Scanning Stations
Once chips are connected so that external devices can read them, Flashback brings in its house-built systems for reading the data. The systems are fairly simple, except that they contain Flashback’s special imagers, which let techs jump around to different sectors, control time-outs, and so forth. If something is reading more slowly than normal, the imager can force drives to jump to the next good sectors and keep going in order to get the most data possible as quickly as possible.
“We can go forward and backward and jump around,” says Chozick. “We can tell it to just scan the MFT of the drive and only image the allocated data instead of trying to get free space, so we can do the job very quickly. Sometimes, you’re fighting against a device still in the process of failing, and sometimes you’ve got a client who just needs one or two things back with absolute haste.”
Stock It—It’s A Socket
In order to connect flash chips to its reading systems, Flashback employs a startling range of chip mountings. Highlighted here are one type of adapter used to read TSOP48 chips as well as a TLGA reader. Within the adapters, each of the socket pins touches one of the pins on the memory chip. The adapter screws into an underlying board with data contacts for connecting with the TSOP socket. The lower board, in turn, features a USB interface for linking into the scanning station systems.
Data Spaghetti
Remember the memory chip pulled off that HTC phone? Here it is again, partially wired up for reading. Flashback had these PCBs custom made for this exact use. They hook up to a USB device programmer. The holes in each corner help secure the chip to an underlying board. With the TSOP adapter shown on the prior page, each of the socket pins touches one of the pins on the memory chip. But in this “spaghetti” shot, all of the chip pads are exposed so that techs can solder right onto them instead of requiring a socket. Since there are so many monoliths and pin-outs, Flashback needs to wire to specific data points and solder directly to the chip.
This is an 8-bit chip, as evidenced by there being eight wires connected to the PCB. If this had been a 16-bit product, there would be twice as many wires.
Reading For Hours
Wiring up monolith chips follows much the same “spaghetti” approach as seen on the last page. Different devices require different wiring, but the idea stays the same, with each lead connecting to a distinct feature. The lead on the top-right, for example, is 3.3 V power. Examining this process, you begin to appreciate how time-intensive simply extracting data from chips can be.
Welcome To The Jumble
Let’s take a look at what recovery techs have to work with. What you see here are the contents of a raw data dump of an SSD’s master boot record. The data is jumbled up by the algorithms the controller applies when optimizing read and write speeds, wear leveling, and so on.
“Once we’ve read in the chips,” says Chozick, “we simply have a pile of raw data. In this example, the flash memory chip has a 528-byte sector. The first 512 bytes are used for the data. The last 16 bytes are used to store information about what order the data is in and error correction information. We call this the service area. So, when we first look at a flash dump in hex[adecimal code], we need to find known data structures to see how the data is mixed up.”
This and the following page show examples of known data structures in hex.
FAT Under The Microscope
Shown here are a FAT16 file system and a boot sector.
“The MBR is usually sector 0,” says Chozick. “Now, it’s not going to be 0 in the flash dump, but we can at least find where that is and determine the known structure of data. We know where it is, how far it is from the boot sector, and so on. You can see it in the next image. It’s like evidence gathering. We find the MBR, the boot sector, the FAT. Now we can look at these known structures and figure out how to put everything back together.”
Chozick notes that sometimes techs can’t find any of these structures, usually because of some algorithm applied to the device. Some algorithms will invert all of the data bits. If that approach is discovered, techs know to invert it back. Some algorithms will join everything by a single byte instead of a whole sector, so every byte will be on a different flash chip. This necessitates rejoining the data by byte rather than by whole sector. Some algorithms will use ciphers, which makes things, understandably, even harder. For a process driven by computer, recovery often proves very manual.
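The structure hunt described above can be sketched in a few lines. This is an added example, not Flashback's tooling: it walks a raw dump in 528-byte pages, ignores the 16-byte service area, and looks for an MBR or FAT16 boot sector both as stored and with every bit inverted. The function names and the sample dump are constructed for illustration.

```python
PAGE, DATA = 528, 512   # layout quoted above: 512 data bytes + 16 service bytes

def data_areas(dump):
    """Yield (page_index, 512-byte data area) for every whole page in a dump."""
    for off in range(0, len(dump) - PAGE + 1, PAGE):
        yield off // PAGE, dump[off:off + DATA]

def invert(buf):
    """Undo a controller that stores every bit flipped."""
    return bytes(b ^ 0xFF for b in buf)

def classify(sector):
    """Return 'FAT16 boot sector', 'MBR' or None for one 512-byte sector."""
    if sector[510:512] != b"\x55\xaa":          # shared end-of-sector signature
        return None
    if sector[0] in (0xEB, 0xE9) and sector[54:59] == b"FAT16":
        return "FAT16 boot sector"
    entries = [sector[446 + 16 * i: 462 + 16 * i] for i in range(4)]
    flags_ok = all(e[0] in (0x00, 0x80) for e in entries)
    if flags_ok and any(e[4] != 0 for e in entries):   # e[4] = partition type
        return "MBR"
    return None

def find_structures(dump):
    """Scan a raw dump as-is and bit-inverted; list (page, kind, inverted)."""
    hits = []
    for idx, sector in data_areas(dump):
        for inverted, view in ((False, sector), (True, invert(sector))):
            kind = classify(view)
            if kind:
                hits.append((idx, kind, inverted))
    return hits

def sample_dump():
    """Constructed 8-page dump: erased pages, an MBR at page 3, boot sector at 5."""
    mbr = bytearray(DATA)
    mbr[446], mbr[450] = 0x80, 0x06              # active partition, type FAT16
    mbr[510:512] = b"\x55\xaa"
    boot = bytearray(DATA)
    boot[0:3], boot[54:62], boot[510:512] = b"\xeb\x3c\x90", b"FAT16   ", b"\x55\xaa"
    spare = b"\xa5" * (PAGE - DATA)              # placeholder service bytes
    erased = b"\xff" * DATA
    body = {3: bytes(mbr), 5: bytes(boot)}
    return b"".join(body.get(i, erased) + spare for i in range(8))

if __name__ == "__main__":
    print(find_structures(sample_dump()))
    print(find_structures(invert(sample_dump())))
```

A hit with the inverted flag set on every structure is the cue that the whole dump needs inverting before any further reassembly.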
Come Back Together
Let’s take a closer look at the sector data in a case wherein information is scattered across multiple memory chips. You can see what the first part of each sector looks like.
Hex numbers are supposed to run in this order: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 1A, 1B, 1C, and so on. On flash chip #1, though, you can see that the hex order is broken twice. First, there’s a jump from 09 to 0E, then there’s another four-sector gap between 11 and 16. What happened to the corresponding data? The answer sits waiting on flash chip #2.
Back In Order
Technicians need to rejoin these separated 2112 bytes (528 bytes per sector * 4). When joined, the result will look as you see it here.
Now imagine if there are 64 flash dumps that have to be combined! Why 64? Because a single chip might not have only one dump. Some could have four—one for each bank within the chip. So take the 16 flash chips you might find on an SSD, multiply by four, and that’s 64 dumps to put back together.
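The rejoin described above, as an added example that is not Flashback's own code: it interleaves per-chip dumps four 528-byte sectors at a time, then drops each sector's 16-byte service area to leave a continuous data stream. It generalizes from two dumps to any number, and assumes the chip order is known and the striping starts at the beginning of each dump; all names and the sample dumps are constructed.

```python
PAGE, DATA = 528, 512      # 512 data bytes followed by a 16-byte service area
STRIPE = 4                 # sectors written to one chip before moving to the next

def split_pages(dump):
    """Cut one chip dump into 528-byte pages, rejecting a truncated read."""
    if len(dump) % PAGE:
        raise ValueError("dump is not a whole number of 528-byte pages")
    return [dump[i:i + PAGE] for i in range(0, len(dump), PAGE)]

def rejoin(dumps, stripe=STRIPE):
    """Interleave per-chip dumps (given in chip order) into logical page order."""
    chips = [split_pages(d) for d in dumps]
    if len({len(c) for c in chips}) != 1 or len(chips[0]) % stripe:
        raise ValueError("dumps must be equal length and a whole number of stripes")
    ordered = []
    for start in range(0, len(chips[0]), stripe):
        for chip in chips:                     # chip 1's group, then chip 2's, ...
            ordered.extend(chip[start:start + stripe])
    return ordered

def strip_service(pages):
    """Keep only the 512-byte data area of each page."""
    return b"".join(p[:DATA] for p in pages)

def make_page(n):
    """Constructed page: data area filled with the sector number, dummy spare."""
    return bytes([n]) * DATA + b"\xee" * (PAGE - DATA)

def demo():
    """Two constructed chip dumps holding 16 sectors striped 4 at a time."""
    chip1 = b"".join(make_page(n) for n in [0, 1, 2, 3, 8, 9, 10, 11])
    chip2 = b"".join(make_page(n) for n in [4, 5, 6, 7, 12, 13, 14, 15])
    stream = strip_service(rejoin([chip1, chip2]))
    # Report the first byte of each recovered 512-byte sector.
    return [stream[i] for i in range(0, len(stream), DATA)]

if __name__ == "__main__":
    print(demo())
```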
Before And After
It can be difficult to visualize what all of these byte-level gyrations mean at the macro level. An empty cell on a spreadsheet (or a corrupt file, for that matter) doesn't quite capture it.
Flashback supplied this image to illustrate the concept. Some examples will still have their header and part of their data intact, so they may look close, but they could be jumbled up or render as half-pictures with gobs of noise all over them.
Starting with an originally corrupted JPEG, technicians applied ECC correction and block translation to order data and remove bit errors that were handled by the controller. They also reordered and removed the service area from the reassembled data so as to have a clean, continuous data stream.
The End Result
After hours of manipulation and repair, even using algorithms that help automate some of the data restitching, Flashback technicians finally have information that looks like files and folders. Everything is back in order. The burning question remains, though, as to whether the data is sound and in its original form.
In part, such things can be checked by file headers. SD cards and similar media tend to contain a lot of images, and those are pretty easy to check visually for errors. ECC errors in specific files are fairly easy to spot. Other data types can be harder. Utilities can tell technicians, based on the file header, whether they think a file is sound, but they may not flag a bad sector that would be plainly visible to an observer.
“With most customers, we try to be pretty hands-on,” says Chozick. “We ask them what they’re looking for and test files for them if they ask us to. If it ends up being something where we can’t recover the directory structure, we might just have to do it by file header. This is like a raw recovery where we won’t get file names anymore. We’ll pull off data and sometimes get people more than they thought they had, because we might also get deleted information. Sometimes we might find the FAT table is completely damaged, and then we’ll have to do this sort of raw-type recovery.”