This Sunday we will unearth one more hidden truth: when a forensic tool shows that there is no data on the storage media, is it telling you the actual truth? In my view, it is NOT.
We all see nothing but ‘0’s in the hex editor and think that there is no data. Most of us as forensic analysts would have closed the case at that point. But let’s dig into the truth. First, I will explain a few concepts.
Nowadays most storage media are Solid State Devices (SSDs), also referred to as flash memory devices, rather than traditional storage devices, which have rotating platters and read/write heads. The solid-state device is a new technology and not an evolution of the traditional hard drive.
Most forensic tools can retrieve deleted content. When content is deleted, the operating system deletes only the pointer to the physical address on the storage media. Hence the content still exists on the storage media and can be retrieved easily by forensic tools using the method of carving.
Read/Write. In solid-state devices, reads and writes follow the concept of pages and blocks. Data is written to pages, and a group of pages is considered a block. Deletion (erase) takes place on a whole block and not on individual pages. This is controlled by the SSD controller.
In the case of SSDs, the host operating system cannot directly access the physical block area and hence does not know the actual location of the stored content. The operating system points to a logical block address, which in turn points to the physical block address; all of this is handled by the SSD controller (refer to the diagram below).
Wear Leveling. To extend the life of SSDs, a process termed wear leveling is used. Data is stored in blocks in SSDs, and each block can tolerate a limited number of erase cycles before becoming unreliable. For example, SLC NAND flash is typically rated at about 100,000 program/erase cycles. In wear leveling, data is arranged so that write/erase cycles are evenly distributed among all the blocks in the storage device. Wear leveling is controlled by the flash controller on the device, which uses a wear-leveling algorithm to determine which physical block is used each time data is programmed. Wear-leveling algorithms distribute write operations randomly in order to minimize the impact of cell aging.
Garbage Collection. The TRIM command (equivalent to delete) is issued to the SSD controller by the operating system when the user deletes a file or formats the storage medium. The background garbage collection procedure that follows occurs at the hardware level within the SSD itself and is called “self-corrosion”.
The forensic software tools we use in our labs ONLY understand the top layer. No tool, whether FTK, EnCase, Nuix, Autopsy, CAINE, etc., looks beneath the application layer. As shown in the diagram above, in the case of flash memory we have the Flash Translation Layer (FTL), which actually determines how the data looks to the user. Until wear leveling/garbage collection happens or the data is overwritten, the data is still there on the flash memory although the forensic tools show that there is no data.
In spite of the forensic tools showing us that there is no data, we can still retrieve the data from the device either by chip-off or by directly reading the NAND/NOR memory. The data retrieved needs to be reconstructed to get the actual contents you are looking for.
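To make the page/block, FTL, wear-leveling and garbage-collection concepts above concrete, here is a toy flash translation layer model. It is an added example written for this post, not code from any SSD vendor, controller firmware or forensic tool. The page size, block geometry, the "lowest erase count" wear-leveling policy and the simplified garbage collector (which only erases blocks holding no valid page and does not relocate live pages) are all assumptions of the model. What it demonstrates is the point of this post: after a TRIM, a read through the controller (what an OS-level forensic tool sees) returns zeros, while a raw dump of the physical pages (what a chip-off or direct NAND read returns) still contains the content until garbage collection erases the block.

```python
"""Toy flash translation layer (FTL) model, constructed for illustration.

Not real controller firmware. Shows why a host-side read returns zeros after
TRIM while the raw NAND pages still hold the content until garbage collection
erases the block, and how a wear-leveling policy picks the next block.
"""
from dataclasses import dataclass, field

PAGE_SIZE = 4            # bytes per page (tiny, for illustration)
PAGES_PER_BLOCK = 4      # assumed geometry
NUM_BLOCKS = 3
ERASED = b"\xff" * PAGE_SIZE   # erased NAND cells read as all ones


@dataclass(eq=False)
class Block:
    pages: list = field(default_factory=lambda: [ERASED] * PAGES_PER_BLOCK)
    valid: list = field(default_factory=lambda: [False] * PAGES_PER_BLOCK)
    next_free: int = 0       # pages in a block are programmed in order
    erase_count: int = 0     # wear indicator used by the leveling policy


class ToyFTL:
    def __init__(self):
        self.blocks = [Block() for _ in range(NUM_BLOCKS)]
        self.l2p = {}        # logical block address -> (block index, page index)

    def _free_blocks(self):
        return [i for i, b in enumerate(self.blocks) if b.next_free < PAGES_PER_BLOCK]

    def _pick_block(self):
        # Assumed wear-leveling policy: among blocks with free pages, use the
        # one with the fewest erase cycles so wear is spread evenly.
        free = self._free_blocks()
        if not free:
            self.garbage_collect()
            free = self._free_blocks()
            if not free:
                raise RuntimeError("device full: no erased pages available")
        return min(free, key=lambda i: self.blocks[i].erase_count)

    def host_write(self, lba, data):
        assert len(data) == PAGE_SIZE
        # NAND is written out of place: the old copy is only marked stale,
        # it is not erased, so it stays physically present on the chip.
        old = self.l2p.get(lba)
        if old is not None:
            ob, op = old
            self.blocks[ob].valid[op] = False
        bi = self._pick_block()
        blk = self.blocks[bi]
        pi = blk.next_free
        blk.pages[pi] = data
        blk.valid[pi] = True
        blk.next_free += 1
        self.l2p[lba] = (bi, pi)

    def host_read(self, lba):
        # What the OS, and any tool reading through the OS/controller, sees:
        # an unmapped LBA is reported as zeros regardless of NAND contents.
        loc = self.l2p.get(lba)
        if loc is None:
            return b"\x00" * PAGE_SIZE
        bi, pi = loc
        return self.blocks[bi].pages[pi]

    def trim(self, lba):
        # TRIM (delete): the controller drops the mapping and marks the page
        # stale. The physical page is untouched until garbage collection.
        loc = self.l2p.pop(lba, None)
        if loc is not None:
            bi, pi = loc
            self.blocks[bi].valid[pi] = False

    def garbage_collect(self):
        # Background GC: erase every block that no longer holds a valid page.
        # Erase works on whole blocks, never on single pages.
        for blk in self.blocks:
            if blk.next_free > 0 and not any(blk.valid):
                blk.pages = [ERASED] * PAGES_PER_BLOCK
                blk.valid = [False] * PAGES_PER_BLOCK
                blk.next_free = 0
                blk.erase_count += 1

    def raw_dump(self):
        # What a chip-off / direct NAND read returns: every physical page,
        # including stale copies the host can no longer address.
        return [p for blk in self.blocks for p in blk.pages]


def demo():
    """Delete a page, then compare the tool's view with the raw NAND view."""
    ftl = ToyFTL()
    secret = b"ABCD"                     # constructed sample content
    ftl.host_write(7, secret)
    ftl.trim(7)                          # user deletes the file
    seen_by_tool = ftl.host_read(7)      # zeros: "no data"
    still_on_nand = secret in ftl.raw_dump()
    ftl.garbage_collect()                # controller's "self-corrosion" runs later
    gone_after_gc = secret not in ftl.raw_dump()
    return seen_by_tool, still_on_nand, gone_after_gc


if __name__ == "__main__":
    print(demo())
```

The `demo()` function returns `(b'\x00\x00\x00\x00', True, True)`: the host-level read shows nothing, the raw dump still contains the content, and only after garbage collection is it really gone. That is also why powering the device on for imaging is risky in this model: any call into `garbage_collect()` (which a real controller schedules on its own) destroys the stale pages a chip-off read would otherwise recover.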
There is a catch here. To retrieve data we have to power on the device, and once the device is powered on the wear-leveling/garbage-collection processes start and data is destroyed. So giving it a power source for imaging is a bad idea, and hence the best way is to do a JTAG/ISP/chip-off.
Chip-off is the last thing you do while carrying out digital forensics. It is a tedious and time-consuming process. It might also damage the chip, and you may lose all the data you are looking for. Therefore it should be the last resort for the forensic analyst.
What I tried to tell you today is that there are a few things beyond the forensic tools which should be known to the forensic analyst.
This write-up was inspired by a talk given by Cindy Murphy, “Digital Forensics Truths That Turn Out To Be Wrong”, at the SANS DFIR Summit 2018.