At the end of 2010, Graeme Bell and Richard Boddington published online the paper “Solid State Drives: The Beginning of the End to Existing Forensic Data Recovery Techniques?”. Although the feature of solid-state drive operation discussed in this article was first announced at the DEFCON 16 conference in 2008, investigated by Microsoft and presented at a conference of storage developers in 2009 [1, slide 6], and even mentioned at Russian seminars in 2010 [2, slides 10 and 11], recognition of the problem and serious discussion of these features in the forensic community only took place in March 2011.
In this article I will try to describe the operating features of flash-memory-based storage media through the prism of computer forensics.
Briefly about computer forensics
The main focus of computer forensics is the examination of machine-readable media with the aim of producing forensic evidence (conducting forensic computer and computer-technical examinations) and collecting operational information that is not used as evidence in court. Conventionally, computer forensics may also include related areas in which the examination of computer information plays an important role: the investigation of information security incidents in organizations, the examination of storage media for military (combat) purposes, etc.
Since a forensic examination of machine-readable media is in many cases carried out to obtain forensic evidence, the method of conducting such examinations must allow the results to be verified by repeating the examination (this requirement is fixed in article 57 of the Criminal Procedure Code of the Russian Federation: “the expert is not entitled ... without the permission of the inquiry officer, investigator or court to conduct research that may entail the complete or partial destruction of objects or a change in their appearance or basic properties”). With regard to the examination of computer information, the requirement of repeatability of results is expressed as ensuring the immutability of the information (although some researchers prefer the term "integrity of information") by various means:
- software write blockers, which block any write commands sent to the examined storage medium by the operating system (on Linux, a software write blocker can be a loop device created in read-only mode using “mount -o ro,loop /dev/<device> <mount point>”);
- hardware write blockers, which perform the same function but do not require the installation of any software (put simply: intermediary devices placed between the computer and the storage medium that filter the commands passed through);
- specialized operating systems that do not send write commands to connected media while booting and running.
The development of computer forensics in the initial stage
The development of forensic computer examination methods can be characterized by the following trends:
- confirmation of the immutability (integrity) of the examined data by cryptographic hash functions;
- ensuring the immutability of the examined data by the mandatory use of write blockers or by examining forensic copies of storage media created by copying the contents of one medium to another (such copies are sometimes called bitwise or sector-by-sector copies);
- popularization of these trends and their fixation in the methods of conducting forensic examinations.
It is not difficult to see that the development of computer forensics has been shaped by the static nature of the contents of machine-readable media, which can be expressed as a simple principle: “data is changed only by a command”. This principle holds for floppy disks, hard disk drives and other “traditional” media types, and a change in the contents of such media without a command should be regarded as a malfunction (the appearance of bad sectors).
Of course, changes to service data (SMART parameters) are not a serious problem, since such service information is rarely used in forensics to solve any problems (and changing it is not considered critical, unlike changes to file systems).
The development of flash memory through the prism of forensics
The mass use of flash memory in removable and non-removable computer storage media became possible after solving the problem of flash memory cell wear, which limits the number of possible erase (rewrite) cycles of individual memory blocks and significantly reduces the flash memory resource because data is written unevenly by common file systems (some parts of the data are overwritten far more often than others).
To solve this problem, flash memory manufacturers began to use wear leveling, which consists in moving data from the most worn memory areas to less worn ones. This process can be performed at the file system level or at the controller level: in the first case, the data is redistributed by the driver of a special file system; in the second case, the data is redistributed by the controller of the storage medium transparently to the operating system (the controller provides the necessary byte order on reading, that is, it recreates the original data structure using a table mapping logical memory addresses to the physical positions of memory cells).
Flash memory whose wear leveling requires installing an additional driver and using a special file system never became widespread among ordinary users, so controller-level wear leveling algorithms are the ones most commonly used.
Thus, even when working with flash memory in “read only” mode, the controller constantly redistributes data. However, this process is completely transparent to the operating system and to readers, so there would be no particular difficulty in conducting forensic examinations of flash memory (the data is redistributed at the physical level, but at the logical level it is static) if it were not for two big BUTs:
- USB flash drives sometimes do not electrically connect blocks of memory cells until the first write command to these blocks [4];
- effective wear leveling requires additional (spare) memory areas, for which it is convenient to use the free (unallocated) parts of file systems.
The first “but” means that when the unwritten parts of a USB flash drive are read, random data (noise) is returned, which, as should be expected, changes with each reading.
The second “but” led solid-state drive (SSD) manufacturers to the (already solved) problem of detecting and using the free (unallocated) parts of file systems for wear leveling.
These features are a serious violation of the “data is changed only by a command” principle on which modern computer forensics is based. Moreover, using the free (unallocated) portions of file systems, which contain deleted files and data from previous file systems, for wear leveling results in serious data recovery problems (since the controller erases a free portion before using it, deleted data is destroyed in a way inherently similar to the overwriting of files by wiping programs).
How does flash wear leveling work using unallocated file system space?
The simplified algorithm can be described in a few lines: flash memory cells that correspond (at the logical level) to data areas not used by the file system to store information in explicit form are erased and the references to them are removed (i.e., the operating system can no longer read the contents of these cells by reading the corresponding data areas); the cells are then used to reallocate data at the physical level. If at the moment of erasure the cells contained fragments of deleted files or of previous file systems, this data is lost irretrievably (overwritten).
In this case, the most interesting part is how the flash drive controller detects the free portions of file systems:
- detection via the ATA TRIM command [3]: an operating system that supports this ATA command automatically sends information about unused data areas to the controller when files are deleted or a volume is formatted, and the controller can use this information for wear leveling;
- detection by the flash drive controller processing file system structures: the controller reads the stored data without involving the operating system, parses the structures of the most common file systems (for example, FAT), and identifies unallocated data areas that can be erased and used for wear leveling.
It should be noted that this method of wear leveling is not used in modern USB flash drives, but only in solid-state drives.
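To make the behaviour described above concrete, here is an added example (not code from the original article or from any real controller): a toy flash translation layer that writes to fresh pages, tracks superseded pages as stale, accepts TRIM from the host, and runs a background cleanup that relocates live pages and erases blocks on its own initiative. The demo images the same toy drive twice with no host writes in between and shows that the logical hash changes, that a chip-off read still contains the deleted data before cleanup but not after, and that never-written sectors can return changing noise (the first “but” above). The geometry, the class and function names, and the assumption that the controller handles TRIM lazily are all constructed for this example.

```python
import hashlib

# Constructed toy geometry (an assumption for this example): 4 blocks of 4 pages,
# 16-byte pages, 8 logical sectors. Real devices are orders of magnitude larger.
PAGE_SIZE = 16
PAGES_PER_BLOCK = 4
BLOCKS = 4
LBA_COUNT = 8


class ToyFTL:
    """Toy flash translation layer, not any real controller's firmware.
    Writes land on a fresh page, the superseded page becomes stale, TRIM marks
    sectors free, and a background task relocates live pages and erases stale
    blocks. Lazy TRIM handling is an assumption; some controllers zero at once."""

    def __init__(self, noise_on_unmapped=False):
        self.nand = [[None] * PAGES_PER_BLOCK for _ in range(BLOCKS)]
        self.erase_count = [0] * BLOCKS
        self.l2p = {}          # logical sector -> (block, page)
        self.stale = set()     # physical pages whose contents are superseded or freed
        self.trimmed = set()   # sectors the host declared unused, not yet reclaimed
        self.noise_on_unmapped = noise_on_unmapped
        self.reads = 0

    def _free_page(self, exclude=None):
        # Wear leveling: hand out pages from the least-erased block first.
        for b in sorted(range(BLOCKS), key=lambda i: self.erase_count[i]):
            if b == exclude:
                continue
            for p in range(PAGES_PER_BLOCK):
                if self.nand[b][p] is None:
                    return b, p
        raise RuntimeError("no free page: garbage collection required")

    def write(self, lba, data):
        b, p = self._free_page()
        self.nand[b][p] = data.ljust(PAGE_SIZE, b"\x00")[:PAGE_SIZE]
        if lba in self.l2p:
            self.stale.add(self.l2p[lba])   # old copy stays in NAND until erased
        self.l2p[lba] = (b, p)
        self.trimmed.discard(lba)

    def read(self, lba):
        self.reads += 1
        if lba in self.l2p:
            b, p = self.l2p[lba]
            return self.nand[b][p]
        if self.noise_on_unmapped:
            # Some USB sticks return changing noise for never-written cells;
            # a read-counter-seeded digest stands in for that here.
            return hashlib.sha256(b"noise%d" % self.reads).digest()[:PAGE_SIZE]
        return b"\x00" * PAGE_SIZE

    def trim(self, lbas):
        # Host says "these sectors hold nothing"; nothing is erased yet.
        self.trimmed.update(lba for lba in lbas if lba in self.l2p)

    def background_gc(self):
        """Runs on the controller's own initiative, with no host command."""
        for lba in list(self.trimmed):
            self.stale.add(self.l2p.pop(lba))
        self.trimmed.clear()
        for b in range(BLOCKS):
            used = [p for p in range(PAGES_PER_BLOCK) if self.nand[b][p] is not None]
            if not any((b, p) in self.stale for p in used):
                continue
            for p in used:
                if (b, p) not in self.stale:           # live data: move it elsewhere
                    lba = next(l for l, loc in self.l2p.items() if loc == (b, p))
                    nb, np_ = self._free_page(exclude=b)
                    self.nand[nb][np_] = self.nand[b][p]
                    self.l2p[lba] = (nb, np_)
            self.nand[b] = [None] * PAGES_PER_BLOCK   # block erase: contents gone
            self.erase_count[b] += 1
            self.stale.difference_update((b, p) for p in used)

    def logical_image(self):
        """What an imager behind a write blocker sees."""
        return b"".join(self.read(lba) for lba in range(LBA_COUNT))

    def physical_dump(self):
        """What a chip-off read sees: every programmed page, mapped or stale."""
        return b"".join(pg for blk in self.nand for pg in blk if pg is not None)


def demo():
    """Two acquisitions of the same drive with no host writes in between."""
    ssd = ToyFTL()
    for lba, tag in enumerate([b"FILE-A-0", b"FILE-A-1", b"FILE-B-0", b"FILE-B-1"]):
        ssd.write(lba, tag)
    ssd.trim([2, 3])                      # OS deleted FILE-B and sent TRIM
    h1 = hashlib.sha256(ssd.logical_image()).hexdigest()
    phys_before = ssd.physical_dump()
    ssd.background_gc()                   # controller cleans up on its own
    h2 = hashlib.sha256(ssd.logical_image()).hexdigest()
    phys_after = ssd.physical_dump()
    return {
        "hash_changed_without_writes": h1 != h2,
        "deleted_data_in_chipoff_before_gc": b"FILE-B-0" in phys_before,
        "deleted_data_in_chipoff_after_gc": b"FILE-B-0" in phys_after,
        "deleted_sector_reads_zero_after_gc": ssd.read(2) == b"\x00" * PAGE_SIZE,
    }
```

Calling demo() returns a dictionary in which the first three keys are True, True, False: the write blocker stopped no host command, yet the second image hashes differently, and the deleted file survives only in the physical dump taken before the controller's cleanup. Constructing ToyFTL(noise_on_unmapped=True) and reading an unmapped sector twice returns two different values, which is why a hash of a USB stick's logical image cannot be expected to be repeatable either.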
And how does this threaten computer forensics?
From the above principles of flash wear leveling, two conclusions can be drawn:
- the contents of flash memory can change at the logical level even when the storage medium is connected through a write blocker or its file systems are mounted in read-only mode;
- solid-state drives that detect and use the free (unallocated) space of file systems on their own cause the rapid destruction of deleted data.
These lead to the following general principles of forensic work with flash memory:
- hash functions cannot be used to confirm the immutability (integrity) of the contents of flash drives;
- the use of software and hardware write blockers does not ensure the immutability (integrity) of the examined data when working with flash drives;
- recovering deleted data from SSDs can be difficult;
- the only way to guarantee the immutability of the contents of flash memory during an examination is to desolder the memory chips and read them directly, followed by software reconstruction of the data using specialized hardware and software data recovery systems.
Links
- [1] Neal Christiansen. ATA Trim/Delete Notification Support in Windows 7 (PDF).
- [2] Maxim Sukhanov. Problems of computer forensics and how to solve them (PDF).
- [3] Data Set Management Commands Proposal for ATA8-ACS2 (DOC).
- [4] Dominic Weber. Flash drives and acquisition.