Nonvolatile Storage Forensics Flashcards

1
Q

The retention characteristics of magnetic media have been outlined:

A
  • Storage devices should be considered as (networked) computer systems in their own right: they run their own firmware on their own controller
  • Their external interface provides a purely logical view; the internal organisation of the physical on-disk storage is hidden behind it

2
Q

Knowledge of, and the ability to access, the low-level interface of the storage device are important where media have been erased or overwritten at the operating-system level:

A

• Such techniques can be employed even where relatively sophisticated counter-forensic mechanisms were used

3
Q

In case of physical damage, or where attempts at recovery must be made even for overwritten sectors, physical inspection of the storage medium may be needed:

A
  • Data recovery up to spin-stand analysis was described earlier for magnetic media
  • Similar approaches can also be undertaken for optical media; here physically destroyed or erased media can also be partly reconstructed

4
Q

Solid-State Memory Type - SRAM:

A

Static RAM uses bistable latches to store each bit and hence does not need a refresh cycle
• Data is still lost when power is removed, but a battery backup may be sufficient to preserve it
• Faster than dynamic RAM, but each cell is significantly more complex (typically six transistors against DRAM's one transistor plus capacitor)
• Used in caches and for specialised purposes such as multi-ported video RAM, displays and printers
• Of particular forensic interest: configuration memory, buffers

5
Q

Solid-State Memory Type - EPROM:

A

Mainly of historical interest: programmable ROM based on floating-gate field-effect transistors, programmed by applying a higher voltage
• Programmed data can persist for 10-20 years
• Erasing is accomplished by exposure to UV light through a window in the package, which clears the whole device at once

6
Q

Solid-State Memory Type - EEPROM:

A

Electrically erasable programmable ROMs do not require UV exposure
• Originally a generic term, now used mainly to refer to EEPROMs that can be erased byte-wise, as each cell has a separate erase (select) transistor
• Used mainly for small configuration memories
• Data is retained for 10+ years

7
Q

Solid-State Memory Type - FeRAM:

A

Ferroelectric RAM uses a ferroelectric material whose electric polarisation state is retained without power (it is not a magnetic charge)
• Power is only consumed on reading and writing, at similar levels for both, since a read is destructive and must be followed by a write-back
• Main advantages over e.g. Flash memory are fast write speed and lower power consumption

8
Q

Solid-State Memory Type - MRAM:

A

Magnetoresistive RAM is also nonvolatile: a magnetic tunnel junction exhibits a different resistance depending on the relative magnetisation direction of its layers
• While interesting in theory, it is still not deployed at larger scales

9
Q

Ubiquitous variants of EEPROM storage also based on floating-gate transistors:

A
  • Implementation can use standard fabrication equipment and materials
  • Floating gates can hold more than two distinguishable charge levels, allowing multi-level cells
  • NAND and NOR variants

10
Q

NOR Flash has one end of each cell connected to GND and the other to a bit line, so that the cells sharing a bit line act as a NOR gate:

A

Raising a word line to the read voltage results in the bit line being pulled low by that storage transistor if it conducts, i.e. if its floating gate holds no charge

11
Q

Default state for NOR cells is logical 1:

A
  • Setting it to 0 requires an elevated voltage on the control gate and drain to activate the channel from source to drain
  • The current is sufficiently high for electrons to jump across the insulating oxide onto the floating gate: hot-electron injection

12
Q

Erasing a cell (setting it to 1) requires larger voltage of opposite polarity between control gate and source:

A
  • Electrons are removed from the floating gate through quantum (Fowler-Nordheim) tunnelling
  • Unlike programming, this must occur in whole blocks

13
Q

A NAND gate cell connects transistors in series:

A
  • Only if all word lines are pulled high does the bit line get pulled low, as the series string then conducts
  • Groups (strings) are connected externally in array form
  • Reading pulls all word lines of a string high except the one being read; if that cell is erased (logical 1) it conducts and the bit line is pulled low

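The read mechanism of cards 10 to 13 as a small simulation. This is an added example, not code from the flashcard source: the threshold, read and pass voltages are illustrative assumptions rather than datasheet values, and the `leak()` method previews the retention errors of card 18 rather than anything stated on these cards.

```python
"""Toy model of reading one cell in a NAND flash string (added example).

A string is a chain of floating-gate transistors in series between the bit
line and ground.  A cell conducts when its gate voltage exceeds its threshold
V_th; erasing lowers V_th (no charge on the floating gate), programming raises
it.  To read cell i every other word line gets a pass voltage that turns any
cell on regardless of state, and word line i gets a read voltage between the
erased and programmed thresholds; the bit line is pulled low only if the whole
string conducts, i.e. only if cell i is erased.  Voltages are illustrative
assumptions, not datasheet values.
"""

V_READ = 0.0            # selected word line
V_PASS = 5.0            # unselected word lines: above any V_th
V_TH_ERASED = -2.0      # conducts at V_READ -> reads as 1
V_TH_PROGRAMMED = 2.0   # off at V_READ -> reads as 0


class NandString:
    def __init__(self, n_cells):
        self.vth = [V_TH_ERASED] * n_cells      # fresh (erased) string: all ones

    def program(self, i):
        """Raise V_th of cell i (charge injected onto the floating gate)."""
        self.vth[i] = V_TH_PROGRAMMED

    def leak(self, i, delta_v):
        """Retention loss: charge leaking off the floating gate lowers V_th."""
        self.vth[i] -= delta_v

    def erase(self):
        """Erase is block-wide: every cell of the string returns to V_TH_ERASED."""
        self.vth = [V_TH_ERASED] * len(self.vth)

    def conducts(self, gate_voltages):
        # series connection: current flows only if every cell is turned on
        return all(vg > vth for vg, vth in zip(gate_voltages, self.vth))

    def read(self, i):
        """Logical bit of cell i: 1 if the bit line is pulled low (cell erased)."""
        gates = [V_PASS] * len(self.vth)
        gates[i] = V_READ
        return 1 if self.conducts(gates) else 0

    def read_all(self):
        return [self.read(i) for i in range(len(self.vth))]


def demo():
    s = NandString(8)
    s.program(2)
    s.program(5)
    after_program = s.read_all()    # cells 2 and 5 read 0, the rest 1
    s.leak(2, 2.5)                  # V_th of cell 2 drops below V_READ ...
    after_leak = s.read_all()       # ... and it silently reads back as 1: retention error
    s.erase()
    return after_program, after_leak, s.read_all()
```

Note the inversion the model makes visible: an erased cell conducts, pulls the bit line low and reads as logical 1, which is why a freshly erased page reads back as all 0xFF and why programming can only move bits from 1 to 0 until the next block erase.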
14
Q

NAND memory is denser than NOR memory owing to its smaller cell size

A
  • This makes NAND memory preferable for bulk storage
  • The density of NAND at present is about 2x that of NOR memory, as transistors can be placed in series, requiring fewer metal contacts

15
Q

NAND memory has slower random read times as cells are connected in series:

A
  • Where Flash memory is used for program storage, NOR memory is preferred as it has faster access times
  • NAND memory must always be read and programmed in whole pages (and erased in whole blocks)
  • NOR memory can be read in a random-access pattern

16
Q

NAND overwriting and erasing is generally faster than for NOR Flash memory:

A
  • Both NAND and NOR cells have a limited number of program/erase cycles
  • Typically around 100k cycles are supported for single-level cells; multi-level cells tolerate considerably fewer

17
Q

Code execution also differs, as it requires random access patterns:

A
  • NOR memory supports execute-in-place (XIP) access
  • NAND relies on store-and-download (SND) access, where code is copied into RAM before execution, typically a combination of (S)DRAM and NAND flash memory

18
Q

Feature sizes of Flash memory have only been shrinking modestly in recent years; instead manufacturers have focused on 3D structures:

A
  • One of the most common problems of NAND memory are retention errors: charge leaking from the floating gate until a cell reads back in a different state
  • Arrhenius' law shows how high temperature accelerates this: roughly 2 hours at 100°C are the equivalent of a year at 25°C
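The temperature equivalence quoted on this card, worked through with the Arrhenius acceleration factor. This is an added example, not part of the original flashcards; the activation energy of 1.1 eV is the value commonly used for floating-gate retention and is an assumption here, as are the temperatures plugged in.

```python
"""Arrhenius acceleration of charge-loss (retention) errors (added example).

The Arrhenius model says the rate of a thermally activated process scales with
exp(-Ea / (k * T)).  The ratio of the rates at a stress temperature and at the
use temperature is the acceleration factor AF; t hours at T_stress then age a
cell as much as AF * t hours at T_use.  Ea = 1.1 eV below is the value commonly
used for floating-gate data retention; treat it as an assumption and substitute
the vendor's figure where known.
"""
import math

K_BOLTZMANN_EV = 8.617333262e-5  # eV per kelvin
EA_RETENTION_EV = 1.1            # assumed activation energy for charge loss


def acceleration_factor(t_use_c, t_stress_c, ea_ev=EA_RETENTION_EV):
    """How much faster retention loss proceeds at t_stress_c than at t_use_c."""
    t_use = t_use_c + 273.15
    t_stress = t_stress_c + 273.15
    return math.exp(ea_ev / K_BOLTZMANN_EV * (1.0 / t_use - 1.0 / t_stress))


def stress_hours_equivalent_to(use_hours, t_use_c, t_stress_c, ea_ev=EA_RETENTION_EV):
    """Hours at t_stress_c that age a cell as much as use_hours at t_use_c."""
    return use_hours / acceleration_factor(t_use_c, t_stress_c, ea_ev)


if __name__ == "__main__":
    one_year = 365.25 * 24
    print(f"AF(25C -> 100C) = {acceleration_factor(25, 100):.0f}")
    print(f"one year at 25C ~ {stress_hours_equivalent_to(one_year, 25, 100):.1f} h at 100C")
```

With these parameters one year at 25°C comes out at roughly 1.6 hours at 100°C, consistent with the card's rough figure; the same function gives the equivalent for any other temperature, e.g. when judging how much a seized device has aged in a hot vehicle or evidence store.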
19
Q

Flash cells also use multiple voltage levels to store more than one bit per cell:

A
  • This is also affected by temperature, but not every voltage level is affected in the same way
  • Even the error behaviours of different layers and word lines at higher temperatures differ
20
Q

Naïve implementations of file systems intended for disks suffer from a number of drawbacks on Flash:

A
  • Most dramatic is uneven use of storage locations, as frequently rewritten areas such as file-system metadata wear out first
  • Flash storage is also not built up in 512-byte blocks, but in significantly larger erase blocks

21
Q

Impact on File System Architecture:

A
  • Flash storage is built up in large erase blocks, e.g. 128 kBytes
  • Blocks are further divided into pages, e.g. 64 pages of 2 kBytes each
  • To emulate magnetic disks, pages are further divided into 512-byte sector units
  • Each page has a data area and a spare (out-of-band) area for memory management, e.g. 2 kBytes of data and 16 bytes of spare area per 512-byte sector
  • The spare area is not directly accessible through the logical interface and is used for error detection (ECC) and administrative data such as the logical block number, valid/obsolete flags and bad-block markers
22
Q

The properties of Flash memory require the use of a Flash Translation Layer (FTL):

A
  • This translation can occur in the device itself to make it behave like a conventional magnetic disk, as is typically the case for pen drives, memory cards and SSDs
  • Particularly for larger SSDs and for embedded applications such as mobile phones, the adaptation can also occur directly in a flash-aware file system, which then addresses the raw chips
23
Q

The main tasks of Flash Translation Layer (FTL):

A
  • Translation of the large physical erase blocks into smaller virtual sectors/chunks, i.e. mapping logical block addresses to physical pages
  • Providing the appearance of writing in place despite out-of-place writes and wear levelling
  • Performing wear levelling
24
Q

To avoid the cost of erasing small files…

A

The file system uses a log structure: copy-on-write, with free space in large blocks written sequentially

25
Q

The file system is designed to interact with several FTL architectures…

A

Choosing allocation and clean-up algorithms accordingly

26
Q

Similar to other log file systems, this implies that old copies are…

A

Retained deliberately for as long as possible to minimise the cost of cleaning up

27
Q

The cleaning process is triggered on demand or when…

A

The system is idle, compacting storage based on segment age and number of valid blocks

28
Q

Wear Levelling and Garbage Collection - Updating data in Flash memory cannot occur directly but consists of…

A

An erase-write cycle over a larger block: a programmed page cannot be rewritten until its whole block is erased, so the updated data is written to a fresh, already-erased location instead

29
Q

Wear Levelling and Garbage Collection - After copying and updating…

A

The new copy is marked valid and the previous instance invalid, using flags in the spare area

30
Q

Once the number of dead pages in a block reaches a threshold…

A

Remaining live pages are re-written elsewhere and the block is erased so it can be re-used later

31
Q

To avoid premature failure, blocks are managed so they are…

A

Written approximately at the same frequency (wear levelling), this can occur under control of the operating system, or in Flash memory firmware

32
Q

TRIM Operation - Deletion Schematic Steps:

A

1) SSD pages contain no data
2) User writes data to SSD pages
3) User deletes some data. Pages are marked as not in use by the host OS, but the data remains on the SSD
4) The TRIM command tells the SSD controller that the pages contain invalid data. Pages with invalid data are cleaned (erased during garbage collection)
5) Data is written back to SSD memory cells. The invalid data has been cleaned and data can be written to the pages at full speed

33
Q

As performance is affected significantly by fragmented block allocation, re-allocation and re-claiming is often performed aggressively:

A
  • For forensic acquisition of SSDs or devices with a software-controlled FTL, this activity must be deactivated as far as possible (a write blocker stops host writes but cannot stop garbage collection inside the device firmware)
  • For embedded memory such as pen drives, low-level recovery is possible when bypassing the management layer
34
Q

Garbage collection continues in the background even if no write operations occur, as soon as power is applied to a device with a firmware FTL:

A
  • Overwritten instances are then irretrievably lost
  • The GC mechanism effectively causes self-corrosion of court evidence

35
Q

Securely erasing data on SSDs is not straightforward:

A

• Self-encrypting drives (SEDs) are the most reliable approach: erasing the key material ensures the data is no longer readable
• Otherwise the Secure Erase command specified in the ATA standard may not capture all spare capacity, although some manufacturers ensure all blocks are erased
  (whilst faster than for magnetic disks, wiping by overwriting would still be time-consuming)

36
Q

Purely software-based wiping is bound to be highly ineffective:

A
  • Not only are write speeds relatively slow, but FTL activity and the remaining spare flash capacity would likely leave some memory blocks on the disk still holding data
  • When relying on overwriting - unlike for hard disks - multiple passes may be required if it is not the whole drive that is being overwritten
37
Q

Solid state disks will usually rely on the TRIM command supported by all current-generation operating systems:

A
  • The TRIM command informs the SSD that blocks are no longer in use
  • The TRIM mechanism duplicates some effects of garbage collection but causes less wear for the flash cells: the SSD need not preserve the stale contents and is free to erase and re-use the blocks at a convenient time
38
Q

Similar to magnetic disks, Flash memory must apply defect management to ensure continued reliability as devices age - in addition to the dynamic error management highlighted earlier:

A

• Blocks may simply be worn out or have manufacturing defects (the latter are marked bad at the factory)
• Worn-out blocks are typically detected when data in the block shows non-recoverable ECC errors
(any page producing such an error results in the entire block having to be marked bad)

39
Q

Blocks will then be skipped (Skip Bad Block or SBB strategy) or replaced logically from a reserved Reserve Block Area (RBA):

A
  • The exact mechanism is vendor-specific and significantly affects device-internal block allocation
  • In either case hidden protected areas or bad-block management areas can be misused, e.g. to hide data from a logical acquisition
40
Q

Where bypassing the FTL is required or the SSD is damaged, it may still be possible to recover data:

A
  • Common techniques use the JTAG boundary-scan features normally used for testing electronic circuits to drive the flash chip's pins from the board
  • Otherwise forensic analysis may need to resort to chip-off techniques: de-soldering the chips and attaching them directly to test equipment or a NAND reader
41
Q

Even if the chips themselves are damaged, it may still be possible to extract data by re-connecting damaged chip components:

A
  • Conversely, to truly destroy a flash memory array, individual pages must be destroyed reliably
  • For a current (2020) 12nm process, this requires a minimum fragment size of 0.7mm (4kB pages)
42
Q

Particularly for larger SSDs, the speed benefits obtained are derived from parallel writes:

A
  • This implies that an FTL will spread the contents of a larger file across a potentially large number of flash memory chips
  • When bypassing the FTL, e.g. with physical access to individual chips, this hence gives access only to fragments, which must be reassembled from the controller's striping and mapping scheme
43
Q

Implementation of higher-level features will also vary: many SSDs now implement Deterministic Read After TRIM (DRAT) and Deterministic Zeroes After TRIM (DZAT), resulting in…

A

The drive returning fixed data (DRAT) or only zeroes (DZAT) for logical sectors after a TRIM, even if the underlying pages have not actually been erased; the data may still be present physically and only be reachable by bypassing the FTL
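A simulation of the behaviour described in cards 21 to 34 and 43 (out-of-place writes, spare-area valid flags, garbage collection, wear levelling, TRIM and DZAT reads) and of the gap between reading through the FTL and reading the chips directly. This is an added example written for this page, not the algorithm of any real controller; the geometry, the GC trigger and victim policy, and the sample sector contents are all assumptions.

```python
"""Toy page-mapped Flash Translation Layer (added example, not any real controller).
Geometry and policy are assumptions: four erase blocks of four 4-byte pages, each page
with a spare area holding its logical sector number and a valid flag.  Writes go to a
fresh page, GC relocates live pages and erases whole blocks, TRIM drops a mapping, an
unmapped read returns zeroes (DZAT); find_raw() is the chip-off view past the FTL."""

PAGE_SIZE, PAGES_PER_BLOCK, N_BLOCKS = 4, 4, 4
GC_THRESHOLD = 1                 # collect when only this many free blocks remain
ERASED = b"\xff" * PAGE_SIZE     # erased flash reads back as all ones

class Page:
    def __init__(self):
        self.data, self.lsn, self.valid = ERASED, None, False   # lsn/valid = spare area

class Ftl:
    def __init__(self):
        self.blocks = [[Page() for _ in range(PAGES_PER_BLOCK)] for _ in range(N_BLOCKS)]
        self.erase_count = [0] * N_BLOCKS
        self.map = {}                        # logical sector -> (block, page)
        self.free = list(range(N_BLOCKS))    # blocks with no programmed page
        self.active, self.next_page, self.gc_runs = None, PAGES_PER_BLOCK, 0

    def _take_free_block(self):
        # wear levelling: open the free block with the fewest erase cycles
        self.active = min(self.free, key=lambda b: self.erase_count[b])
        self.free.remove(self.active)
        self.next_page = 0

    def _program(self, lsn, data):
        if self.next_page == PAGES_PER_BLOCK:          # active block is full
            if len(self.free) <= GC_THRESHOLD:
                self.garbage_collect()
            if self.next_page == PAGES_PER_BLOCK:
                self._take_free_block()
        pg = self.blocks[self.active][self.next_page]
        pg.data, pg.lsn, pg.valid = bytes(data), lsn, True
        self.map[lsn] = (self.active, self.next_page)
        self.next_page += 1

    def _invalidate(self, lsn):
        if lsn in self.map:
            b, p = self.map.pop(lsn)
            self.blocks[b][p].valid = False            # old copy stays in the chip

    def write(self, lsn, data):
        """No write-in-place on flash: mark the old page stale, program a fresh one."""
        self._invalidate(lsn)
        self._program(lsn, data)

    def trim(self, lsn):
        """Host reports the sector unused: the page is only marked, not erased."""
        self._invalidate(lsn)

    def read(self, lsn):
        """Logical read through the FTL; unmapped sectors read as zeroes (DZAT)."""
        if lsn not in self.map:
            return b"\x00" * PAGE_SIZE
        b, p = self.map[lsn]
        return self.blocks[b][p].data

    def find_raw(self, needle):
        """Chip-off view: every physical page holding needle, mapped or stale."""
        return [(b, p) for b, blk in enumerate(self.blocks)
                for p, pg in enumerate(blk) if pg.data == needle]

    def garbage_collect(self):
        """Relocate live pages out of the stalest block (ties: least erased), erase it."""
        stale = lambda b: sum(pg.lsn is not None and not pg.valid for pg in self.blocks[b])
        victim = max((b for b in range(N_BLOCKS) if b not in self.free),
                     key=lambda b: (stale(b), -self.erase_count[b]))
        live = [(pg.lsn, pg.data) for pg in self.blocks[victim] if pg.valid]
        self._take_free_block()          # GC_THRESHOLD keeps one block spare for this
        for lsn, data in live:
            self._program(lsn, data)
        for pg in self.blocks[victim]:   # whole-block erase: stale copies are gone for good
            pg.data, pg.lsn, pg.valid = ERASED, None, False
        self.erase_count[victim] += 1
        self.free.append(victim)
        self.gc_runs += 1

def overwrite_and_trim():
    """Logical view vs chip-off view before and after one background GC run."""
    ftl = Ftl()
    ftl.write(7, b"EVD1")
    ftl.write(7, b"EVD2")            # "overwrite" lands on a new page
    ftl.write(9, b"SECR")
    ftl.trim(9)                      # deleted by the host
    probe = lambda: (ftl.read(7), ftl.read(9), ftl.find_raw(b"EVD1"), ftl.find_raw(b"SECR"))
    before = probe()
    ftl.garbage_collect()            # e.g. idle GC right after the drive is powered on
    return before, probe()

def churn(n):
    """Rewrite one sector n times: GC kicks in and erases are spread over all blocks."""
    ftl = Ftl()
    for i in range(1, n + 1):
        ftl.write(1, b"W%03d" % i)
    survivors = [i for i in range(1, n + 1) if ftl.find_raw(b"W%03d" % i)]
    return ftl.read(1), ftl.gc_runs, ftl.erase_count, survivors
```

overwrite_and_trim() shows that before GC the logical interface already reports the new data and zeroes for the trimmed sector while both old copies are still present in the chip, and that a single idle GC run removes them for good: the self-corrosion of evidence from card 34. churn() shows GC being triggered by the free-block threshold and the erases being distributed across all blocks, with several superseded copies of the sector still recoverable from the chip at the end. On Linux, hdparm -I reports whether a drive advertises TRIM and deterministic or zeroed reads after TRIM.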