A New Hope: The One Last Chance to Save Your SSD Data, presented at Black Hat Europe 2020

by Taehyun Kim, Taewon Kim, Hanjun Chung, Seungjoon Lee, Kwonyoup Kim

Summary: Vendors keep the details of their controllers and flash chips confidential for several reasons. One is that each vendor deploys its own management techniques, such as TRIM, Garbage Collection, and Wear Leveling, which affect SSD capacity and speed and are preserved as code on the flash. Although vendors use these techniques, we show that SSDs do not erase all of the physically stored data, because doing so might shorten the drive's lifespan. We found that an SSD still leaves sensitive data behind when the same logical block is overwritten: it does not overwrite a fixed physical block but instead takes another empty physical block and writes to that, so the erased data remains. For these analyses, we extract the NAND chip data using only physical block address (PBA) manipulation in the internal controller, because the logical block address can no longer be used in normal operation. For SSDs in which a crypto engine built into the controller encrypts every block of data stored on the flash memory, we recover the old logical page number (LPN) that was in use before the data was erased or overwritten, so that the data is decrypted naturally in the controller. As a practical case, we study how to recover data after a ransomware attack even if the previous values in the logical-to-physical (L2P) table have been replaced with new ones. We also analyze how the feasibility of recovery depends on the number of overwrites on the same physical block.
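The out-of-place write behaviour the summary describes can be seen in a small model. The following Python sketch is an added illustration, not the presenters' code or tooling: `ToyFTL`, `stale_versions` and `demo` are hypothetical names, and the model assumes each physical page records its LPN and a write sequence number alongside the data. TRIM, garbage collection, wear leveling and controller encryption are not modelled.

```python
"""Toy page-mapped FTL (constructed model): overwrites go to a fresh physical page."""


class ToyFTL:
    def __init__(self, num_pages):
        # Assumption: each written page stores (lpn, seq, data); None means erased.
        self.nand = [None] * num_pages
        self.l2p = {}        # logical page number -> physical page address
        self.next_free = 0   # next empty physical page
        self.seq = 0         # global write counter

    def write(self, lpn, data):
        # Out-of-place update: never rewrite the old physical page in place.
        if self.next_free >= len(self.nand):
            raise RuntimeError("no free pages (garbage collection is not modelled)")
        pba = self.next_free
        self.next_free += 1
        self.seq += 1
        self.nand[pba] = (lpn, self.seq, data)
        self.l2p[lpn] = pba  # the previous PBA is now stale but still holds data
        return pba

    def read(self, lpn):
        # Host-visible read: only the page the L2P table currently points to.
        return self.nand[self.l2p[lpn]][2]


def stale_versions(ftl, lpn):
    """Scan raw physical pages for copies of lpn that L2P no longer references."""
    current = ftl.l2p.get(lpn)
    hits = []
    for pba, page in enumerate(ftl.nand):
        if page is not None and page[0] == lpn and pba != current:
            hits.append((page[1], pba, page[2]))
    return sorted(hits, reverse=True)  # newest stale copy first


def demo():
    ftl = ToyFTL(num_pages=8)
    ftl.write(0, b"report-v1")
    ftl.write(1, b"photo")
    ftl.write(0, b"report-v2")
    ftl.write(0, b"ENCRYPTED")  # constructed stand-in for a ransomware overwrite
    return ftl


if __name__ == "__main__":
    ftl = demo()
    print("host sees:", ftl.read(0))
    for seq, pba, data in stale_versions(ftl, 0):
        print(f"stale copy at PBA {pba} (write #{seq}): {data!r}")
```

In this model the stale copies survive only until their block is reclaimed, which is why recoverability depends on how many further writes reach the same physical block.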