This document discusses challenges with recovering data from solid state drives (SSDs) compared to traditional hard disk drives (HDDs). SSDs use flash memory instead of spinning disks, which allows for no moving parts but introduces new issues. Data on SSDs can be lost through self-maintenance routines like TRIM and garbage collection that automatically erase deleted data. Imaging SSDs for data recovery or forensic purposes is more difficult due to proprietary technologies, encryption, and these self-maintenance routines. The document outlines DriveSavers' experience and processes for recovering data from SSDs despite these challenges.

1. DriveSavers Data Recovery
Title:
ESI Recovery from Solid State Technology
New Challenges for eDiscovery
Presented by:
Chris Bross
Senior Enterprise Recovery Engineer

2. Survey
How many of you own a Solid State Device?
y y
Smart Phone, Camera, Tablet, Ultrabook?

3. NAND flash

4. Who is DriveSavers?
Corporate Profile
Pioneered th d t recovery i d t 27 years ago
Pi d the data industry
Global leader in secure data recovery services
Who We Serve
eDiscovery and L
Di d Law fifirms, fi
financial organizations, F t
i l i ti Fortune 500 companies,
i
healthcare institutions, government agencies, universities and consumers
Compliance and security dependent clients
Capabilities
Fastest, most reliable, and most secure provider
All storage devices — All OS supported
Forensic imaging, eDiscovery and Data Sanitization

5. Data Recovery & Imaging Defined
Software
User and professional tools available
Ineffective with hardware failure
Professional Data Recovery Service
Reverse engineering laboratory and clean rooms
Resolve hardware and more complicated failures
p
Forensic Imaging
Data as evidence
Acquisition, analysis and reporting process

6. The Data Storage Market
Hard Disk Drive
History and market dominance
Current and projected growth
Solid State Drives
Growth in Ultrabooks, MacBooks, premium laptops
In the Enterprise and in the Cloud
p
Smart Devices
2007 birth of the iPhone
Explosive global growth

7. Solid State Storage Defined

8. Solid State Storage Defined
Data Storage on (
g (NVM) Non-Volatile Memory
) y
Semiconductor chip based cellular data storage
NAND flash Technology
Most common NVM today
Costs decreasing, capacity increasing
Scalability, density and reliability challenges
y y y g
Advantages over traditional hard disk drives
No mechanical points of failure
Performance, reliability, power efficiency, security

9. Reliability of Solid State Devices
Reliability Expectations
y p
No mechanical failures, no moving parts
Higher MTBF and lower AFR
Reality in the Data Recovery Lab
Failure does occur, volume increasing with installed base
Recovery can be more challenging than with HDD
y g g
Storage Industry & Technology Evolving
Each generation more reliable
Intel as an example

10. Why Data Recovery from SSD?
Physical & Environmental Issues
y
Impact or physical trauma to device
Environmental or liquid exposure
Device Failure
Electro-logical failure
Controller/firmware or NAND flash
User Fault or Malicious Attack
Data deletion, accidental format
Encryption issues

11. The Issue: Imaging of ESI from SSD
Hard Disk Drive (HDD)
( )
Data stored magnetically on platters
Long data retention, proven imaging methods
Solid State Drive (SSD)
Data stored electronically in cells, within pages, on chips
Shorter data retention, more imaging challenges
g g g
Data Lost Due to Self Maintenance of SSD
Routines like TRIM and garbage collection can
result in automatic destruction of data

12. The Story: Mat Honan @ Wired
Photo: Ariel Zambelich/Wired. Illustration: Ross Patton/Wired

13. Data in Cloud and Solid State

14. The Challenges in this Case
Secure Remote Wipe via iCloud hack of 3 Devices
p
Physical layer overwrite of all data
All storage devices were solid state, no magnetic HDD
iOS Devices Not Recoverable
Remote secure wipe was completed
Apple iOS and hardware encryption complication
pp yp p
MacBook Air w SSD Successful Recovery
“Perfect Storm” of events
Complications of image and recovery process
due to SSD self maintenance

15. Challenges in Forensic Imaging

16. Challenges in Forensic Imaging
Proprietary Technologies From OEM
p y g
Highly protected trade secrets may prevent data access
Rapid competitive technology advances
Encryption
Default built in to SSD hardware controller
Corporate software encryption deployments
p yp p y
TRIM & Garbage Collection
Self maintenance and performance routines
Detrimental to recovery and forensic imaging

17. Encryption
In Software
Common in large corporate or government deployments
No imaging issues if keys/credentials are provided
Physical failure can produce partial corrupt image
In Hardware
Controller or firmware failure can prevent imaging
p g g
Encryption key unknown to user
Firmware reload can trigger key regeneration
Linked via TPM to software encryption

18. TRIM
TRIM defined
Operating system command to remove data at device level
TRIM support
Must be enabled in hardware and supported in software
Current Windows, MacOS and Linux full implementation
Operation and R
O ti d Results
lt
Runs immediately upon empty of recycle bin
Resets (programs) cells to 1 (erased)
Data is unrecoverable

19. Garbage Collection
Background Garbage Collection (
g g (BGC) defined
)
Automatic controller function for maintenance
BGC support
All current SSDs support in hardware
OS independent operation
Operation and R
O ti d Results
lt
Runs indeterminately and quickly in the background
Defragments and optimizes saved data
Resets (programs) cells to 1 (erased)
Prior data is unrecoverable

20. Process in the Recovery Lab

21. Process in the Recovery Lab
Capture & Acquire Image ASAP
p q g
Source is a moving target that may degrade/purge data
Disabling BGC impossible without help from OEM
Using a write-blocker DOES NOT stop these processes
write blocker
Image Access Via Controller & Data Interface
Ideal to work with device intact and functional
Imperative for encrypting devices
NAND Chip Extraction and Imaging
Only on non-encrypting devices
Complicated reverse engineering of write algorithm

22. Advantages at DriveSavers Lab
Engineering and Experience
g g p
Hundreds of thousands of cases completed
Specialized SSD and NAND engineers
Strategic Industry Alliances
Trusted exchange of field failure analysis
Development of OEM specific tools
p p
R&D
Non-stop commitment to new tools and tech
Acting as “thought leaders” for the industry

23. Forensic and eDiscovery Services
Data Collection
Data Processing
Data Export
p
Data Review and Hosting
Expert Witness Testimony
Litigation Management
Data Analytics

24. Best Practices To Follow
Understand the Differences of HDD vs SSD Imaging
g g
First chance may be only chance
Understand the limitations of the technology
Litigation Hold Letters
Consider specific instructions for SSD ESI requests
Require immediate imaging of devices
q g g
If Unable to Image SSD
STOP, power off and engage a professional lab
ESI will potentially degrade with any attempts

25. Looking Forward
Greater Market Adoption of Solid State Storage
p g
Everything mobile, corporate and enterprise
Solid State now in the Cloud!
SandForce/LSI example
New Technologies = New Challenges
More security, encryption & “secret sauce”
Compression, de-duplication, FTL
Sanitization of SSD
Imaging and Recovery Challenges Continue

26. DriveSavers Data Recovery
Q&A

27. DriveSavers Data Recovery
Thank You!
Chris Bross
Senior Enterprise Recovery Engineer
chris.bross@drivesavers.com
chris bross@drivesavers com