ESI Recoveries from Solid State Drive Technology – New Challenges
DESCRIPTION
Chris Bross, DriveSavers - Speaker at the Chief Litigation Officer Summit Fall 2012, held in Las Vegas, NV, September 13-15, 2012, delivered his presentation entitled ESI Recoveries from Solid State Drive Technology – New Challenges
TRANSCRIPT
DriveSavers Data Recovery
ESI Recovery from Solid State Technology
New Challenges for eDiscovery
Presented by: Chris Bross, Senior Enterprise Recovery Engineer
Survey
How many of you own a Solid State Device?
Smart Phone, Camera, Tablet, Ultrabook?
NAND flash
Who is DriveSavers?
Corporate Profile
- Pioneered the data recovery industry 27 years ago
- Global leader in secure data recovery services
Who We Serve
- eDiscovery and Law firms, financial organizations, Fortune 500 companies, healthcare institutions, government agencies, universities and consumers
- Compliance and security dependent clients
Capabilities
- Fastest, most reliable, and most secure provider
- All storage devices, all OS supported
- Forensic imaging, eDiscovery and Data Sanitization
Data Recovery & Imaging Defined
Software
- User and professional tools available
- Ineffective with hardware failure
Professional Data Recovery Service
- Reverse engineering laboratory and clean rooms
- Resolve hardware and more complicated failures
Forensic Imaging
- Data as evidence
- Acquisition, analysis and reporting process
The Data Storage Market
Hard Disk Drive
- History and market dominance
- Current and projected growth
Solid State Drives
- Growth in Ultrabooks, MacBooks, premium laptops
- In the Enterprise and in the Cloud
Smart Devices
- 2007 birth of the iPhone
- Explosive global growth
Solid State Storage Defined
Data Storage on (NVM) Non-Volatile Memory
- Semiconductor chip based cellular data storage
NAND flash Technology
- Most common NVM today
- Costs decreasing, capacity increasing
- Scalability, density and reliability challenges
Advantages over traditional hard disk drives
- No mechanical points of failure
- Performance, reliability, power efficiency, security
Reliability of Solid State Devices
Reliability Expectations
- No mechanical failures, no moving parts
- Higher MTBF and lower AFR
Reality in the Data Recovery Lab
- Failure does occur, volume increasing with installed base
- Recovery can be more challenging than with HDD
Storage Industry & Technology Evolving
- Each generation more reliable
- Intel as an example
Why Data Recovery from SSD?
Physical & Environmental Issues
- Impact or physical trauma to device
- Environmental or liquid exposure
Device Failure
- Electro-logical failure
- Controller/firmware or NAND flash
User Fault or Malicious Attack
- Data deletion, accidental format
- Encryption issues
The Issue: Imaging of ESI from SSD
Hard Disk Drive (HDD)
- Data stored magnetically on platters
- Long data retention, proven imaging methods
Solid State Drive (SSD)
- Data stored electronically in cells, within pages, on chips
- Shorter data retention, more imaging challenges
Data Lost Due to Self Maintenance of SSD
- Routines like TRIM and garbage collection can result in automatic destruction of data
The Story: Mat Honan @ Wired
Photo: Ariel Zambelich/Wired. Illustration: Ross Patton/Wired
Data in Cloud and Solid State
The Challenges in this Case
Secure Remote Wipe via iCloud hack of 3 Devices
- Physical layer overwrite of all data
- All storage devices were solid state, no magnetic HDD
iOS Devices Not Recoverable
- Remote secure wipe was completed
- Apple iOS and hardware encryption complication
MacBook Air w/ SSD Successful Recovery
- “Perfect Storm” of events
- Complications of image and recovery process due to SSD self maintenance
Challenges in Forensic Imaging
Proprietary Technologies From OEM
- Highly protected trade secrets may prevent data access
- Rapid competitive technology advances
Encryption
- Default built in to SSD hardware controller
- Corporate software encryption deployments
TRIM & Garbage Collection
- Self maintenance and performance routines
- Detrimental to recovery and forensic imaging
Encryption
In Software
- Common in large corporate or government deployments
- No imaging issues if keys/credentials are provided
- Physical failure can produce partial corrupt image
In Hardware
- Controller or firmware failure can prevent imaging
- Encryption key unknown to user
- Firmware reload can trigger key regeneration
- Linked via TPM to software encryption
TRIM
TRIM defined
- Operating system command to remove data at device level
TRIM support
- Must be enabled in hardware and supported in software
- Current Windows, MacOS and Linux full implementation
Operation and Results
- Runs immediately upon empty of recycle bin
- Resets (programs) cells to 1 (erased)
- Data is unrecoverable
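
A check for the "enabled in hardware and supported in software" condition on this slide, as an added example that is not part of the presentation: on Linux it reads sysfs and the mount table to list which block devices are non-rotational, accept discard (TRIM), and are mounted with continuous discard. The function name `trim_exposure` and the report keys are illustrative; `queue/rotational` and `queue/discard_max_bytes` are the kernel's own sysfs attributes.

```python
# Added example (not from the presentation): Linux triage of TRIM exposure.
from pathlib import Path


def _read_int(path):
    """Return the integer stored in a sysfs attribute, or None if unreadable."""
    try:
        return int(Path(path).read_text().strip())
    except (OSError, ValueError):
        return None


def _has_discard(options):
    """True for 'discard' or 'discard=async', False for 'nodiscard'."""
    return any(o == "discard" or o.startswith("discard=")
               for o in options.split(","))


def trim_exposure(sys_block="/sys/block", mounts="/proc/mounts"):
    """Map each block device to its non-rotational / TRIM status."""
    online = set()  # device nodes mounted with continuous (online) discard
    try:
        for line in Path(mounts).read_text().splitlines():
            fields = line.split()
            if len(fields) >= 4 and _has_discard(fields[3]):
                online.add(fields[0])
    except OSError:
        pass

    report = {}
    for dev in sorted(Path(sys_block).iterdir()):
        rotational = _read_int(dev / "queue" / "rotational")
        discard_max = _read_int(dev / "queue" / "discard_max_bytes")
        if rotational is None:
            continue  # no request-queue attributes exposed for this entry
        node = "/dev/" + dev.name
        report[dev.name] = {
            "non_rotational": rotational == 0,
            "trim_supported": bool(discard_max),  # 0 means discard unsupported
            # Prefix match covers partitions (sda1, nvme0n1p2); mounts made
            # through /dev/mapper or by UUID are not resolved here.
            "mounted_with_discard": sorted(
                m for m in online if m.startswith(node)),
        }
    return report


if __name__ == "__main__":
    for name, info in trim_exposure().items():
        print(name, info)
```

A device without the `discard` mount option can still be trimmed periodically by `fstrim`, so an empty `mounted_with_discard` list does not mean deleted data will survive.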
Garbage Collection
Background Garbage Collection (BGC) defined
- Automatic controller function for maintenance
BGC support
- All current SSDs support in hardware
- OS independent operation
Operation and Results
- Runs indeterminately and quickly in the background
- Defragments and optimizes saved data
- Resets (programs) cells to 1 (erased)
- Prior data is unrecoverable
Process in the Recovery Lab
Capture & Acquire Image ASAP
- Source is a moving target that may degrade/purge data
- Disabling BGC impossible without help from OEM
- Using a write-blocker DOES NOT stop these processes
Image Access Via Controller & Data Interface
- Ideal to work with device intact and functional
- Imperative for encrypting devices
NAND Chip Extraction and Imaging
- Only on non-encrypting devices
- Complicated reverse engineering of write algorithm
Advantages at DriveSavers Lab
Engineering and Experience
- Hundreds of thousands of cases completed
- Specialized SSD and NAND engineers
Strategic Industry Alliances
- Trusted exchange of field failure analysis
- Development of OEM specific tools
R&D
- Non-stop commitment to new tools and tech
- Acting as “thought leaders” for the industry
Forensic and eDiscovery Services
Data Collection
Data Processing
Data Export
Data Review and Hosting
Expert Witness Testimony
Litigation Management
Data Analytics
Best Practices To Follow
Understand the Differences of HDD vs SSD Imaging
- First chance may be only chance
- Understand the limitations of the technology
Litigation Hold Letters
- Consider specific instructions for SSD ESI requests
- Require immediate imaging of devices
If Unable to Image SSD
- STOP, power off and engage a professional lab
- ESI will potentially degrade with any attempts
Looking Forward
Greater Market Adoption of Solid State Storage
- Everything mobile, corporate and enterprise
Solid State now in the Cloud!
- SandForce/LSI example
New Technologies = New Challenges
- More security, encryption & “secret sauce”
- Compression, de-duplication, FTL
- Sanitization of SSD
Imaging and Recovery Challenges Continue
Q&A
Thank You!
Chris Bross, Senior Enterprise Recovery Engineer