Wednesday, August 3, 2011

SSD - TRIM, Encryption, Formatting and Fragmentation

Operating systems identify solid state drives by querying the drive for its rotational speed. To be precise, this is done by reading the nominal media rotation rate, as described in the AT Attachment 8 ATA/ATAPI Command Set (ATA8-ACS):

Word 217 (nominal media rotation rate):
0000h         Rate not reported
0001h         Non-rotating media (SSD)
0002h-0400h   Reserved
0401h-FFFEh   Nominal media rotation rate in rotations per minute (rpm), e.g. 7200 rpm = 1C20h, 5000 rpm = 1388h, 10 000 rpm = 2710h
FFFFh         Reserved
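To make the table concrete, here is a small Python decoder for word 217, added as an example for this post (it is not code from the post or from any operating system). It assumes the standard 512-byte IDENTIFY DEVICE layout with little-endian 16-bit words; the buffers it decodes are constructed in the script rather than read from a real drive.

```python
import struct

# Word 217 of the IDENTIFY DEVICE data block (ATA8-ACS): nominal media rotation rate.
WORD_NOMINAL_MEDIA_ROTATION_RATE = 217
IDENTIFY_SIZE = 512  # 256 16-bit words


def decode_rotation_rate(word217: int) -> dict:
    """Interpret the raw 16-bit value of word 217 according to the ATA8-ACS table."""
    if word217 == 0x0000:
        return {"kind": "not-reported", "rpm": None}
    if word217 == 0x0001:
        return {"kind": "non-rotating", "rpm": None}  # solid state drive
    if 0x0002 <= word217 <= 0x0400 or word217 == 0xFFFF:
        return {"kind": "reserved", "rpm": None}
    # 0401h-FFFEh: the value itself is the rotation rate in rpm
    return {"kind": "rotating", "rpm": word217}


def rotation_rate_from_identify(identify: bytes) -> dict:
    """Pull word 217 out of a 512-byte IDENTIFY DEVICE buffer (words are little-endian)."""
    if len(identify) != IDENTIFY_SIZE:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    (word,) = struct.unpack_from("<H", identify, 2 * WORD_NOMINAL_MEDIA_ROTATION_RATE)
    return decode_rotation_rate(word)


def is_ssd(identify: bytes) -> bool:
    """True only for the 0001h 'non-rotating media' answer. A drive that reports
    0000h (rate not reported) or a reserved value is NOT treated as an SSD, which
    is the conservative default an operating system should also take."""
    return rotation_rate_from_identify(identify)["kind"] == "non-rotating"


def make_identify(word217: int) -> bytes:
    """Constructed test buffer: every word zero except word 217."""
    buf = bytearray(IDENTIFY_SIZE)
    struct.pack_into("<H", buf, 2 * WORD_NOMINAL_MEDIA_ROTATION_RATE, word217)
    return bytes(buf)


if __name__ == "__main__":
    for value in (0x0000, 0x0001, 0x0200, 0x1C20, 0x1388, 0x2710, 0xFFFF):
        info = rotation_rate_from_identify(make_identify(value))
        line = f"word 217 = {value:04X}h -> {info['kind']}"
        if info["rpm"]:
            line += f", {info['rpm']} rpm"
        if info["kind"] == "non-rotating":
            line += " (SSD)"
        print(line)
```

On a real system the same field is what `hdparm -I` prints as "Nominal Media Rotation Rate" on Linux; the practical consequence of the decoder's conservative branch is that a drive sitting behind a bridge that returns 0000h will be treated as a rotating disk, so TRIM will not be enabled for it automatically.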

If the value 0001h is returned, Windows 7, for example, turns on TRIM support and disables defragmentation. Furthermore, to reduce the frequency of writes and flushes, Windows 7 also disables boot and application-launch prefetching as well as services such as ReadyBoost and SuperFetch. As far as I am aware, Windows XP and Windows Vista cannot differentiate SSDs from hard drives. The following file systems are known to have TRIM support from their respective operating systems: NTFS, HFS+, ext4 and Btrfs. Here I should mention that modern Linux and Apple OS X support TRIM commands as well. TRIM functionality can also be implemented independently of the operating system; O&O Defrag, for example, enables TRIM operations for FAT32- and exFAT-formatted SSDs.

I know that many forensic folks are still wondering how operating systems, file systems and SSD controllers talk to each other to make TRIM work. Louis Gerbarg did an excellent job of explaining and demystifying the process.

It should be noted that Windows 7 sends the TRIM command to the SSD not only when a file is deleted or a partition is formatted, but in several other instances, as described in the Support and Q&A for Solid-State Drives blog post:

"The Trim operation is fully integrated with partition- and volume-level commands like Format and Delete, with file system commands relating to truncate and compression, and with the System Restore (aka Volume Snapshot) feature."

A quick format is all that is required to trigger the TRIM command on an SSD, and all data will be erased (zeroed out). Speaking of formatting, there was not much difference between the Quick and Full format options on pre-Vista Windows machines. The only difference between the two was that a full format also scanned for bad sectors; data could still be recovered from formatted drives. Since Windows Vista, a full format writes zeros over the whole volume, completely destroying the old data. The same applies to Windows 7, and my tests confirmed this.

TRIM can be enabled and disabled manually. In Windows 7, to check the TRIM status, enter the following in a command prompt window run as Administrator:

fsutil behavior query disabledeletenotify

Output:
DisableDeleteNotify = 1   Windows TRIM commands are disabled
DisableDeleteNotify = 0   Windows TRIM commands are enabled

The following command enables TRIM:

fsutil behavior set disabledeletenotify 0

and this one disables it:

fsutil behavior set disabledeletenotify 1
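Because DisableDeleteNotify is a "disable" flag, the 0/1 mapping is easy to get backwards in a triage script. The following Python helper, added here as an example (not from the post or from Microsoft), runs the query and turns the answer into a plain "TRIM enabled?" per file system, which tells an examiner whether deleted data on that volume is likely to have been trimmed. The parser also accepts the one-line-per-file-system form ("NTFS DisableDeleteNotify = 0", "ReFS DisableDeleteNotify = 0") that newer Windows releases print; the sample outputs in the script are constructed, not captured from a machine.

```python
import re
import subprocess

# Windows 7 prints a single "DisableDeleteNotify = N" line; newer releases print one
# line per file system with an "NTFS"/"ReFS" prefix. Any trailing annotation text on
# the line is ignored by the pattern.
_DELETE_NOTIFY = re.compile(
    r"^\s*(?:(?P<fs>NTFS|ReFS)\s+)?DisableDeleteNotify\s*=\s*(?P<val>[01])\b",
    re.MULTILINE,
)


def parse_delete_notify(output: str) -> dict:
    """Map fsutil output to {file_system: trim_enabled}.

    DisableDeleteNotify = 0 means delete notifications (TRIM) are ON,
    DisableDeleteNotify = 1 means they are OFF. A line without a file-system
    prefix is assumed to describe NTFS, the only file system Windows 7 reports on.
    """
    status = {}
    for match in _DELETE_NOTIFY.finditer(output):
        file_system = match.group("fs") or "NTFS"
        status[file_system] = match.group("val") == "0"
    if not status:
        raise ValueError("no DisableDeleteNotify line in fsutil output: %r" % output)
    return status


def query_trim_status() -> dict:
    """Run the query on the local Windows machine (needs an elevated prompt)."""
    completed = subprocess.run(
        ["fsutil", "behavior", "query", "disabledeletenotify"],
        capture_output=True, text=True, check=True,
    )
    return parse_delete_notify(completed.stdout)


# Constructed sample outputs for offline use; not captured from a real system.
WIN7_SAMPLE = "DisableDeleteNotify = 0\n"
NEWER_SAMPLE = "NTFS DisableDeleteNotify = 0\nReFS DisableDeleteNotify = 1\n"

if __name__ == "__main__":
    for label, sample in (("Windows 7", WIN7_SAMPLE), ("newer Windows", NEWER_SAMPLE)):
        for file_system, enabled in parse_delete_notify(sample).items():
            state = "enabled" if enabled else "disabled"
            print(f"{label}: {file_system} TRIM {state}")
```

Call query_trim_status() on the machine under examination to get the live value; the parse function is kept separate so the mapping can be checked against saved console output from another host.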

To my knowledge, TRIM is not yet supported on RAID volumes. Recently there has been some confusion on this topic in relation to Intel Rapid Storage Technology supporting TRIM for RAID volumes. Intel had to publish a correction: TRIM is only supported in AHCI and RAID modes for drives that are not part of a RAID volume.

Not all SSDs support the TRIM command; some manufacturers do not even recommend enabling it. SandForce and OCZ recommend against enabling TRIM in Mac OS (due to Apple's implementation of TRIM) and discourage using TRIM on controllers with internal low-level compression (due to the way such controllers are built and operate).

TRIM and encryption is a topic worth its own cookbook, so I am only going to touch on it lightly. In my previous post I mentioned that Apple OS X Lion “FileVault 2” enables whole-disk encryption. It is certainly a big step forward compared to “FileVault 1”; however, this needs to be clarified a bit. “FileVault 2” is volume-based encryption. For example, NTFS, FAT/FAT32 or exFAT partitions located on the same drive will not be encrypted. A recovery partition also cannot be encrypted by “FileVault 2”. TRIM is believed to be supported on “FileVault 2” encrypted drives. The TRIM command also works on NTFS file systems encrypted with BitLocker and TrueCrypt. TrueCrypt has issued several security warnings in relation to wear-levelling and to the TRIM command revealing information about which blocks are in use and which are not (Trim Operation Link & Wear-Leveling Link). PGP WDE doesn't support TRIM, but I remember someone mentioning that with the CLI it is possible to encrypt only used sectors. It is likely that the same security issue would arise as in the case of TrueCrypt.
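To show what "revealing which blocks are in use" means in practice, here is a toy Python model of an encrypted SSD as seen by someone who images the raw drive without the key. It is an added example, not code from the post, TrueCrypt or PGP. Its assumptions are spelled out in the comments: ciphertext is stood in for by random bytes (no real cipher is involved), and a trimmed sector is assumed to read back as zeros, which is one common controller behaviour but not the only one. It covers both situations the paragraph names: TRIM passed through a whole-volume encrypted drive, and "encrypt only used sectors" without any TRIM at all.

```python
import os

SECTOR_SIZE = 512
ZERO_SECTOR = bytes(SECTOR_SIZE)


class EncryptedSsdModel:
    """Toy model of a full-disk-encrypted SSD from the viewpoint of an observer
    holding a raw image but no key. Random bytes stand in for ciphertext; the
    only thing being modelled is the zero/non-zero pattern across sectors."""

    def __init__(self, sectors, trim_enabled, used_sectors_only=False, initially_used=()):
        self.trim_enabled = trim_enabled
        self.allocated = set(initially_used)
        if used_sectors_only:
            # "Encrypt only used sectors" (as the PGP CLI option is described):
            # free sectors are left untouched, modelled here as zeros on a fresh drive.
            self.image = [os.urandom(SECTOR_SIZE) if i in self.allocated else ZERO_SECTOR
                          for i in range(sectors)]
        else:
            # Whole-volume encryption: every sector, used or not, is overwritten
            # with ciphertext, so nothing distinguishes free from used space.
            self.image = [os.urandom(SECTOR_SIZE) for _ in range(sectors)]

    def write(self, lba):
        """Allocate a sector and store fresh ciphertext in it."""
        self.allocated.add(lba)
        self.image[lba] = os.urandom(SECTOR_SIZE)

    def delete(self, lba):
        """Free a sector; with TRIM enabled the file system passes the deletion
        through and the controller is assumed to return zeros for that LBA
        (read-zero-after-TRIM; an assumption, not true of every controller)."""
        self.allocated.discard(lba)
        if self.trim_enabled:
            self.image[lba] = ZERO_SECTOR

    def sectors_visibly_free(self):
        """LBAs the observer can tell are unused because they read as all zeros."""
        return {i for i, s in enumerate(self.image) if s == ZERO_SECTOR}

    def leaked_fraction(self):
        """Share of the genuinely free sectors that the observer can identify."""
        free = set(range(len(self.image))) - self.allocated
        if not free:
            return 0.0
        return len(self.sectors_visibly_free() & free) / len(free)


if __name__ == "__main__":
    # Constructed scenario: 16-sector drive, a few files written, one deleted.
    for trim in (False, True):
        drive = EncryptedSsdModel(16, trim_enabled=trim)
        for lba in (2, 5, 9):
            drive.write(lba)
        drive.delete(5)
        print(f"whole-volume, TRIM {'on ' if trim else 'off'}: "
              f"visibly free = {sorted(drive.sectors_visibly_free())}, "
              f"leaked {drive.leaked_fraction():.0%} of free space")

    drive = EncryptedSsdModel(16, trim_enabled=False, used_sectors_only=True,
                              initially_used=(2, 5, 9))
    print(f"used-sectors-only encryption, no TRIM: "
          f"visibly free = {sorted(drive.sectors_visibly_free())}, "
          f"leaked {drive.leaked_fraction():.0%} of free space")
```

Without TRIM the whole-volume image is uniformly random and the observer learns nothing about fill level or layout; with TRIM every deleted sector becomes a zero hole that marks where data used to be and how much of the volume is in use, and encrypting only used sectors exposes the entire allocation map from the start, which is why the same concern applies to that PGP option.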