Security

Using TRIM to Meet Enhanced Business, Security, and Compliance Needs

This article describes a simple, fast, and proven process improvement program called a TRIM check, which enables businesses to meet enhanced business, security, and compliance needs. We have successfully implemented this program at Devolutions, and highly recommend it.

Patrick Pilotte

Hello! My name is Patrick Pilotte, and I am an Operations Security Specialist. I have been in IT since 2007, and worked in a variety of roles including IT technician, network administrator, technical services coordinator, and IT instructor. My current role on the Devolutions Security Team involves analyzing and designing security strategies, as well as providing security recommendations to our staff. I also analyze, prioritize, and resolve vulnerabilities that affect our services and infrastructure. Plus, I educate our teams about security. Outside of work, I enjoy restoring old arcade games and playing golf. I also love supporting my two girls in their hobbies and interests. I would like everyone in our community to know that they can count on me to always do my best, and strive to ensure that Devolutions’ products, services, and infrastructure is safe and secure. You can reach me directly at ppilotte@devolutions.net.

View more posts

What is TRIM?

TRIM is an ATA-interface command. Whenever you use your reader or modify data, the SSD must ensure that any invalid information is deleted, and that space is available for new information to be entered. Essentially, TRIM tells the SSD what data can be erased.

Why is this necessary? Because due to the manner that SSDs read and write information, data isn't actually deleted at a user’s request (even though it seemingly disappears from their document or device). Rather, the section of the SSD that contains the unwanted data is marked as no longer in use. The TRIM command is needed to confirm that the data can be removed. Once this confirmation is made, final deletion is handled by Active Garbage Collection the next time the computer is inactive.

Verification Process

At Devolutions, we have implemented a streamlined and logical verification workflow that involves our IT Team and our Security Team:

  • Our IT Team handles erasing disks and partitions, and then reinstalling Windows. The disks are then handed over to our Security Team.
  • Our Security Team follows-up with an analysis of the work, and verifies that there is no recoverable data. The disks are then returned to the IT team for a reset.

This workflow minimizes the number of tasks and each team’s workload. This is a great example of how security can optimize the performance of a process, without compromising efficiency and productivity.

Validation Process

To ensure that TRIM is active and that the process is working properly, we have created a PowerShell script that is deployed using our MDM. This script creates a recurring validation task from TRIM. After this, we access the logs obtained by our SIEM for analysis.

Picture1.png

The results of this command can be read as follows:

Description
NTFS DisableDeleteNotify = 0 This specifies that SSDs with NTFS has TRIM already enabled.
NTFS DisableDeleteNotify = 1 If the status displays the Value as 1, it states that SSDs with NTFS has TRIM disabled.
NTFS DisableDeleteNotify is not currently set This status illustrates that TRIM support will automatically get enabled when an SSD with NTFS is connected.
ReFS DisableDeleteNotify = 0 The 0 with ReFS denotes that TRIM support is enabled for SSDs with ReFS.
ReFS DisableDeleteNotify = 1 Here the Value 1 with ReFS signifies that TRIM is disabled for SSDs with ReFs.
ReFS DisableDeleteNotify is not currently set This specific result interprets that TRIM support will itself be enabled when an SSD with ReFS is connected.

PowerShell Script

Here is the PowerShell Script that we created, and which we invite you to use in your company:

# Trim Validation

$scriptblock = { 
    param (
        )
    
        function Write-Log {
            [CmdletBinding()]
            param (
                [Parameter(Mandatory)]
                [String]
                $Message,
                [Parameter(Mandatory)]
                [int32]
                $EventID,
                [Parameter(Mandatory)]
                [String]
                $Type
            )
            Write-EventLog -LogName "Windows PowerShell" -Source "TrimPS1" -EventId $EventID -Message $Message -EntryType $Type
        }
        function Get-TrimConfigurationntfs{
           $trimntfs = fsutil behavior query disabledeletenotify ntfs
           $trimntfsvalue = $trimntfs.substring(27,1)
    
           if ($trimntfsvalue -ne "0"){
            $message = "Trim NTFS is inactive" 
            Write-Log -EventId 2 -Message $message -Type "Warning"
        }
    
        else{
            $message = "Trim NTFS is active"
            Write-Log -EventId 0 -Message $message -Type "Information"
        }
    
        }
        function Get-TrimConfigurationrefs{
            $trimrefs = fsutil behavior query disabledeletenotify refs
            $trimrefsvalue = $trimrefs.substring(27,1)
            if ($trimrefsvalue -ne "0"){
                $message = "Trim REFS is inactive"
                Write-Log -EventId 2 -Message $message -Type "Warning"
            }
    
            else{
                $message = "Trim REFS is active"
                Write-Log -EventId 0 -Message $message -Type "Information"
            }
         }
    
        Get-TrimConfigurationntfs
        Get-TrimConfigurationrefs

}
    
##### Section opérationnelle du script #####
function Write-Log {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]
        [String]
        $Message,
        [Parameter(Mandatory)]
        [int32]
        $EventID,
        [Parameter(Mandatory)]
        [String]
        $Type
    )
    Write-EventLog -LogName "Windows PowerShell" -Source "TrimPS1" -EventId $EventID -Message $Message -EntryType $Type
}

$jobname = "Trim-Verification";
$accountId = "SYSTEM";
$task = Get-ScheduledJob -Name $jobname  -ErrorAction SilentlyContinue
New-EventLog -LogName 'Windows PowerShell' -Source 'TrimPS1' -ErrorAction Ignore
if ($null -ne $task){
    Unregister-ScheduledJob $task  -Confirm:$false;
}

try {
    $trigger = New-JobTrigger -Weekly -DaysOfWeek Monday, Tuesday, Wednesday, Thursday, Friday -At "11:00" -WeeksInterval 1 # Vérification du Lundi au Vendredi à 11h
    $options = New-ScheduledJobOption -ContinueIfGoingOnBattery -StartIfOnBattery -RequireNetwork -RunElevated;

    Register-ScheduledJob -Name $jobname -ScriptBlock $scriptblock -ScheduledJobOption $options -Trigger $trigger;

    $principal = New-ScheduledTaskPrincipal -UserID $accountId -LogonType ServiceAccount -RunLevel Highest;
    $psJobsPathInScheduler = "\Microsoft\Windows\PowerShell\ScheduledJobs";
    $someResult = Set-ScheduledTask -TaskPath $psJobsPathInScheduler -TaskName $jobname  -Principal $principal;   

    $message = "Scheduled job ok"
    Write-Log -EventId 65000 -Message $message -type "Information"
}
catch {
    $message = "Unable to setup scheduled job. This is an error"

    Write-Log -EventId 65001 -Message $message -type "Warning"
    
    $task = Get-ScheduledJob -Name $jobname  -ErrorAction SilentlyContinue
    if ($null -ne $task){
        Unregister-ScheduledJob $task  -Confirm:$false;
    }
    exit 1
}

If you use this PowerShell script, then here are the EventIDs to watch for:

  • EventID 0 if the TRIM is active
    • Type information
    • Message TRIM (NTFS/REFS) in active
  • EventID 2 if the TRIM is inactive
    • Type warning
    • Message TRIM (NTFS/REFS) in inactive

Final Thoughts

In our experience, TRIM is an efficient and reliable solution for reducing the number of steps involved in handling hardware for redistribution or sale. Credible third parties also endorse this process. For example:

  • In a YouTube video, data recovery company Data Rescue Labs has stated companies claiming to sell special software for recovering data from SSD that has undergone TRIM are “lying,” and that such claims are “laughable.”
  • R-studio Data Recovery, whose software is well known and specialized in restoring data, has stated: “Data recovery from SSD devices when the TRIM command is used is extremely difficult, and in most cases impossible.’’

Lastly, although we use and endorse TRIM, we nevertheless recommend that you conduct your own research to confirm that this process suits your requirements and goals.

Related Posts

Read more Security posts