Digital Forensics: PC-3000 SSD – how to bypass the TRIM

Hey there!

In this article we are going to talk about the TRIM command, which appeared at the beginning of the SSD era (around 14 years ago) and became a native feature of all existing Solid State Drives.

So, what is it and how does it work?

TRIM is an internal hardware SSD command that works together with the operating system. By default, TRIM has been fully integrated into all operating systems starting from Windows Vista SP1, Windows 7 and Mac OS X 10.6 (approximately 2009-2010).

We know that a NAND memory chip can write and read information extremely fast. But REWRITING is extremely slow, because NAND memory has to:

1. Find a place to write the new data;
2. Erase the old data (fill the NAND cells with zeroes);
3. Perform the write operation.

To prevent such slow processing, SSD developers decided to add the TRIM command (a garbage collector), which erases in the background all data that was marked as deleted. This saves time later, when the user decides to write new data to a place that has already been TRIMed and cleaned. How does the SSD know which data should be TRIMed? The operating system tells the drive which data was marked as “deleted”, and the SSD simply erases the blocks that belong to the deleted areas.

Scheme of TRIM activity

Zero size of TRIMed folders in DE

Sometimes the SSD can do something even easier: in the case of a quick format, the SSD simply erases the translator, the main microprogram that maps physical to logical sectors. As a result, the SSD returns only ZEROES on any attempt to read data from it (the new logical translator knows nothing about the old physical data, so it “reads” just zeroes).

Digital cameras can do the same thing with mSD, SD and CF cards when you format them in the camera by mistake. In RAW recovery you can’t find anything, because the translator has been erased and the new version of the translator doesn’t care about any old data.

In such a case, we use the PC-3000 Flash and our method to read the NAND memory from the mSD/SD card and reconstruct the image. Then it is possible to see the data in RAW and sometimes even to build an image with a complete or partial folder structure.

But for SSDs chip-off doesn’t work, because all modern SSDs use full hardware encryption or adaptive XOR with data compression, so we will not see any data inside the NAND before decryption.

Remember the good old days when a customer brought you a formatted HDD and asked for recovery? Just a few button clicks in DE, and you’ve got a complete folder structure and a dozen gigs of data in RAW.

Unfortunately, those days are gone, because even classic Hard Disk Drives based on Shingled Magnetic Recording (SMR) technology also use TRIM! As a result, after a quick format the translator is erased, and you get only zeroes instead of real data.

But let’s return to SSDs. Formatted SMR recovery will be a topic for a future blog article 🙂

So, let’s imagine that the customer formatted his SSD by mistake, and now he wants to recover the data. Is it possible? It depends on such things as the drive capacity, the amount of data written to the drive, etc. Usually, it takes from 10 minutes to 24 hours for the drive to completely erase the data in the background.

Modern SSD controllers have a multicore structure, which allows them to do a few things at the same time. For example, when you’re trying to scan the drive and find at least something in RAW using the Data Extractor, another CPU core will continue the background process and the data will keep being erased.

The main thing you should remember: the drive is TRIMing the data even if it’s simply connected to a power supply! Disconnecting a SATA-based SSD from the SATA cable will not help, because the CPU will keep erasing in the background.

Default drive initialization and processing

The only way to prevent the TRIM is to disable access from the CPU to the NAND chips! How can we do that? The only way is to short the drive into SAFE MODE – it disables any access to the NAND chips and keeps the drive operating in CPU-RAM mode only. So we can write something to RAM or read information from the RAM chip, but it is impossible to affect the NAND chips.

Example of SAFE MODE shorting on HP EX900 M.2 NVMe drive

Scheme of SAFE MODE on any SSD

Now, we need a Loader – a specialized and optimized small firmware made by ACELab developers. It’s something like a tiny firmware compatible with the target controller, in which ACELab developers have completely switched off all background activities and unlocked some additional features that were previously locked. If we have a compatible Utility, we can try to upload the loader into the drive RAM and get access to the Techno Mode of the SSD. Then we try to rebuild the translator using old copies of it and upload it into the drive RAM. After that, we can try to access the data in Data Extractor using the custom loader that we uploaded before. In this case, the drive works in single-channel mode: slowly, but without any background activity.

Scheme of Techno Mode after the Loader uploading

Now let’s summarize the information:

  1. TRIM works very fast. If something was deleted or the drive was formatted, you have just a few minutes before the data is gone forever;
  2. Do not plug the drive into a power source! Any drive connection for further research (via SATA, M.2, USB, etc.) will trigger TRIM activity in the SSD CPU!
  3. The target drive MUST BE SUPPORTED by the PC-3000 SSD. If it’s not supported, we cannot disable the TRIM or prevent the data from being erased.

To demonstrate how it works, let us show you one real-life example. Here we have a no-name (SmartBuy NOVA) drive based on the SM2259XT controller with two NAND chips made by Intel/Micron.

We check the content of this drive, and it is full of user data: some videos, pictures, documents – everything that a typical customer uses daily.

Now, let’s format this drive using Quick Format in Windows.

As you can see, the data is gone.

In the Universal Utility and in the Data Extractor we see only zeroes, because DE uses the native drive translator – and it’s a new one, created after the quick format.

Zeroes instead of data in Universal Utility in LBA 1 232 134

Empty partition after the drive formatting

RAW doesn’t have any old data – just new NTFS records after partition formatting

We don’t have much time now, because the more we scan the drive, the more blocks are erased in the background. We need to hurry and short the drive into SAFE MODE – this trick disconnects the NAND chips from the CPU.

Now, let’s keep the drive shorted, because Silicon Motion and Phison controllers need to be repowered a few times during drive initialization. The SSD has to stay in SAFE MODE the whole time.

Let’s launch the compatible Utility for SM2259XT (for example – Silicon Power) and upload the loader to activate the drive’s extra functions.

Sometimes we need to select the compatible loader manually

When the drive completes initialization, it is possible to launch the translator building process. The drive scans the Service Area, takes the important SA modules that contain information about reallocated, deleted, bad and good sectors, and builds a new translator automatically.

The translator is built. We move on to the Data Extractor and create a new task using the PC-3000 UTILITY as the source.

When everything is ready, before imaging the drive, let’s first check LBA 1 232 134, which was filled with zeroes after the drive format. Now it contains data!

After the translator building, LBA 1 232 134 contains data, not zeroes!

And of course, we have to use RAW recovery to see the files. If we find some, let’s stop the process and start a complete drive image. If the drive runs into trouble later, we will still have a full copy of its content.

Now, in RAW we see a lot of data after scanning just 1 000 000 LBAs!

Sector-by-sector copy to another drive for further analysis
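
The zero check at LBA 1 232 134 and the RAW scan described above can be repeated on image files outside Data Extractor. The following Python is an added example, not ACE Lab code or part of PC-3000; the function names, the 512-byte sector size and the constructed 16-sector sample images are assumptions.

```python
import io

SECTOR = 512  # bytes per LBA, assumed for this example
# A few well-known file headers, checked at sector starts as RAW recovery does.
SIGNATURES = {b"\xff\xd8\xff": "jpeg", b"%PDF-": "pdf",
              b"PK\x03\x04": "zip", b"\x89PNG\r\n\x1a\n": "png"}

def sector_is_zero(img, lba):
    """True if the sector at `lba` exists in the image and is all zeroes."""
    img.seek(lba * SECTOR)
    data = img.read(SECTOR)
    return len(data) == SECTOR and not any(data)

def survey(img, start_lba, count):
    """Scan `count` sectors; return (zero_sector_count, [(lba, file_type)])."""
    zero, hits = 0, []
    img.seek(start_lba * SECTOR)
    for lba in range(start_lba, start_lba + count):
        data = img.read(SECTOR)
        if len(data) < SECTOR:      # end of image reached
            break
        if not any(data):
            zero += 1
            continue
        for magic, kind in SIGNATURES.items():
            if data.startswith(magic):
                hits.append((lba, kind))
    return zero, hits

def recovered_lbas(before, after, start_lba, count):
    """LBAs that read as zeroes in `before` but hold data in `after`."""
    return [lba for lba in range(start_lba, start_lba + count)
            if sector_is_zero(before, lba) and not sector_is_zero(after, lba)]

def make_sample_images():
    """Constructed 16-sector images standing in for the two reads."""
    before = bytearray(16 * SECTOR)             # formatted drive: all zeroes
    after = bytearray(16 * SECTOR)
    after[3 * SECTOR:3 * SECTOR + 4] = b"\xff\xd8\xff\xe0"   # JPEG header
    after[7 * SECTOR:7 * SECTOR + 5] = b"%PDF-"              # PDF header
    after[9 * SECTOR:9 * SECTOR + 4] = b"DATA"               # data, no header
    return io.BytesIO(bytes(before)), io.BytesIO(bytes(after))

if __name__ == "__main__":
    before, after = make_sample_images()
    print("zero sectors before:", survey(before, 0, 16)[0])
    print("zero sectors / hits after:", survey(after, 0, 16))
    print("LBAs with data again:", recovered_lbas(before, after, 0, 16))
```

On real images of equal size, pass files opened with `open(path, "rb")` in place of the constructed `BytesIO` objects.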

When copying is finished, let’s go back to RAW and try to find something useful. As you can see, RAW is full of data! Unfortunately, sometimes the folder structure disappears, because quick formatting overwrites the Zero Block, which includes information about the Master Boot and BOOT sectors. Without this information the file system will be absent.

Result after just 10% of RAW scan – a lot of files are still on the SSD

But Data Extractor is a very powerful tool, and after disk analysis, even after drive formatting, it is possible to find old copies of partitions and recover them. Of course, it’s worse than a complete FS, but much better than just RAW.

So guys, here it is! A large portion of information on how you can use the PC-3000 SSD to prevent the TRIM. Let’s summarize the most critical information one more time:

  • TRIM is switched on by default in every OS and in every SSD since 2010;
  • Data becomes TRIMed from 1 minute to 24 hours (depending on the drive capacity and amount of deleted data);
  • Even a quick format causes the translator to be erased. All data will be displayed as ZEROES in the Data Extractor;
  • The only way to prevent TRIM is to disconnect the drive from the power source or keep it in SAFE MODE permanently;
  • It’s still possible to recover data after deletion or SSD formatting, but the drive must be supported by the PC-3000 SSD!

If you have any questions regarding your data recovery cases, you’re welcome to address them to the Technical Support department.


24 Responses to Digital Forensics: PC-3000 SSD – how to bypass the TRIM

  1. reza farah says:

    Very useful article.

  2. Glen says:

    WOW guys, that’s a very good article! I appreciate the thoroughness of it and detailed explanations. Keep up the good work.

  3. CellSoldiers says:

    That’s really interesting and informative.
    I appreciate this write-up.

  4. CiS says:

    Thanks a lot for this useful & valued info.

  5. cis_rec says:

    What about disabling TRIM via a Windows command? Does it work to recover the data and stop TRIM?

    • ACELab team says:

      The TRIM command is useful for SSD health and your overall system speed. Also, I doubt that customers will switch it off by themselves (just in case they need a recovery) 🙂 It would be much easier for them to make a common data backup.

  6. Hossein Mahmoodi says:

    Hi, I am from Iran.
    Approximately one year ago we got a new HDD model of external Western Digital My Passport which was 2TB. Unfortunately, it was accidentally formatted (that was a quick format, not a full format, in Win 10). There was nearly 400 GB of data on that HDD and, unfortunately, we haven’t got any backup of that HDD. We tried to call many data recovery companies to explain what happened. They said that unfortunately, because of the TRIM feature, it’s impossible to recover any data from this model of WD external HDD. Some of them said that in the future the PC-3000 devices will get updated. Then it will be possible to recover an SSD or even this model of WD My Passport.
    I am so stressed because of the lost data. It’s important to us to recover those files.
    Please help us: what should we do with this HDD?

    • ACELab team says:

      Hello!

      Well, it depends. It is probably possible to recover such a formatted HDD if no more than 1 hour has passed since formatting and the drive was not turned on after that. Otherwise, the chances are going to be closer to zero.

      Anyway, Western Digital My Passport which was 2TB is a trademark of the USB enclosure; it would be good to know the real model name of the drive.

      That allows us to understand whether it’s an SMR or CMR technology drive. Based on that, we can say in more detail what options exist for such a case (if there are any).

      Please note, if the drive was encrypted (if it’s an SED encrypted drive and/or software encryption was used – BitLocker/FileVault and so on), the first thing the OS does after a format is erase the KEY. So even if you know the original user password / RecoveryKey, there is no possibility to regain access to the previously decrypted files, ’cause there is no decryption key for that any more (it is overwritten by a new one).

  7. emir_has says:

    Hi
    Good article!
    I have one question. You said: “Data becomes TRIMed from 1 minute to 24 hours (depending on the drive capacity and amount of deleted data);”

    Does it mean that if the capacity of the SSD is smaller, the TRIMing function will perform faster/earlier than on a drive with bigger capacity?
    Thank you

    • ACELab team says:

      Correct + everything will depend on the amount of data. If you delete all folders and files from a 1TB SSD, TRIM will take more time than erasing a couple of files on a small 128GB drive.

  8. ahmed tantawey says:

    Many thanks for this explanation.

  9. LMAO hope for more memes in the future in the articles haha

  10. pelorustech says:

    What an insightful article! Your explanation of bypassing TRIM with PC-3000 SSD is incredibly helpful. Thanks for sharing this valuable information. Looking forward to more enlightening posts from you. Keep up the great work!

  11. pelorustech says:

    A truly enlightening read! This article on bypassing TRIM with PC-3000 SSD offers clear insights into a complex process. The step-by-step guide is incredibly valuable, showing your expertise in the field. Thank you for sharing this valuable knowledge!

  12. Thank you ACE Lab for such an insightful article!

    Can we use PC3000UDMA for M.2 SSD or do we need to get PC3000 Portable?

    Kindly explain.

  13. pelorustech says:

    I found this article on bypassing TRIM with PC-3000 SSD incredibly informative! The step-by-step guide provided valuable insights into dealing with SSDs effectively. Your expertise in the field of data recovery is evident, and I appreciate your willingness to share this knowledge. Keep up the fantastic work, and thank you for contributing to the digital forensics community!

  14. This blog post on PC-3000 SSD and how to bypass the TRIM is a valuable resource for digital forensics enthusiasts and professionals. It provides essential insights into tackling TRIM, a feature in SSDs that can affect data recovery. The article offers practical guidance, enhancing our understanding of SSD data recovery techniques. It’s a must-read for anyone working in this field.

  15. Athena says:

    Thank you so much. Acelab is the only company in the world to achieve something impossible. Congratulations, Acelab developers.

  16. lifeguard says:

    Appreciation to the ACE Laboratory development team! Your SSD TRIM solution has been instrumental in recovering many cases for us. Keep up the excellent work, and thanks for your continued efforts in advancing data recovery technology.
