Recovering data from erased or formatted SD and USB media
We’ve noticed many newer Secure Digital (SD) and USB Flash drives are implementing garbage collection routines similar to solid state drives. Specifically, to speed up write operations, the controller will write information to a pre-allocated list of erased blocks or pages instead of immediately erasing the original data. Simply put, when you perform a full format or delete a file, it’s not immediately erased from the physical memory chip.
Recently we had three accidental full format cases: two SD cards and one USB flash drive. The media was fully functional; however, running traditional data recovery applications on the media yielded no data. There was no user data, only zeros.
Reading the NAND memory chips showed a different story. We found all the user data. Essentially two file systems, one current and one latent. The current file system contained no data however the latent file system was completely intact.
How can two file systems exist? When the controller writes data to NAND memory it will typically write block mapping information to each page, meaning, block x belongs to LBA address y. The latent file system had conflicting block mapping information, two blocks with the same address. By separating the two file systems we were able to recover the data.
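The separation described above can be sketched in code. This is an added example, not the tooling used in these cases: the spare-area layout (a 16-bit logical block number followed by a 16-bit write sequence counter), the toy block size and the sample dump are all assumptions constructed for illustration, since real controllers use vendor-specific layouts.

```python
import struct
from collections import defaultdict

DATA_LEN = 8            # toy block payload size (assumption; real blocks are far larger)
SPARE_FMT = "<HH"       # hypothetical spare layout: logical block number, write sequence
UNIT = DATA_LEN + struct.calcsize(SPARE_FMT)
ERASED = 0xFFFF         # the spare area of an erased block reads back as all 1s

def parse_dump(dump):
    """Group physical blocks by the logical block number (LBN) they claim."""
    claims = defaultdict(list)
    for phys in range(len(dump) // UNIT):
        unit = dump[phys * UNIT:(phys + 1) * UNIT]
        lbn, seq = struct.unpack(SPARE_FMT, unit[DATA_LEN:])
        if lbn != ERASED:
            claims[lbn].append((seq, phys, unit[:DATA_LEN]))
    return claims

def split_images(claims):
    """Return (current, latent, conflicts): newest claim per LBN vs. the one it superseded."""
    current, latent, conflicts = {}, {}, []
    for lbn, copies in sorted(claims.items()):
        copies.sort()                       # oldest first by write sequence
        current[lbn] = copies[-1][2]
        if len(copies) > 1:                 # two physical blocks, same logical address
            conflicts.append(lbn)
            latent[lbn] = copies[-2][2]     # most recent superseded copy
    return current, latent, conflicts

def assemble(image, nblocks):
    """Flatten an LBN -> data map into a linear image; unmapped blocks are zero-filled."""
    return b"".join(image.get(i, bytes(DATA_LEN)) for i in range(nblocks))

def _unit(lbn, seq, data):
    return data.ljust(DATA_LEN, b"\0") + struct.pack(SPARE_FMT, lbn, seq)

# Constructed sample dump: LBNs 0-2 hold user data, then a "format" writes new
# contents to fresh physical blocks without erasing the originals.
SAMPLE = b"".join([
    _unit(0, 1, b"FAT-OLD"), _unit(1, 2, b"photo01"), _unit(2, 3, b"photo02"),
    b"\xff" * UNIT,                          # one erased physical block
    _unit(0, 4, b"FAT-NEW"), _unit(1, 5, b""), _unit(2, 6, b""),
])

if __name__ == "__main__":
    cur, lat, dup = split_images(parse_dump(SAMPLE))
    print("conflicting LBNs:", dup)
    print("current:", assemble(cur, 3), "latent:", assemble(lat, 3))
```

The logical view in this sample is all zeros past the first block, while the latent image rebuilt from the superseded blocks still carries the original contents.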
This methodology isn’t used on all flash devices and is a relatively new behavior, say early 2011. Previous generations of devices would simply read a data block into internal memory, modify it, write it to another block, and erase the previous block. This method was very slow compared to modern designs because it required many operations to update a single piece of information.
Is this good or bad? From a forensics standpoint, it’s another case where erasing data doesn’t mean it’s erased. If a full format was done with pseudo random numbers the majority of latent blocks would be erased. From an end user standpoint it’s great because data is still recoverable in either the full format or the file deletion case, as long as the media isn’t used after the erasure occurs.
Either way, still pretty cool stuff. Silicon Motion and Phison seem to be doing some interesting optimizations to minimize wear damage on devices using a FAT32 file system, perhaps that’s an article for another day but I think this behavior is linked to these optimizations.