2

Is it possible to 'view' the space that TRIM would take care of to see if that space was really wiped? I am using both Windows and Linux.

userman48
  • Yes, it can be done with a hex editor or forensic tools to examine unallocated, or deleted, files. Depending upon the system, the TRIM function may not run against the deleted files for quite some time, as in a few minutes to many minutes. – user10216038 Oct 16 '20 at 04:38
  • Note also that if you are using whole disk encryption on a solid state drive, TRIM use can cause artifact holes. Commonly whole disk encryption initializes the drive to random data. A mount of the encrypted drive is virtual in that the encrypted data is read and written on the fly to appear decrypted virtually. TRIM functions below the OS level and will result in blocks of zeroes, or ones, appearing in the encrypted disk. – user10216038 Oct 16 '20 at 17:05

1 Answer

1

TRIM is handled internally by the SSD controller. There aren't any standard ATA commands to obtain this information, and if there are vendor-specific commands, it's unlikely they are documented.

A simplified example of TRIM:

  1. The OS writes some data to the disk at location 0. At this point, the OS can read the data back whenever it needs to.
  2. The OS no longer needs this sector, so it marks it as unused with the TRIM command. The OS can no longer read the data back; the drive controller won't return it.
  3. If you were able to inspect the memory chips (and make sense of their contents) the data would still be present at this point.
  4. The drive is now free to erase the data as part of internal maintenance. This process is slow, and can only be done a limited number of times.
  5. If you were able to inspect the memory chips this information would now be gone.

Control of step 4 is entirely internal to the disk. It may happen nearly immediately, or it may be some minutes (or longer) until the drive conducts background operations. This will be vendor-specific and likely drive-specific. However, from the operating system the data is unavailable immediately after step 2.

It's important to note that TRIM is a block-level command and does not relate to files. The OS doesn't delete one file using TRIM; it deletes an entire disk block. When this happens will depend on the type of filesystem and the OS. Depending on how the filesystem stores data, it may take considerable time before a whole block is ready to be erased. Therefore it's still possible to obtain fragments of files, deleted files, and old versions of data from an SSD.

The OS could of course read all sectors starting at 0, ending at the last one. However, only current data will be read. Any sectors that have been released to the disk with TRIM will not be returned and are effectively lost.

Does this mean disk forensics is dead? Absolutely not. There is still plenty of useful evidence in file system structures, sectors which have not been overwritten, etc.

David
  • You are mixing the concepts of unallocated, i.e. deleted, files that have been wiped by the TRIM function, with the concept of SSD Wear Leveling. The two concepts are entirely different. – user10216038 Oct 16 '20 at 04:33
  • Thanks @user10216038, I have simplified the answer to only talk about TRIM as per the question. – David Oct 16 '20 at 08:01
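The inspection the first comments describe (looking at raw blocks for runs of zeroes or ones, such as the holes TRIM leaves in an encrypted volume) can be scripted instead of paged through in a hex editor. This is an added example, not code from the original posts; the 4096-byte scan granularity, the function names and the sample image are assumptions constructed for illustration.

```python
import io
import sys

BLOCK = 4096  # assumed scan granularity; not taken from the page

def classify(block):
    """Label one block: 'zero', 'ones', or 'data'."""
    if block.count(0) == len(block):
        return "zero"
    if block.count(0xFF) == len(block):
        return "ones"
    return "data"

def scan_runs(stream, block_size=BLOCK):
    """Return [(offset, length, kind)] for consecutive blocks of the same kind."""
    runs = []
    offset = 0
    while True:
        block = stream.read(block_size)
        if not block:
            break
        kind = classify(block)
        if runs and runs[-1][2] == kind:
            start, length, _ = runs[-1]
            runs[-1] = (start, length + len(block), kind)
        else:
            runs.append((offset, len(block), kind))
        offset += len(block)
    return runs

def holes(runs, min_bytes=BLOCK):
    """Runs of constant fill at least min_bytes long: candidate trimmed ranges."""
    return [r for r in runs if r[2] != "data" and r[1] >= min_bytes]

def constructed_image():
    """Constructed sample: pseudo-ciphertext with one zero hole and one 0xFF hole."""
    noise = bytes((i * 131 + 7) % 251 + 1 for i in range(BLOCK))  # never all-0 or all-FF
    return noise * 2 + bytes(BLOCK * 3) + noise + b"\xff" * BLOCK + noise

if __name__ == "__main__":
    # With a path argument, scan that raw image (opened read-only); else the sample.
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else io.BytesIO(constructed_image())
    with src:
        for start, length, kind in holes(scan_runs(src)):
            print(f"{kind:5} offset={start:#x} length={length}")
```

On a volume that was initialized to random data, constant-fill runs stand out; on an unencrypted filesystem a zero run can equally be space that was never written, so it is only a candidate for a trimmed range.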