 Okay, so everybody ready to go? All right, you guys hear me in the back? How many people saw my speech this morning? All right. So this morning, I did a couple of seconds of animation and then a whole thing of PowerPoint. In this one, I'm going to do exactly the opposite. I'm going to switch from PowerPoint to animation in about one minute. Okay. So basically the story is I am a computer forensic guy. That is my day job. I also run a data recovery shop. We do a lot of data recovery, a lot of rebuilds. We run side by side. And basically some of the same people move back and forth between whatever we're doing. So one second I'm working on a data recovery. The other second I'm working on forensics, depending on what type of case. And some data recoveries are forensics. Sometimes we have to handle them, put them in a safe, lock them up, do what we need to do to actually to protect chain of custody in a data recovery for a case that's ongoing that may not be my case. So at least from that realm, we're doing a lot of different types of stuff. And what kind of spurned me to do this particular speech? I've been working on this speech for almost two years. I started on it about a year and a half to two years ago because I ran into a solid state hard drive in the middle of a case. And it looks completely different when I was looking at the content. So I wanted to kind of show you and represent that to you. But at the same time, I did about a year's worth of research in solid state as to why it looks different and what's physically different about it. And when I mean solid state, I don't usually mean the little flash memory stick that you have in your pocket that you plug into your computer. And the reason I separate the two, even though they're solid state, is because there's fundamentally some differences in how they handle some of their content. So I'll show you that. 
But one of the first things I wanted to show you is this is just, and you probably can't see this so I'll zoom in in a second, but sometimes you may realize that this is an FTK Imager, basically a free program. You can actually just look at stuff that was easy to do for this. And if you look, you'll see, I bought a solid state hard drive, put it in a laptop and used it for a month, did some testing. And this is the result of what I keep running into, is that even after things have been deleted, just over normal usage, nothing astronomical, nothing happening to it, it looks like to any forensics guy, it's been wiped. If you look, you got zeros there. You go down the list of things that you would normally actually see remnants or things there in unallocated space and slack space, and it's deleted. So here's another one. This is in another directory. And so you'll see another directory with pictures where just through normal use, things start appearing to disappear. This is a separate one with a different type of file. And then again, it's zeroed out. There's nothing there. So I'm going through this process to try to show you the things that I found to be different about a hard drive. And then from some of the people that I've actually talked to, I've gotten some proprietary information. And that proprietary information, my goal is not to actually show you any proprietary information itself. It is to use all the things that are different amongst all the vendors who are doing content to show you what is the same amongst all of the types of drives. So you can get a pretty good feel for it. So while I know some, that's not my point. So I'm not trying to like rip on a SanDisk or anybody like that. So I'm going to try to show you what I at least have discovered to be the same for most of the content. So here we go. 
So my disclaimer here is the fact that for hard drives, we basically had for 30, 40 years now, different manufacturers buying up each other until there's almost nothing left. There's only a handful of vendors now that we can reliably rely on to deliver hard drives. Others come and go depending on what day of the week. But for the most part, they bought each other up and they all own some of the same property now, or they've all come to some of the same conclusions. So hard drives, while they may have some fundamental things that are different vendor to vendor, there's a majority of things that are exactly the same. And that you could say the same thing, whether it's a SATA drive, a two and a half inch drive, a three and a half inch hard drive, whatever. But at least from that standpoint in doing data recoveries and my 2,000 speeches I've already done in the last three or four years that are published online that you guys can already go and see 25 movies out there that go through data recovery step by step, even some trade secrets and things that you can actually do to take apart platters and move them to another drive, it's all out there. So you can go see all that. I'm going to use a minute or two of it at the end of this one. But ultimately, it's all pretty much the same. You can do a couple of things different per vendor. But in solid state disks, that is not true. Solid state disks, they're all using some of the same components. But now we're talking about code that's actually running physically on a device for solid state. So they may be completely different. So whatever SanDisk is using may be different than somebody else at Toshiba or somebody else is using. Some of them get each other's IP property and actually license the code from them. So for instance, SanDisk owns something like 12% of the market and Samsung owns something like 40% of the market. 
But Samsung rents their IP property from SanDisk at least through maybe the end of this year or sometime pretty close to renegotiating right now or something. So at least from that standpoint, you now have a lot of vendors using some of the same code, some of the same processes may take place. But you get a lot of different things that are implied. So I just want to let you know that that's what my disclaimer is all about. So basically, I want to talk about what a solid state disk is. So most people are just saying, okay, that flash disk, that memory stick, is a solid state disk. And sure, it is a solid state disk. But kind of like routers and gateway terms have become kind of reliant upon each other. That's what we're dealing with now with solid state. Typically now when you say solid state, you mean an actual physical device that when you plug it into your computer is not technically using a driver that wasn't designed for this particular thing. So in other words, it's using an IDE driver as opposed to a mass storage driver or something else that's been custom written. So it emulates what the other device was doing. And that's what I mean when I say solid state disk. So yes, I know that some systems have everything in them from accelerometers to keep this from happening, but I guarantee you it still happens. We still see drives like this in that when they hit the ground or whatever has happened to them, whether they hit with a hammer or something else, they physically are damaged. And especially obviously, three and a half inch disk where they may flip off the edge of the table. Because now people are making hard drives in these towers that look really cool like a FreeAgent disk or a Maxtor disk that stands on its end. And people all put it on the corner of the table and it goes... That's exactly what you're going to see here. It's pretty bad news most of the time. Pretty unrepairable. It really depends on what type of problem you have. 
Some of the newer drives, the actual whole spindle is just falling out of the entire assembly. So it's getting pretty bad. But what if this was a solid state hard disk and your girlfriend threw your porn machine out the window? Time machine right here. So if that was a solid state disk, you'd still have a party going on on your chips. So they would be running just fine. They'd be happy. They'd be passing stuff. As long as that didn't crack, if it didn't hit that corner and actually cause a crack across one of the boards or something, you may still have everything just fine. It'll be happy days. And when you put that back in your computer... So... You have all you need. So I'm going to go over just a couple of fluffy reasons. This will be about three minutes of fluff of why you might want to get a solid state hard disk. So one of the first things that I kind of want to point out is reliability. In this particular case, and I've described this in other speeches before, hard drives do not write zeros and ones to the platter. A lot of people think it does, but there is a preamp that is physically on the hard drive. It encodes a signal and inserts null space, and it really writes something that looks a lot more like a wave file to the platters themselves. So it's not a zero and one. It has to decode that content on its way back out. But physically on solid state, you actually are writing a zero or one. You're actually putting an electron in a cell, and it's actually charging it, and you're either getting a zero or one based on where that electron is or not. Then you also have location-independent speed, because this is kind of ridiculous too. I see all these tests all the time that say, well, let's compare the solid state and they're doing a read test or something that actually has to do something with the heads. Well, you have no heads, and because of location-independent stuff, they're really not like comparing apples and oranges. 
So you're actually not doing justice to a solid state disk when you're doing a comparison like that, but at least you have a difference in speed. Then you have your difference in power consumption, and before anybody goes and rips on me about Tom's Hardware, little thing about solid state hard drives sucking down more power or something, I'm not going to rip on them either. I don't know exactly what's going on, but in real world, in testing and doing these things, there is a difference, and I am seeing a lot larger span of battery life by using solid state disks, and even just doing the math, some of what I've seen on Tom's Hardware doesn't seem to make much sense. So I don't know all the details, but I would tell you from real world use, I get about an hour and a half, two hours longer battery life by having a solid state disk than I would if I had a spinning disk in the same laptop. And then you have noise and vibration, and that makes a real big difference. And I'll tell you, a silent machine, that really makes a big difference, especially in a laptop that you're carrying around, you can't hear anything. I mean, it is as silent as you can get. And typically because of less power consumption and things like that, you're not actually kicking in the fans as much on your laptop either. And then you have a big difference in temperature. So for people who don't have a Mac, that's it on the left. So you don't put that in your lap, and you need like all kinds of other, because they say it's not a laptop, it's actually for a table still. But that's what you're dealing with. So at least from a temperature standpoint, it makes a great difference. I'm very happy about having a solid state disk. And then you have a real big difference in weight, because your parts really are a lot. Metal is going to weigh a lot more. And obviously these days with the price of metal going up, who knows what's going to happen with hard drives in the long term. 
So now I just kind of want to give you a heads up on what the solid state disks are. So because physically when people have been talking about solid state, we've had this particular one that's a DRAM solid state for like 30 years. This is physically used like in banking, in military installations, things like that where you actually have to do hundreds of thousands of transactions a second. And we physically have no moving parts. And this works a lot more like an actual machine and that when power is lost, it suspends it to an external unit, another hard drive or something, and it physically has tons of backup and things. But it's been around for a long time. So we've had solid state disks. This might be something like you might find at Wachovia or something, dealing with all your transactions from a banking standpoint. But I'm not going to talk about those. Physically, there's two other types, NAND and NOR. And I'm not going to crucify this guy's name, so I'm just going to call him Dr. M. So Dr. M has developed both of those types of memory. So physically, they've been around since 1984 to 1986. We're just now starting to get where we're starting to use Flash, which would be the NAND as opposed to the NOR chip, because the NOR chip is more what you would see in like a BIOS on your motherboard. And Intel actually started using some of these back in 1986. So from a standpoint of what you're used to, NOR would normally be able to write to it maybe 10 times before it starts to get destroyed and bad things happen to it. So it's really good for things that don't change often and that you have a developer who's going to release a lot of changes to their code over time. And some of them may have migrated now to actual Flash, but from a standpoint of the way it existed for 20 years, this was more likely what you were using most of the time. NAND is what we're using in solid state disks. 
This is what we're using that we know as our memory sticks and what's physically emulating your hard drive. So these are the ones that we're going to talk about. Now I've got to tell you, I have taken some liberties with some artistry here as to the representation of what a gate is. So you guys really, if I'm not going to, you know, again, if there's any double E's in the audience, I apologize. So you can go look it up and find out exactly what it looks like as opposed to using my diagram. So I've got a paint can with some plastic over the top and then I have a gate at the top and the bottom. So a transistor and a floating gate are basically the same thing. And then what we're going to do is we're going to change the state from 1 to 0. And this is done through something called electron injection. So basically, physically when the floating gate is powered, it will shove an electron through the oxide layer and store it. And then there's a transistor at the bottom that's detecting whether or not there's content physically stored in that cell. So, and you'll see that now while it has an electron in it, its state is 0. When it doesn't have an electron stored in it, it's a state of 1. So it's exactly the opposite of what we would expect as we are storing content. So that's what it looks like or would look like. We still have some of the same things that we're dealing with with NAND that we're used to dealing with with hard drives and other stuff. We still physically have content that we're going to have to keep track of. And in this case, I'm trying to step aside what I showed you a second ago is actually called a single layer chip. It was one row of chips. This is some new technology that's basically coming about in the last couple of years to try to start controlling our costs a little bit. 
This is called a multi-layer chip and basically the multi-layer chip says I'm just going to store electrons on top of each other and I have to check them all at the same time and I have to store content in all of them at the same time. So if I stack them too high, I've got to shove 2 through a hot electron injection into there or if I want to release them, I've also got to release them all at the same time. So that's what, when you see MLC, this is what it means and we have MLC chips now that are up to four layers. What you have to understand about MLC versus SLC chips is that if it's SLC, it's faster. It's going to be somewhere in the neighborhood of maybe 30 to 40% faster than it's going to be if it's an MLC chip. So when you start seeing costs coming down and you start seeing really big gigabytes of stuff in there, just know that that's not going to be as fast as an SLC if you're looking for performance or something along those lines unless they've made some modifications to it to improve speed. But you have plenty of combinations there now of data the way you can store it. So we still have the same size things that we want to deal with like we do with anything else. So you're still dealing with a byte and you still actually have your physical bits stored in there for your byte. But we can't talk directly to a byte. So the way it works physically in a NAND chip is things are stored in a grid and the grid actually has to initialize what's called the word line. So you get 16 bits in a word line. So physically, anytime something's talked to on this grid, it has to basically electrify, do the hot electron injection through the word line. But it's still not the smallest size that we can talk to. Physically, the smallest size that we can write content in is a sector. And traditionally, a sector to us is normally going to be 512 bytes. That's what we're used to seeing on hard drives. Hard drives are typically all 512 bytes. 
So when you write something through a hard drive it's going to write the sector at 512 bytes. If you're going to erase a sector, you're going to write 512 bytes. And if a block goes bad, you're going to have 512 bytes of bad data. That is not true on solid state disks at all. We have a variation in size now. I'm going to get to that piece in a minute, but this is basically a 512 byte sector. Now, we actually have sectors that are of a varying size. We actually have a different size sector on a solid state disk than we do on a hard drive. For the first time in 50 years we've varied this size from that standpoint. So you can have, and it's again the choice of the manufacturer, they can choose what size they want to write and how they're going to write it. But traditionally, 256 megs and less is storing it in 512 bytes. 256 megs, there's a line where they can choose at 256 whether or not they're going to do 512 or 2K. So basically 2048 is what we're going to store now in a sector. So now we have a size that's different than what we used to deal with. Forensics, even knowing that you have a difference in the size of the sector that you're going to read is going to make a difference. But one of the biggest problems we have is that we can't erase a sector. We have to erase things in a block. Now, again, some liberties have been taken here because this is not how it happens inside your chip. You don't have a little lids popping off of your plastic gate arrays or anything like that. So these are divided up into blocks and I am trying to signify that what happens and Dr. M, again, is one of the people who actually named him and one of his other friends, Dr. S, have named this flash because when they were electrifying and letting the electrons go, Dr. S noticed it looked like a camera flash from a Kodak camera. So he said, wow, that looks like flash. Let's call it flash memory. And it stuck with that and it's been the same way now for 25 years. 
So that's where that came from. And so I'm just signifying that similar to what it might have looked like. Now, this is where I'm varying and I'm not talking about physically what happens inside the NAND chips itself and what the manufacturer is buying. I'm now talking about where they're changing the source code and what the source code is physically doing on this chip to do something called wear leveling. Our problem is, is that over time the cells will wear out and they will die and there's some controversy as to how long this chip is going to be. But each cell will wear out and it will die sooner or later. So what they decided to do was, well, let's try to keep the number of cells every time that they're erased and every time something happens about the same all the time. Because normally what would happen is you have like a fat table and if it's sitting in the same location you write a file, it would change the fat table. If it was always in the same location it would just wear that chip down by faster than the rest of the chip. So now they move everything around. Basically they're saying anything inside the chip that changes. If something hasn't changed within say five write cycles we're going to automatically move it around using software. Using our own firmware, our own code, our own things. So that's what's happening here. So what I'm going to describe now is basically and this I'm burying a little bit too. I'm going to use a file as the nomenclature but it's not really a file. So this file or PDF hasn't changed. The files are changing. So it moves the file to a new location and then puts that file someplace else and puts the one that it left that it took and moved into a garbage collection routine. And the garbage collection routine runs basically like a queue. It's a list and it stores this list and it keeps this list indefinitely until they're all erased. 
So if you unplug the drive or you power it off when you power it back on it looks at the garbage collection routine even though there may be something new added to the garbage collection routine during this cycle while you've booted and run it. It's not going to happen in that order. It's going to happen in the order of the queue and how it stored it. So that's physically the function of ware leveling to try to keep the chip from being destroyed in the process of using it. So this is what it looks like on a hard drive. If I had a hard drive and I opened up a file and I added to this file and this doesn't always happen so if it replaces the file then it does something else with it. But I can write to that sector. I could physically touch that sector write something back. And in forensics we basically do that all the time. We go and we say I want sector 125 give me one sector 125 and go look at it and write something or change something or do whatever you want to do. So in a hard drive we have that ability. But in a solid state disk now because we can't do cells that have already been written if we open a file and we modify it it can't write it back to the same location. It cannot put it in its same location. So it will take the content when you make a save or a change and now it's virtualizing what it's doing it's actually writing the content to a new location a new set of sectors that you didn't know about and you have no control over. And you can't go look at them or do something to them make a change or write something to them. So physically it's going to take the file to a new location. Then it's going to take the block that the content came from put it in a garbage collection routine and eventually it's going to get around to clearing that block. It's got to wait till every sector in the block that is defined is released because an entire block has to be released not just a sector. So you're going to see that in a second. 
So this is what we're talking about and why we're trying to protect the chip and basically not destroy it every time that something is written into it it physically is starting to destroy the silicon physically in the cell over time. And the discussion seems to be how many times is that going to take? Sometimes some vendors are saying it's going to take 100,000 writes. 100,000 writes before it dies is the typical answer. But some of them are now saying a million some of them are saying 10 million before it actually dies. And how many of them do you think they really know? Zero. They don't know when it's going to die. They knew that and they could do a better job of predicting what was going to happen here. So they don't know but as they're starting to change materials and use different materials they may have a better lifespan but traditionally right now up to now what you've been buying has pretty much been all the same stuff. And so they're just guessing how long it's going to last. So basically what they have to do is they have to add spare sectors in so that they can add some lifespan to it. So when you buy, if you were to buy 64 meg it might be 128 but they just call it 64 and they use the extra space for spare sectoring. Same thing for gigabyte sticks or anything else. So when you get beyond a certain number physically there's some extra sectoring there for them to be able to use it. So I found this interesting I have this manufacturer's quote that I got right off of their webpage so you can hunt it down. I'm not going to put who the manufacturer is but you can find it. So physically when flash memory wafers are tested and probed the distribution of bad and weak and strong dyes are identified across the waiver. Bad cells are marked and the remaining cells are sorted into consumer and industrial quality flash and then consumer grave flash is what makes it into the mass marketed devices through retail chains. 
So basically they're telling you that they're selling you crap. That's what they're saying. They're saying we tested all these things and here's the crappy ones to maybe Cisco or somebody else and we're going to sell the bad ones to fries or something like that with a generic name on it or Micro Center with a generic name on it. So I'm not picking on them. I'm just saying that's what you're buying and most of the time that's how you get a $6 memory stick as opposed to the $40 memory stick that might be a better buy. So how many people have bought a Micro Center memory stick? How many people have returned them and got one replaced under lifetime warranty or threw them away? So a few of you. But have you also noticed that maybe those sticks are a little bit slower than the other sticks? No? Okay, well maybe you should do some timing tests because you'll find out they're about four times slower than some of the other memory sticks. But anyway, so that's ultimately what you're talking about. Again, you know you're buying a cheap one so it's not like a big surprise to you as opposed to buying like a SanDisk memory stick or something that's a higher quality that has better code or something like that. But anyway, so that's what you're dealing with. You're buying some crap. So this is the breakdown of all the stuff I was just talking about. I wanted to give you kind of an overhead view of what we're looking at because this is different than what we're used to dealing with with a hard drive. Physically, you have your smallest unit as we go down through a cell and then we go to a byte. We get to our smallest writable unit which is a sector. Now these numbers mean the 512 plus 16 is there 16 extra sectors for flags, for things that can change. And so for every 512 there's always going to be 16. But only for 256 meg sticks and below do you have 512. So everything that's above 256 megs is going to be 2048 plus 64 bytes and that's going to be called a page. 
And that's physically the smallest writable unit we have on a cell state disk. But our smallest erasable unit is a block. So we can't erase a sector and we can't erase those however many sectors we've written a file to. So they're still on our disk even after we've deleted our file and it's gone. If the garbage collection routine hasn't run it still physically sits there indefinitely maybe. So our smallest erasable unit is a block and what that means is the manufacturer can choose the size of a block. It's either going to be 16, 32 or 64 times the amount of sectors that it is. So typically the answer is 64. So most of the time it's going to be 64 times 2048 which means you basically have 128k that has to be erased every time a block is released. So that's what you're calculating out. If you've got to erase something it's 128k. So this is a comparison to what we're used to seeing from a hard drive versus solid state. So on the left-hand side basically your smallest writable unit is still a sector 512 bytes smallest erasable unit is 512 bytes and your smallest bad block is 512 bytes. But NAND your smallest writable unit is a sector so it's usually going to be the 2k and then your smallest erasable one is going to be 64 times 2k for 128k but at the same time if you have a bad block even one single bad cell in the entire section it marks that entire block as bad. So you immediately lose 128k. So as you start looking at your size of your disk you will actually see over time as sectors go bad if there's not enough spare sectors the size of your memory stick will start to shrink you'll actually start using and that's true of hard drives too eventually as you fill that up and you've used all your bad blocks physically what's going to happen is the size of the hard drive may shrink as time goes on. 
I'm glad one of you's got it together so what happened to the rest of you anyway so physically this is the type of content that's kind of hard to find it's not something that's easy to find is when you look at a hard drive and you look at one single sector the code that's actually writing that encoding the content and writing this way file that's what it looks like this is one single sector on the left hand side for a hard drive it's pretty complicated there's some legacy stuff in there there's some stuff for calculations and what you're going to store and you'll also see a large quantity of null bytes and that's because when you're writing with a hard drive and the head physically reads a one or a zero from a standpoint of a high or a low value physically if it's always high and there is no break it never can tell where it ended so it can never say oh I got a one I got a one I got a one it can't do that so they have to physically put some null space and break to say okay here's one move on and there's another one so that's where all this null space and all this extra garbage comes from on the left hand side and basically we've gotten rid of in solid state a lot of that legacy stuff we don't have some of the same stuff carrying forward so we have a lot smaller amount of space we have to keep track of so you have your data which is the 512 bytes or the 2048 from that particular and then you have your 16 bits of data so you're 16 bytes of data you'll have your service flags you'll have your bad block status flag and this was kind of smart actually that basically what they did was they said well we never stored anything in the cell that's actually at this particular number which is like 517 bytes into the disk or something like that where the block status flag is it has no cell that has ever been used and physically it still sits there as an open cell and if I want to say it's bad and that's the only way the only thing you have to do is write an electron into it and 
then bam you're done it's now marked as a bad sector so at least from that standpoint you've actually got a bad block right off the bat and then you have some proprietary data and then you have a small amount of error correction data because the amount of data that we're trying to keep track of is smaller than what it would be in a hard drive we have less ECC data so we actually have a smaller amount that we actually have to store there instead of this encoded string that actually shows up here on the left hand side for a hard drive so there's quite a bit of differences so physically when you're looking at flash memory sticks versus solid state disks what you've got is if this is your memory stick let's kind of compare the differences between the two so now on your memory stick basically you have something that's kind of like a control chip basically this is the device that you're going to talk to you're going to tell it what you're going to do with it and you're basically going to pass commands to it kind of like a standard controller or something you might deal with and there's a lot of fluff and stuff that happens inside of how you're going to communicate with this chip and what you're going to do with it but ultimately the point becomes when you plug it into your computer it has no processor on the device it has no way of calculating anything it has to use a driver on your system so when you plug in a memory stick you get like the mass storage driver starts up and at that point in time the mass storage driver basically takes over and has to do all the fundamental work for what's happening on the memory stick and it's using your host processor to do that because it has no processor of its own all the content for ECC or changes or bad blocks or ware leveling all has to physically be done inside your computer using your processor passing it back and taking care of the chips itself because it has no way of doing that so fundamentally this is what it would look like 
from some of the operating systems. This is part of TrueFFS, which is a SanDisk. So basically it's pretty dumb from that standpoint. You're only going to make some changes to it. But on a solid state disk, it's got a whole different set of commands of what it has to deal with. One of the things is that it has to be, it has to be responsible for all the NAND functions. It has to be responsible for all the bad device blocks. Everything that happens on this chip physically has to happen, because there's no direct driver dealing with that. It's making an IDE call or a SATA call to it and physically conforming to one of the ATA standards, and then physically the drive itself has to kind of virtualize the functions that are going to happen below it, and it divides you from what's actually happening on the chip. So physically, if this is happening in forensics, if I'm requesting the sector for one to five and I go to one to five and I do that say two or three times in a row, and something else has been going on, even an amount of time has passed, sector one to five may no longer be the same sector. It may not be in the same location. It's going to virtualize a table, and it's going to make some changes to the content, and it's going to shuffle it around during some of its wear leveling schemes. And as you can see, if all of this is happening physically in this device here, and you're doing wear leveling, your bad block management, all your array cycles, your start locations, your ECC management, and you ignore write protect calls. And when I say ignore write protect calls, I don't mean the same thing as I take a write blocker in forensics and I put a write blocker on my device before it talks to the hard drive, to the solid state disk. What I mean is that each one of these chips has its own protect on it. And so some of you can see that if you look at physically like the disk that you put in your camera, there's a little switch on the side. You can lock and unlock. It actually is physically wired to the chip
itself, and it can lock and unlock. And what it's basically saying here is it's going to ignore all of those types of things so that it can bind all the memory together and virtualize it as one, and then ignore that write protect call or any of the extra calls that it's going to have to apply. Power being applied to this device, it is completely plausible that under certain pieces of code running it can actually still be swapping content around, doing its garbage collection routines and erasing content just because it's powered. So it doesn't matter if you have a write blocker in front of it. If you're doing forensics and you've powered this device so that you can do a copy of it, garbage collection is running and you can't stop it. At least currently right now I don't know a way to stop it, but people can reverse engineer some chips, make some changes to some code or something. But at least at this point that may affect us and it may cause us some major problems. And the longer it's plugged in, you leave it overnight and you come back tomorrow, it may be done with its garbage collection routine and it erased more data than you thought it was going to erase during that time span, even though it's going to be fairly quick actually erasing that data because it has its own processor. So I just want to make sure that's clear to people that are dealing with forensics. So one of the other things is that because a sector has to be erased before a new sector can be written to it, that gets rid of slack space. Because if you think about it, slack space basically is, if you have a sector and it's 512 bytes and I write 400 bytes to that sector, I have that extra amount that's left out there that hasn't been written. And our hard drives are really lazy. They don't really do functions when they're not asked to do them, because it takes processor power another time. So you have this extra amount of data that's left out there. Well, in solid state disks it's got to erase it and move the content there, so
you're going to get a measurably smaller amount of slack space. Some of it's going to be because of the way that content is divided up inside the hard drives with clusters and things like that, but generally you're not going to get the quantity of data that you had before. You're also going to be missing a lot of the unallocated space. Unallocated space is going to become zeros. So, but this is the major functions that are different between that SSD control chip. So I want to just talk a little bit about what happens in hard drives. In hard drives, when you have a bad hard drive, you go through all these functions. You can physically talk to the SA area. I've covered all this in other speeches, so you can actually go in detail and look at some of this content. But physically on a hard drive you have this SA area that stores content that with the right equipment you can go and look at what you make changes to. But that's not true of solid state. Physically in solid state, we can't talk to all these things. They've changed some of the legacy things that we can talk to now, and we don't know how to request these tables and look at these tables. We're not the developers, and the developers are physically, because say SanDisk is trying to kind of be the king of the market or something like that, they may not be releasing any of their IP property to other vendors so that they can study or do something about it, so that they can use this code, unless somebody is going to reverse engineer it. So physically right now we're looking at content that's changing and we have no idea what's changing. Also in hard drives we have this division of content that's divided up into what's called utility block addressing. Basically what they do is they take like a bad block list and they say, on one drive I might have a bad block list that is going to need three sectors to write to, but on a different size hard drive, a 250 compared to 100 meg, maybe I need a bigger bad block list, so now I'm going to have five sectors
that comprise what the bad block list is. And so to do that, they didn't want to call it something different every time, so basically they came up with utility block addressing. So you may have a utility block addressing for your bad block list be number one, and that's physically what you've gotten for a breakdown. Again, we don't know that content in solid state. It doesn't look anything like that at all. Physically, this is generally what you're looking at in solid state disks. You have a device area, and you'll notice the very first thing is only the first block is guaranteed to be good. The first block is the only thing that they're going to try to say is a high enough quality chip that it wasn't sold to Fry's or somebody else's memory stick. They use a good portion of that for the very first block so that they can write tables and pointers and things too, so that that block doesn't go bad telling you where all your content is. It doesn't move that piece around, but it does move all the other content around. Then you have your header list, and then you have a transition basically from what your LBA blocks are to PBAs. So your LBA block, your logical block addressing, is now translated to the physical block addressing. We don't have that in hard drives. We don't have it in that fashion. Typically there's still a translation going on, but it's sectors and heads from that standpoint, not where our LBA block is. You can still go find that, know exactly where it is. Access to you can't talk to at all. And then you have your free list with your bad block list. Basically, when the device powers up and it goes through its initialization process, it does build a list of the good sectors that content can be written to, so it gets there faster for things that are free. So physically it's actually initializing and building that list, and again, you don't have access to that list. You have no idea what's going on there. The only one you have access to at all, that's where your data is stored. But if you see kind
of in the highlight behind this, there may be a set of chips. There may be 16 chips that are now linked together and virtualized for the amount of space that you need to make up 32 gigs or 64 gigs, and so it's spread across all of those chips. So you don't even know where physically your content is stored. If you want to start trying to break this down, again, reverse engineering is the only way that you're going to be able to try to break down where this content exists, where these tables are and how to reverse them, and what this particular piece of code is doing that's different than everybody else's code. So you're going to have to do it for every single device that you have, to try to understand better and better over time, until somebody is a winner and we only have four manufacturers or something again like we have with hard drives. So when you're dealing with recovery or forensics options and things like that, what can you deal with? Well, this is physically addressing some of the hardware stuff. Because with computers, physically, whenever we're working on a hard drive we're like mechanics. Physically, when I do a data recovery I can move platters. Physically I would need this tool to move multiple platters, because data is stored in a cylinder, which means right on the top of a platter, on the next part of a platter, and so on and so on down through the cylinder. So if I turn the platters, I actually have no way of recovering that data. So you need a special tool like this to actually do a replacement, a platter replacement or even a head replacement in some cases. So again, kind of like a mechanic versus what we're used to dealing with with maybe solid state. Then we also have, we also have head replacements, where you can actually do something physically with the head assembly without moving a platter. This is simple to do in single platters. Simple may be the wrong word. You can do it in about 45 minutes if you know what you're doing. Takes a person who's never tried it before a couple
hours. And we also have PCB board replacements, where we can do them not only live but we can also do them physically to repair stuff, or unsolder a chip and move a chip and get that done. But in a flash disk it's going to be, it's a little simpler, because you can unsolder maybe just one or two chips and move them to another exact device and use this fancy soldering gun, because I bet everybody's got one of those. You just solder your stuff back on. It's kind of hard because some of the legs are obviously pretty small. From that standpoint there's not a lot you can do with them. It's a lot of work, and you usually have to have something like a chip quick or something like that that blows hot air on a chip to remove it. But the hardest part is obviously finding an exact manufacturer, exactly the same way, the exact same chip specifications, the whole thing, so you can have an exact duplicate, a donor to take the chips off of to put them onto, so you can repair and move them on of these memory sticks or some other thing. Yes sir? Basically what you're saying is like image the memory chip instead. There's some complications there. We have done it, actually. John Mushhammer, one of the guys who has actually done a talk at Shmoocon, he and I have basically gone back and forth over some chips, and I set some up, did some things, he did some images as we went back and forth. The hard part was all this virtualization of some of the stuff that's custom that actually the control chip is doing, you don't know the layout of the content. So you don't know where these tables are and what's actually happening. It doesn't represent it like text, like something you would just find strings and you can do something with. So it's not the same and not as easy as it sounds. And if there's multiple chips, you don't know how that content is divided up either from that standpoint.
So there is some more complicated things, but obviously it gets a lot harder when you're dealing with a solid state disk as you will see here in a second. So physically on a solid state disk, you got a couple of simple things that are just like hard drives that you can do. You may actually just have something that's burned out that you can just solder on to the board and physically repair the drive and keep it going. It's not very often. I can tell you that that's a pretty rare event, but it does happen. It happens a lot in hard drives, but not so much in solid state. Then you also have this number of chips that you would basically have to unsolder and resolder. So now it becomes infinitely more complicated than it was before. So getting one or two chips, maybe you can get those right, but it's pretty easy to mess up if you got 20 to do or 15 or something like that. It gets to be, and there's one other complication, which is you still need a donor drive. You still need one that is exactly the same one as the one you have because you're gonna rip it apart so that you can take all these chips and move it to it so you can repair whatever's broken piece by piece. So we've now become less of a mechanic in trying to fix a mechanical problem and more of an electrical engineer and having to have some other skills that we didn't have before. So this makes our job infinitely harder, both for forensics and for data recovery because from a recovery standpoint, I do get drives in from a forensic standpoint to repair, but that's not gonna be so easy here. You may have a lot more reliability because you may have less failure. I don't know that we have a solid state disk around long enough to actually know that yet to know how bad the impact's gonna be, but over time, physically, that's what we're gonna be dealing with is now doing that. So that's pretty much it. 
I just wanna make sure that everybody's clear, at least from a solid state standpoint, the impact it's gonna have from forensics. When you're looking at it, you will actually start to see things that look like they're wiped.