EXT2 Help

Ubuntu 14.04 did not work, and I saw the behavior that was described at the beginning of the post...

Not necessarily. Most SSDs support block discard (also known as trim). If your kernel mounts the device with "discard" set, the underlying storage may zero out the discarded blocks.

Some VMs implement "thin provisioning" and use block discard (trim) as a way of recovering deleted space. So you could see all zeros on deleted blocks under a VM.

For example:
# mount
/dev/mapper/root_vg-root_lv on / type ext4 (rw,noatime,barrier=1,discard)

and:
# dmesg | egrep -i "discard|trim"
[ 2.075455] ata1.00: Enabling discard_zeroes_data
[ 2.083786] ata1.00: Enabling discard_zeroes_data
[ 2.092122] ata1.00: Enabling discard_zeroes_data
[ 9.450814] EXT4-fs (dm-0): re-mounted. Opts: barrier=1,discard

Correct me if I'm wrong, but trim zeros out the bits in the data blocks on the disk. Right? This enables faster writes next time data needs to be written to that block. What I am seeing is that when a file gets deleted the pointer to the data block gets zeroed.

Yes, if block discard (trim) is enabled the storage can discard sectors containing a file's data on delete. This helps flash drives maintain performance and longevity (through improved wear levelling). It's also useful for space reclamation in thin provisioned storage (and VM virtual "thin" storage). The downside is deleted data can never be recovered.

But, what you're saying is the inode meta-data is being zero'd? That's probably a question for filesystem gurus.

This thread from the past might be relevant. Ext2 zeros inode in directory entry when deleting files.

I'd also ask in the "ext3-users" or "ext4 developers" mailing list: https://ext4.wiki.kernel.org/index.php/Mailinglists

Also, beware of using tools like SleuthKit on a mounted filesystem (or filesystem image). The kernel caches meta-data for mounted filesystems, so reading behind its back with other tools may give strange results. What I'm really saying is you should unmount the fs after creating the test file but before doing forensics, and again unmount it after deleting the test file. This is the only way to ensure what you're reading is consistent.

Anyway, good luck! Sounds like an interesting project!
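
A check for the "discard" mount option discussed in this thread, as an added example that is not from any of the posters: it reads a mount table in /proc/mounts format and lists the filesystems mounted with discard. The function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example: find filesystems whose mount options include "discard".
# Input format is that of /proc/mounts:
#   device mountpoint fstype options dump pass

# Print "device mountpoint fstype" for every entry mounted with discard.
discard_mounts() {
    # Split the option field on commas and compare whole tokens, so that
    # "nodiscard" is not mistaken for "discard" by a substring match.
    awk '{
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++)
            if (opts[i] == "discard") { print $1, $2, $3; break }
    }'
}

# Exit status 0 if mountpoint $1 is mounted with discard, 1 otherwise.
# The mount table is read from stdin.
has_discard() {
    discard_mounts | awk -v mp="$1" '$2 == mp { found = 1 } END { exit !found }'
}

# Constructed sample table (not captured from a real system).
SAMPLE_MOUNTS='/dev/mapper/root_vg-root_lv / ext4 rw,noatime,barrier=1,discard 0 0
/dev/sdb1 /mnt/test ext2 rw,relatime 0 0
/dev/sdc1 /mnt/evidence ext4 ro,nodiscard 0 0'

printf '%s\n' "$SAMPLE_MOUNTS" | discard_mounts

# On a live system:
#   discard_mounts < /proc/mounts
#   lsblk --discard    # shows whether each device advertises discard support
```

An empty result does not rule out discarded blocks: a filesystem mounted without the option can still be trimmed in batches with fstrim.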