still visible but with no content this is almost useless. The HDD behaved as expected as it doesn’t support TRIM. After 10 minutes the file name was completely gone and I imagine it disappeared shortly after the device was added to EnCase. In theory all TRIM is handled in exactly the same way as it’s a call from the operating system which handles the blocks on the drive being wiped and not like garbage collection which is initiated solely by the firmware of the drive. It bares great significance to forensic acquisition as it’s not something that’s going to go away, it greatly improves write-speeds on SSD’s and could eventually be used on USB pen drives as they function in a very similar way.
(10396)