Chip-Off Forensics

    Chip-off forensics utilizes flash memory chips on devices. Flash memory is non-volatile memory that does not require power to retain data and “can be electrically erased and reprogrammed” (Breeuwsma et al.). This type of memory has many benefits such as “being shock resistant, being small enough for transportation of data to be hardly noticeable, its low power consumption, excellent response rates when it comes to random access time, the non-volatility of the medium and its low cost” (Sansurooah). Flash memory is broken down into two types: NOR and NAND. NOR flash “supports a fast random access speed, but at a very high cost”, while “NAND flash, which is newer and cheaper, [has] the advantage that it carries a larger storage capacity and achieves decent, if not high, execution for large read/write operations” (Sansurooah).

​

    NAND flash memory can be further broken down into Raw and Managed NAND. The flash memory chips within mobile devices explored in this research are under the Managed NAND category. This means that “the FTL (flash translation layer) logic and relative functions are embedded in the NAND” (Fiorillo). The flash translation layer is a mechanism responsible for logical block mapping, wear levelling, garbage collection, and write amplification (Buckel). This is key for the NAND chips.

​

    In regards to the structure of NAND flash memory, it is “divided up into equal-sized units, known as “pages”. A page is the smallest unit of information that can be read from or written to memory, analogous to a sector on a hard disk drive platter” (Murphy). To dive deeper, “flash pages are further comprised of usable area and spare area. The usable area is where user data is stored and the spare area is used for flash metadata. The metadata will contain information regarding the page number, which erase block the page belongs, and will be used to map the physical location of the data back to the logical structures of the flash transition layer” (Regan). With all this information included, “chunks of sequential pages are grouped together into “blocks” (Murphy).

​

    When blocks are erased, they begin to deteriorate, and thus “NAND flash memory blocks have precious few program-erase cycles” (Murphy and Breeuwsma et al.). Specifically, “blocks can be erased between 104 and 106 times before bits in this block start to become inerasable (stay ‘0’). Such a block is then called a ‘bad block’” (Breeuwsma et al.). Wear leveling has been implemented to combat this with the intent “that spreading the wear, caused by erasing a block, as much as possible over the whole capacity of the flash memory will increase the overall lifetime of the memory” (Breeuwsma et al.). With this in place, “new data written to an LBA is practically never stored to the same physical location. Rather, the new data is written wherever the firmware sees fit and the Flash Translation Layer (FTL) is updated with the new physical location” (Murphy). Thus, any “previous data, data overwritten at the LBA level, say by a reformatting event or by writing zeros over all the data on the card, remains in the NAND flash array for an indeterminate amount of time” (Murphy). The amount of time is dependent primarily on the prevalence of garbage collection (Murphy). Due to this scenario, which Cindy Murphy calls “flash memory amnesia”, “data in the invalid blocks or dead pages can store information of interest for the forensic analyst and should be acquired before [garbage collection can] take place” (Murphy and Fiorillo). This can be accomplished using chip-off forensics, by removing and reading NAND flash memory chips.