Live forensics method for acquisition on the Solid State Drive (SSD) NVMe TRIM function

Abstract

SSD currently has a new storage media technology namely Solid State Drive Non-volatile Memory Express (SSD NVMe). In addition, SSD has a feature called TRIM. The TRIM feature allows the operating system to tell SSDs which blocks are not used. TRIM removes blocks that have been marked for removal by the operating system. However, the TRIM function has a negative effect for the digital forensics specifically related to data recovery. This study aimed to compare the TRIM disable and enable functions to determine the ability of forensics tools and recovery tools to restore digital evidence on the NVMe SSD TRIM function. The operating system used in this study was Windows 10 professional with NTFS file system. Typically, acquisition is conducted by using traditional or static techniques. Therefore, there was a need of a technique to acquire SSD by using the live forensics method without shutting down the running operating system. The live forensics method was applied to acquire SSD NVMe directly to the TRIM disable and enable functions. The tools used for live acquisition and recovery were FTK Imager Portable. The inspection and analysis phases used Sleutkit Autopsy and Belkasoft Evidence Center. This research found that in the recovery process of TRIM disabled and enabled, TRIM disabled could find evidence while maintaining the integrity of evidence. It was indicated by the same hash value of the original file and the recovery file. Conversely, when TRIM is enabled, the files were damaged and could not be recovered. The files were also not identical to the original so the integrity of evidence was not guaranteed.