Recovering data from USB memory stick

13 Posts
10 Users
0 Reactions
1,284 Views
(@charles1000)
Active Member
Joined: 17 years ago
Posts: 5
Topic starter  

Hello,

is there any software that does not only try to recover files from FAT but also from the underlying file system used on memory sticks? Is wear levelling on flash drives an advantage for forensic analysis?

Regards,

Charles


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

FAT *is* the underlying file system.

What is "wear levelling"?


 ddow
(@ddow)
Reputable Member
Joined: 21 years ago
Posts: 278
 

Wear levelling is the technique that some flash drive makers use to spread the wear on the storage more uniformly. It appears that there is a limit to the number of cycles flash memory can be toggled. Like floppies or tape, a flash drive without levelling would wear out in the first few sectors. Levelling (I believe) uses an internal set of tables to remap how the data would be laid out.

www.sandisk.com/Assets/File/OEM/WhitePapersAndBrochures/RS-MMC/WPaperWearLevelv1.0.pdf


(@nebzor)
New Member
Joined: 17 years ago
Posts: 1
 

From your reputation, I'm sure you must know it under a different name.

Wear leveling, or wear distribution, is distributing usage of the blocks on a device to prevent too many program/erase cycles on one block from rendering that block useless (main use being flash memory) while there are many other less frequently used blocks that could hold the data instead.

Edit: Beaten to it, his sentence sounds a lot better, so listen to him.


Kenmo
(@kenmo)
Active Member
Joined: 18 years ago
Posts: 10
 

This is good information. We're beginning to see more forensic acquisitions from USB flash drives in our environment.


 ddow
(@ddow)
Reputable Member
Joined: 21 years ago
Posts: 278
 

Edit: Beaten to it, his sentence sounds a lot better, so listen to him.

Oops. Thanks.


(@Anonymous)
Guest
Joined: 1 second ago
Posts: 0
 

Take a look at PhotoRec. Many use it for hard disk recovery, but it was first developed for memory sticks.


(@jonathan)
Prominent Member
Joined: 20 years ago
Posts: 878
 

From your reputation, I'm sure you must know it under a different name.

Maybe he does - but the one thing I know for sure is that no-one knows everything in forensics!


(@hunter33)
New Member
Joined: 17 years ago
Posts: 2
 

Levelling (I believe) uses an internal set of tables to remap how the data would be laid out.

This is called a "flash translation layer" (FTL). The FTL hides/remaps bad blocks, and provides wear leveling so that frequently rewritten sectors (like parts of the FAT) wind up on "fresh" blocks instead of being constantly erased and rewritten in-place. It also works around the other limitations of the flash device: pages can only be written N times, erasures must happen 16k/128k at a time, etc.

A brute-force method for extracting the raw flash data could involve opening the thumbdrive, desoldering the flash device, and dumping it out with a programmer. USB thumbdrives tend to use off-the-shelf NAND flash parts from Samsung or other major vendors. So datasheets are available and the protocol is well-known. Many of the ICs I have seen are SOIC form factor so a competent technician could desolder them with no special equipment.

There is probably a way to do this through software as well, although it may vary from vendor to vendor. You can start by reading the USB Mass Storage spec and looking for clues.

Once you have a raw dump, Linux does have at least two FTL drivers that might match the format used by your thumbdrive. Although what might be even more interesting is to look at the raw contents to see a history of what was in the "overwritten" sectors.


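The out-of-place remapping described in the post above, as an added example that is not code from this thread: a toy FTL model whose spare-area layout (logical sector number plus a write sequence number per physical page) is an assumption, not any vendor's format, together with a recovery pass that rebuilds the live logical image from a raw dump and lists the superseded copies of each sector that wear levelling left behind.

```python
# Added example, not code from the thread. A toy flash translation layer
# (FTL): real vendor FTLs and spare-area layouts differ; this one is assumed.
PAGE_SIZE = 16

class ToyNand:
    """Raw NAND model with out-of-place writes. Each physical page holds
    (logical sector number, write sequence number, data); None = erased."""
    def __init__(self, n_pages):
        self.pages = [None] * n_pages
        self.seq = 0

    def write_logical(self, lsn, data):
        """Wear-levelled write: never rewrite in place; stamp the next erased
        page with (lsn, seq). The old copy stays in flash until erased."""
        assert len(data) == PAGE_SIZE
        for ppn, page in enumerate(self.pages):
            if page is None:
                self.seq += 1
                self.pages[ppn] = (lsn, self.seq, data)
                return ppn
        raise RuntimeError("no erased pages left; garbage collection needed")

def rebuild_from_dump(pages):
    """Forensic pass over a raw dump: the live logical image is the highest
    seq per LSN; every lower seq is a superseded copy (overwritten history)."""
    history = {}
    for ppn, page in enumerate(pages):
        if page is not None:
            lsn, seq, data = page
            history.setdefault(lsn, []).append((seq, ppn, data))
    live = {}
    for lsn, versions in history.items():
        versions.sort()
        live[lsn] = versions[-1][2]      # newest copy is what the OS sees
        history[lsn] = versions[:-1]     # stale copies still present in flash
    return live, history

def demo():
    """Constructed scenario: FAT sector updated twice, a file written,
    edited, then 'wiped' with spaces. Returns (live image, stale copies)."""
    nand = ToyNand(8)
    nand.write_logical(0, b"FAT-v1".ljust(PAGE_SIZE))
    nand.write_logical(1, b"report draft 1".ljust(PAGE_SIZE))
    nand.write_logical(0, b"FAT-v2".ljust(PAGE_SIZE))   # FAT rewritten
    nand.write_logical(1, b"report draft 2".ljust(PAGE_SIZE))
    nand.write_logical(1, b" " * PAGE_SIZE)             # "wipe" of the file
    return rebuild_from_dump(nand.pages)

if __name__ == "__main__":
    live, stale = demo()
    for lsn, versions in stale.items():
        for seq, ppn, data in versions:
            print(f"LSN {lsn}: stale copy seq={seq} at page {ppn}: {data!r}")
```

The wiped sector reads as blank through the logical view, while both earlier drafts remain recoverable from the raw dump at their original physical pages.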
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

Wear levelling may cause the effect 'bit toggle' to occur that alters the assigned status of 'saved' data to be assigned as 'deleted' when data are being shifted to different block areas.

Additionally, when you power up devices that use sensitive data handling maintenance, like wear levelling, it may be that the maintenance program, so to speak, kicks in at power up and data are shifted in a way that may completely or partially cover remnants of previously deleted data that are located there.


Page 1 / 2