Descrambling data on solid-state disks by reverse ...

Digital Investigation 12 (2015) 77–87

Contents lists available at ScienceDirect

Digital Investigation journal homepage: www.elsevier.com/locate/diin

Descrambling data on solid-state disks by reverse-engineering the firmware

Li Zhang a,b, Shen-gang Hao a,*, Jun Zheng b,c, Yu-an Tan b,c, Quan-xin Zhang b,c, Yuan-zhang Li b,c

a Department of Computer and Information Technology, Nanyang Normal University, Nanyang, PR China
b School of Computer Science and Technology, Beijing Institute of Technology, Beijing, PR China
c Beijing Engineering Research Center of High Volume Language Information Processing and Cloud Computing Application, Beijing Institute of Technology, Beijing, PR China

Article info

Article history: Received 19 December 2012; Received in revised form 8 December 2014; Accepted 17 December 2014; Available online 23 February 2015

Abstract

Data recovery is an important component of digital forensic research. Although recovering data from hard drives or small-scale mobile devices has been well studied, solid-state disks (SSDs) have a very different internal architecture and some additional functions, and it is not clear whether these differences affect data recovery. Data scrambling is an additional function of an SSD controller that can improve data reliability but makes data recovery difficult. In this research, dedicated flash software is first introduced that can acquire the physical image of an SSD without destroying the device hardware. Based on this software, a validation experiment is presented to evaluate the effect of data scrambling on data recovery, and the causes of the effect are analyzed. Then two approaches to descrambling the data in the flash chips are proposed and their advantages and disadvantages discussed. After that, a procedure is described for identifying the scrambling seeds that are used to descramble the scrambled data. Finally, descrambling software was implemented based on the second descrambling method. The experiment shows that this software can successfully descramble the data from an SSD flash drive regardless of the internal structure of the scrambler in the SSD controller and can generate an unscrambled physical image on which most existing data-recovery techniques can be effective.

© 2015 Elsevier Ltd. All rights reserved.

Keywords: Solid-state disks; Digital forensics; Data scrambling; Physical image; Data recovery

* Corresponding author. E-mail address: [email protected] (S.-g. Hao). http://dx.doi.org/10.1016/j.diin.2014.12.003 1742-2876/© 2015 Elsevier Ltd. All rights reserved.

Introduction

Data recovery is an important issue in the field of digital forensics. With the proliferation of NAND flash memory devices such as USB flash drives, mobile phones, and media players, data recovery from flash memories has been a hot topic in forensics research. Compared with small-scale digital devices such as USB flash drives and mobile phones, solid-state disks (SSDs) have higher density and more complex data organization of flash memory (Gray and Fitzgerald, 2008), so the existing methods of data recovery from small-scale flash memory devices (Breeuwsma et al., 2007; Luck and Stokes, 2008; Klaver, 2010) do not apply to SSDs. However, only a few papers in the literature have discussed data recovery on SSDs. For example, King and Vidas (2011) discussed problems with SSDs that may be encountered by forensic investigators and experimentally analyzed the effect of the ATA8 TRIM command on data recovery from an SSD. The results showed that most data were not recoverable from SSDs with TRIM because the TRIM command can sanitize deleted files. Another related study (Wei et al., 2011) experimentally tested common whole-drive sanitization and single-file sanitization techniques on SSDs. Their findings showed that it is possible to recover data from SSDs after these sanitization techniques have been applied, because of the complexity of SSD flash translation layers (FTLs).

SSDs depend on NAND flash memory chips to store data. However, NAND flash memory has an unfortunate property called cell-to-cell interference (Robert, 2012), which means that programming and reading a cell can disturb the contents of neighboring cells (see Fig. 1). This leads to random bit errors in stored data. With increasing SSD storage capability, smaller-dimension NAND flash memories (