Challenges of SSD Forensic Analysis (37p)


Nasir Memon, Polytechnic Institute of NYU

SSD Drive Technology Overview
  SSD Drive Components
    NAND Flash
    Microcontroller
SSD Drive Forensics
  Challenges

Overview
SSDs are fairly new to the market
Whereas HDDs are well understood
SSDs pose new challenges to forensics

Purpose

Understand how SSDs function and understand the challenges of performing a forensics investigation.

Will replace HDD Drives
  Faster reads
  Faster writes
  Are small
  Use less energy
  Create less heat
Are more expensive
  The price has been decreasing

Source: http://www.samsung.com

| Attribute | 2.5" SATA 3.8Gbps SSD | 2.5" SATA 3.8Gbps HDD |
| --- | --- | --- |
| Mechanism type | Solid NAND Flash based | Magnetic rotating platters |
| Density | 64GB | 80GB |
| Weight | 73g | 365g |
| Performance | Read: 100MB/s, Write: 80MB/s | Read: 59MB/s, Write: 60MB/s |
| Active Power Consumption | 1W | 3.86W |
| Operating Vibration | 20G (10~2000Hz) | 0.5G (22~350Hz) |
| Shock Resistance | 1500G for 0.5ms | 170G for 0.5ms |
| Operating temperature | 0°C to 70°C | 5°C to 55°C |
| Acoustic Noise | None | 0.3 dB |
| Endurance | MTBF > 2M hours | MTBF < 0.7M hours |

This can be Operating system File System
  FAT
  NTFS
  Journaling File System
Can be implemented in Hardware or Software
  SSDs do it in hardware (using Micro controller)
  xD Memory Cards (do it in the Driver)
Interface to Hardware through SATA or IDE

Source: https://www.ibm.com/developerworks/linux/library/l-flash-filesystems/

Flash Memory

NOR Flash vs. NAND Flash
MLC vs. SLC
Limited Erase-write cycles
Read accuracy decreases after a certain number of reads.
Implement techniques to overcome technology differences
  COPYBACK (Read accuracy), ECC
  Wear leveling (Limited Erase-write cycles)

[Figures: NAND GATE; NOR GATE]

| | SLC NAND Flash (x8) | MLC NAND Flash (x8) | MLC NOR Flash (x16) |
| --- | --- | --- | --- |
| Density | 512Mb to 4Gb | 1Gbit to 16Gbit | 16Mbit to 1Gbit |
| Read Speed | 24 MB/s | 18.6 MB/s | 103 MB/s |
| Write Speed | 8.0 MB/s | 2.4 MB/s | 0.47 MB/s |
| Erase Time | 2.0 msec. | 2.0 msec. | 900 msec. |
| Interface | I/O indirect access | I/O indirect access | Random access |
| Application | Program/Data mass storage | Program/Data mass storage | eXecute In Place (XIP) |

1. http://www.toshiba.com/taec/components/Generic/Memory_Resources/NANDvsNOR.pdf

MLC vs. SLC, compared on:
  High Density
  Lower Cost Per Bit
  Higher Endurance
  Greater Operating Temperature Range
  Lower Power Consumption
  Better Write/Erase Speeds
  Better Write/Erase Endurance

Implementation Overview

TSOP 48 PINS

LGA-52 PAD

BGA-100

TSOP 48 is most common in most electronics, such as MP3 Players, USB sticks, Solid State Drives, Switches, Routers and the like.

Manufacturers can use any kind of interface that they want, but a group of companies created a consortium for NAND to standardize the industry.
Open NAND Flash Interface Working Group
http://onfi.org/

ONFI Specification 2.1
http://onfi.org/wp-content/uploads/2009/02/onfi-2_1-gold.pdf

  Form Factor
  Memory Addressing
  Pin outs
  Timing
  Command Set
This is good for Forensics Analysis

Pages are the basic programmable units of flash
  512 bytes, but likely 2048 bytes
  16 bytes per 512 bytes for ECC and management
  2048 => 64 bytes
  2112 bytes per page, but only 2048 usable

Blocks are the basic erasable blocks
  Generally 64 pages per block
  2048/64 × 64 bytes (data/spare)
  131072/4096 bytes (data/spare) per block

[Figure: page and block layout. Each 512 bytes of data information (can be addressed by the OS) is followed by 16 bytes of management and ECC (not seen by the OS); a 2048-byte page has 64 such bytes. A flash chip consists of blocks of 64 pages each.]
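
Added example (not from the original slides): a Python sketch that splits a raw NAND chip dump into data and spare areas using the page and block geometry above. It assumes the 64 spare bytes are stored contiguously after each page's 2048 data bytes (controllers may interleave them instead); the function names and the sample dump are constructed for illustration.

```python
# Added illustration: split a raw NAND dump into data and spare (OOB) areas.
# Assumed layout: spare bytes stored contiguously after each page's data.
PAGE_DATA = 2048        # usable bytes per page
PAGE_SPARE = 64         # ECC + management bytes per page (16 per 512)
PAGES_PER_BLOCK = 64

def split_dump(raw, page_data=PAGE_DATA, spare=PAGE_SPARE, ppb=PAGES_PER_BLOCK):
    """Return one record per physical page found in the dump."""
    page_size = page_data + spare
    if len(raw) % page_size:
        raise ValueError("dump length is not a multiple of the raw page size")
    pages = []
    for idx in range(len(raw) // page_size):
        chunk = raw[idx * page_size:(idx + 1) * page_size]
        pages.append({
            "block": idx // ppb,
            "page": idx % ppb,
            "data": chunk[:page_data],
            "spare": chunk[page_data:],
            # Erase sets every bit to 1, so an unprogrammed page is all 0xFF.
            "erased": chunk == b"\xff" * page_size,
        })
    return pages

def data_only(pages):
    """Concatenate the data areas of programmed pages, in physical order."""
    return b"".join(p["data"] for p in pages if not p["erased"])

def make_sample():
    """Constructed sample: 2 blocks, with physical pages 0 and 65 programmed."""
    page_size = PAGE_DATA + PAGE_SPARE
    raw = bytearray(b"\xff" * (page_size * 2 * PAGES_PER_BLOCK))
    for idx, tag in ((0, b"first"), (65, b"second")):
        off = idx * page_size
        raw[off:off + PAGE_DATA] = tag.ljust(PAGE_DATA, b"\x00")
        raw[off + PAGE_DATA:off + page_size] = b"\xaa" * PAGE_SPARE
    return bytes(raw)
```

The data areas come back in physical order; on a wear-leveled drive that is not the logical order the host wrote.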

Reading
  Each read operation introduces a potential error
  After several reads to the same location, there is some chance of error for consecutive reads from that location.

Writing
  Two types of operation to facilitate Writing
    Set all bits to 1 (Erase)
    Set bits from 1 to 0. (Program)
    Cannot set bits from 0 to 1, must reset all bits to one (Erase)
  To write a block, must erase (set all bits to 1), then program (set appropriate bits to 0).
  To rewrite, must always use the erase-program cycle.

Basic Algorithms

Source: Micron TN-29-42: Wear-Leveling Techniques in NAND Flash Devices

Wear leveling helps reduce premature wear in NAND Flash devices.
Each Erase operation reduces life of device and makes it more vulnerable to read decay.
Generally: 10,000 or 100,000 erase cycles
Two primary wear leveling techniques
  static
  dynamic

Spread the drive wear across the entire drive
Ensure that all blocks fail at approximately the same time
Don't allow some of the blocks to fail faster than others.
Causes Severe Fragmentation
Can dramatically reduce read and write speed of sequential reads.

| LBA | PBA |
| --- | --- |
| 0x00000000 | 0x00000000 |
| 0x00000001 | 0x00000001 |
| 0x00000002 | 0x20000002 |
| 0x00000003 | 0x00000003 |
| 0x00000004 | 0x20000004 |
| 0x0FFFFFFD | 0x2FFFFFFD |
| 0x0FFFFFFE | 0x3FF000FE |
| 0x0FFFFFFF | 0x4FF000FF |

Host
  Use Logical Block Addressing (LBA)
Controller
  Has Look Up Table
  Translates between LBA and PBA
NAND Flash
  Uses Physical Block Addressing (PBA)

Dynamic
  When allocating blocks, choose a least erased block from free list

Static
  When allocating blocks, choose a least erased block from free list
  Occasionally
    Move static non-free blocks with low erase count (below a threshold) to a block with a high erase count

Hybrid
  Allocate a portion of the drive for static wear leveling
  Allocate a portion of the drive for dynamic wear leveling

Method: Static
  Advantages
    Maximizes device life
    Most robust wear-leveling method
    Most efficient use of memory array
  Disadvantages
    Requires more controller overhead
    Can slow WRITE operations
    Higher power consumption
    More complicated to implement than dynamic wear leveling

Method: Dynamic
  Advantages
    Improves device life vs. no wear leveling
    Easier to implement than static wear leveling
    No impact on device performance
  Disadvantages
    May not optimize device life

http://www.insidehw.com/Reviews/Storage/Intel-X25-M-SSD.html
Certified for 25 MB/s read speed and 70 MB/s write speed.
MLS SSD standard.
10-channel memory controller. Each channel is responsible for two memory chips.
This controller works like a RAID 0 system but with flash memory.

[Figure: Solid State Drive internal architecture. SATA data interface and SATA power interface; microcontroller; SPI flash cache; NVRAM; permanent storage made up of ten flash chips.]

IO Microcontroller
Intel PC29AS21AA0 (Unknown Chip Specification)
i0837
Description:
  Possibly the Intel 8051 architecture
  Possibly 8 bit architecture
  Possibly like the SST

Flash Storage
Intel 29F32G08CAMCI (Suspected Micron MT29F32G08)
i0838I5 (8/4) [front/back]
i0838I7 (2/6) [front/back]
Description:
  Single Supply 32Gbx8 NAND Flash
  2048 + 64 byte pages (2112)
  64 pages per block
  32 blocks per chip
  (4GB storage with 8-bit access)

SPI Flash Cache

Winbond 25X40AVNIG
Description:
512KB SPI NAND Flash
Serial data access
8x64KB blocks
128x4KB sectors
2048x256B pages
256 pages per block
16 sectors per block

NV RAM
Samsung 843
K4S281632K-UC60
16MB SDRAM

[Figure labels: Serial ATA; Serial ATA Power]

Quick Analysis

Microcontroller
  Likely based on 8051 architecture by Intel
  Probably has Internal ROM

SPI Flash most likely contains either
  ROM
  Tables for keeping track of Wear Leveling.

Flash Storage
  More than likely Intel outsourced from Micron

NVRAM
  Likely used for quick writes or writes to the same blocks.
  A similar setup is recommended by Micron in one of its whitepapers.

IDE interface allows logical data reads, but hides the internal data structures.
Internals not well understood - may contain hidden data useful in forensics.
No accepted standards
  Every manufacturer does what it wants
Manufacturers protect their implementation details to prevent data reads.

Wear leveling algorithms fragment data on the drive, but in an unpredictable way (non-standard)
NAND flash technology in SSDs doesn't allow for the same forensics tricks to be used as with HDDs
  Drive has spare blocks which cannot be read. X25 - 7% to 8%. Even more in enterprise version.
  Mostly no slack space as entire block erased before write
  Garbage collection clears blocks marked for deletion
  Turn the hard drive off to prevent garbage collection

As soon as you do a write, a block gets allocated and always stays allocated.
When you delete a file, it is only "deleted" in the file system, but the hard drive block stays allocated.
The trim command is proposed so that the hard drive microcontroller knows to also deallocate the block (free it.)

Once you DISCARD/UNMAP sector X, the device can return any state on the next read of that sector, but must continue to return that data until sector is rewritten
Latest draft:
  If TPRZ bit set then the return for an unmapped block is always zero.
  If TPRZ isn't set, it's undefined but consistent.
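
Added example (not from the original slides or any vendor's firmware): a toy Python model of the controller look-up table with dynamic wear leveling, TRIM and garbage collection, covering both the wear-leveling slides and the TRIM slides above. It shows why the host's LBA view and a chip-level read differ; the class name, the 4-byte blocks and the TPRZ-set read behaviour are assumptions made for illustration.

```python
# Added illustration: a toy flash translation layer, not any vendor's firmware.
BLOCK = 4                         # constructed 4-byte "blocks" keep the demo readable
ERASED = b"\xff" * BLOCK          # erase sets every bit to 1

class ToyFTL:
    def __init__(self, n_blocks=6):
        self.phys = [ERASED] * n_blocks      # PBA -> raw contents
        self.erase_count = [0] * n_blocks
        self.free = set(range(n_blocks))     # erased blocks ready for allocation
        self.stale = set()                   # superseded blocks awaiting GC
        self.lut = {}                        # look-up table: LBA -> PBA

    def write(self, lba, data):
        # Dynamic wear leveling: take the least-erased block from the free list.
        pba = min(self.free, key=lambda b: (self.erase_count[b], b))
        self.free.remove(pba)
        # Programming can only clear bits (1 -> 0): AND with the erased state.
        self.phys[pba] = bytes(a & b for a, b in zip(self.phys[pba], data))
        if lba in self.lut:
            self.stale.add(self.lut[lba])    # old copy stays on the chip
        self.lut[lba] = pba

    def read(self, lba):
        # Host view through the LUT; unmapped LBAs read as zeros (TPRZ set).
        return self.phys[self.lut[lba]] if lba in self.lut else bytes(BLOCK)

    def trim(self, lba):
        # TRIM: drop the mapping so the controller may reclaim the block.
        if lba in self.lut:
            self.stale.add(self.lut.pop(lba))

    def garbage_collect(self):
        for pba in self.stale:
            self.phys[pba] = ERASED
            self.erase_count[pba] += 1
            self.free.add(pba)
        self.stale.clear()

def demo():
    ftl = ToyFTL()
    ftl.write(0, b"OLD!")
    ftl.write(0, b"NEW!")                    # same LBA, different physical block
    host_view, chip_view = ftl.read(0), list(ftl.phys)
    ftl.trim(0)
    after_trim = (ftl.read(0), list(ftl.phys))
    ftl.garbage_collect()
    return host_view, chip_view, after_trim, list(ftl.phys), ftl.erase_count
```

In the model, the overwritten and trimmed data stays readable at chip level until garbage collection runs, which is the window the slides refer to when they advise powering the drive off.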

Hard to read data off chips directly
Even if you do, hard to make sense of it
Requires some very sophisticated carving technology
Needs to be content based

SmartCarving?
  Recovers multi-fragmented files
  Scales to millions of blocks
  Keys to success:
    Collation
    Matching metrics
    Linear time heuristics for reassembly

For more: www.digital-assembly.com
