I am a second year student currently on a bachelors degree with focus on forensics. I am currently preparing to write a research based assignment paper about a forensic related topic.
I was intending to write about data recovery of solid state disks and flash memory, in particular focused on NAND flash-based memory.
Initially, I was meaning to write about the fact that the current forensics software only recover data on a logical level, where they handle logical block addresses (LBA).
I conjectured that I might find established forensic software that is already able to extract and carve data on a physical level (pages and erase blocks). I was hoping that I could, in some way or another, compare physical based and logical based forensic software in an attempt to prove that extraction at a logical level is not as effective as physical level extraction of NAND flash, and to suggest that there is a need for a shift towards physical NAND memory extraction.
Having said that, I have found one specific research paper, titled "Forensic Data Recovery from Flash Memory" (http//
Consequently, I was wondering anyone has any personal experience or knowlege with relation to physical, block and page-based NAND flash data recovery? What kind of software do you use in practice. Is there anything more convenient than having to delve into "scary" hardware specifics that you could suggest, which I could then use in my paper. If I don't find anything, I feel forced to change my topic.
Any help would be greatly appreciated.
You have a hit large, and potentially interesting topic.
Flash memory is almost always hidden by a flash controller. The physical memory chips are reasonably standard, but the way they re controlled is very varied. My investigations so far have come across different variations for every chip combination. The simplest is simple data inversion, but some chips place a 'random' XOR pattern over the data which I presume helps reduce long sequences of zeros or ones and so help reduce data wearing.
The mapping of physical to logical adressing seems different on every chip combination. ECC is also very important. To understand a NAND chip ideally you will need to isolate the data areas and interleaved service areas.
One standard tool is PC-3000 flash, but my personal experience with it is that it only covers a small range of possible variations. It may be I have not discovered how to use it correctly, but I typically end up having to write a decode routine for many chips I see. There are other packages, and I am sure other members of this forum may have views on/expence of.
With hard drives, there are many standards because the medium has be transportable. A flash memory chip is never designed to moved anywhere, and so there are no standards. Each manufacturer will work on ways to get the performance they want, in a way they want.
Flash memory will replace rotating magnetic media, in the way disks have moved tape into a niche (although important) market
Have you had a look at soft centre?
http//
If you were looking into Blackberry Nand images, Cellebrite Physical Analyzer works with these very well! Including FTL translation