Improving the reliability of chip-off forensic analysis of NAND flash memory devices

Aya Fukami, Saugata Ghose, Yixin Luo, Yu Cai, Onur Mutlu

Research output: Contribution to conferencePaperpeer-review

Abstract

Digital forensic investigators often need to extract data from a seized device that contains NAND flash memory. Many such devices are physically damaged, preventing investigators from using automated techniques to extract the data stored within the device. Instead, investigators turn to chip-off analysis, where they use a thermal-based procedure to physically remove the NAND flash memory chip from the device, and access the chip directly to extract the raw data stored on the chip. We perform an analysis of the errors introduced into multi-level cell (MLC) NAND flash memory chips after the device has been seized. We make two major observations. First, between the time that a device is seized and the time digital forensic investigators perform data extraction, a large number of errors can be introduced as a result of charge leakage from the cells of the NAND flash memory (known as data retention errors). Second, when thermal-based chip removal is performed, the number of errors in the data stored within NAND flash memory can increase by two or more orders of magnitude, as the high temperature applied to the chip greatly accelerates charge leakage. We demonstrate that the chip-off analysis based forensic data recovery procedure is quite destructive, and can often render most of the data within NAND flash memory uncorrectable, and, thus, unrecoverable. To mitigate the errors introduced during the forensic recovery process, we explore a new hardware-based approach. We exploit a fine-grained read reference voltage control mechanism implemented in modern NAND flash memory chips, called read-retry, which can compensate for the charge leakage that occurs due to (1) retention loss and (2) thermal-based chip removal. The read-retry mechanism successfully reduces the number of errors, such that the original data can be fully recovered in our tested chips as long as the chips were not heavily used prior to seizure. We conclude that the read-retry mechanism should be adopted as part of the forensic data recovery process.

Original languageEnglish (US)
PagesS1-S11
DOIs
StatePublished - 2017
Externally publishedYes
Event4th Annual DFRWS Europe, DFRWS 2017 EU - Lake Constance, Germany
Duration: Mar 21 2017Mar 23 2017

Conference

Conference4th Annual DFRWS Europe, DFRWS 2017 EU
Country/TerritoryGermany
CityLake Constance
Period3/21/173/23/17

Keywords

  • Chip-off analysis
  • Digital forensics
  • Memory errors
  • Memory reliability
  • NAND flash memory analysis
  • Read-retry

ASJC Scopus subject areas

  • Information Systems

Fingerprint

Dive into the research topics of 'Improving the reliability of chip-off forensic analysis of NAND flash memory devices'. Together they form a unique fingerprint.

Cite this