websec.gr logo websec.gr Guides & Defensive Playbooks
Forensics guide

SSD reality: TRIM, carving, and what’s recoverable

Why undelete differs on SSDs, how TRIM changes recovery expectations, and what defenders can still preserve and analyze.

Difficulty: intermediate Time: ~18 min Updated: 2025-12-30

Why SSDs behave differently

SSDs are not “fast HDDs”. They use flash translation layers (FTL), wear levelling, and background garbage collection. That means the blocks you think you are reading are not fixed physical sectors in the same way.

TRIM and garbage collection

TRIM allows the OS to tell the SSD which blocks are no longer in use. The SSD can then erase or recycle them in the background. This improves performance and can improve privacy, but it reduces deep “undelete” capability for forensic recovery.

Forensics implication

If TRIM has run and garbage collection has completed, some deleted data may be unrecoverable, even with advanced tools.

Imaging priority: time matters

On failing SSDs, or when recovery matters, speed matters. The earlier you capture a clean image, the more you can preserve. This is not about bypassing locks. It’s about not letting the hardware erase what might still be present.

Practical steps

  • Stabilize the device and avoid unnecessary writes.
  • Capture an image as early as possible, then work on copies.
  • Document drive health indicators and read errors.
  • Preserve logs that help timelines: OS events, application logs, backups.

What is still recoverable

Recovery depends on many factors: filesystem, encryption state, TRIM usage, wear level, and whether the drive is failing. Even when deleted blocks are gone, other artifacts often remain.

  • Logical recovery: intact files, previous versions, application caches.
  • Backups/snapshots: cloud sync histories, volume snapshots, backup archives.
  • Artifacts: logs, thumbnails, metadata, indices, and document caches.

File carving, realistically

File carving can recover fragments without filesystem metadata, but it is not magic: fragmentation and TRIM can limit results. Treat carving as “best effort”, not guaranteed recovery.

Carving hygiene

  • Carve only on forensic images, not on the original drive.
  • Validate recovered content. Carved files may be partial or misleading.
  • Maintain a clear audit trail: tool version, parameters, outputs.

Common myths

  • Myth: “Deleted always means recoverable.” Reality: on SSDs, often not.
  • Myth: “One tool can recover everything.” Reality: recovery is constrained by physics and firmware.
  • Myth: “TRIM is evil.” Reality: TRIM is good for performance and privacy; it just changes forensic expectations.

References

  • SSD internals: FTL, wear levelling, garbage collection concepts.
  • Forensic methodology: imaging early, analyzing copies, documentation.
  • Backup and snapshot strategy as a recovery multiplier.

Scope note

This guide focuses on defensive hardening and incident readiness. Guidance about hiding wrongdoing, destroying evidence, or evading lawful investigation is intentionally not provided.