secret war: data security attack and defense of flash memory products

Posted by santillano at 2020-04-02

*The original author of this article: tgfreebuf, a freebuf original award program, is prohibited to reprint without permission

We can often see that the intelligence agencies recover the fragment data from the storage destroyed by terrorists in spy war dramas, and carry out the next capture action accordingly. Of course, that's the plot of the movie. However, with the increasing popularity of flash memory products, the security discussion around its recovery and destruction is also increasing. In this paper, we try to analyze it.

1. Flash data recovery

Currently, common NAND flash data recovery products include


Ace Lab

Soft Center

In this article, we take the pc-3000 series products of ACE lab as an example to explain

1.1 pc-3000 flash recovery is available for single flash chip

First of all, flash and solder (pictures in the article are from pc-3000 support blog unless otherwise specified)

After that, restore on pc-3000 flash

1.2 for SSD, pc-3000 SSD can be used for recovery

In the following, we take an Intel SSD as an example. Because the firmware module of the disk is damaged, the data has been inaccessible. We try to extract the data through the repair operation of establishing the mapping table.

Enter the fix and select Intel

Selection series

Confirm to enter the extended technology mode

Menu select Create mapping table

Setting up the module part when building the mapping table

Establishment and completion

Modify the reading setting (the previous reading method is the technical instruction method. When the mapping relationship is established normally, the reading method should be changed to the mapping table, so as to enter the de extraction data later), and then enter the de extraction data (data extractor, De is a software product used with pc-3000 products. With the de function, users can recover data from SSD and extract electronic evidence)

2. Flash data destruction

Generally speaking, there are two types of data destroyed by flash memory products (here, take the large capacity SSD disk as an example):

One is logical destruction, which only destroys data without damaging physical chips;

Logical destruction can be divided into several categories: one is the rapid removal of data. Generally, the flash data can be erased efficiently after the hardware clears the foot short circuit through the external switch; the other is data coverage and filling, which is relatively time-consuming. There are still some risks in the actual operation of fast cleaning, but in the emergency (such as when the destruction of data is urgently needed in the movie plot), fast cleaning still has its necessity.

Photo source: Genesis official website

Photo source: Genesis official website

The other is physical destruction, that is, physical destruction of the chip, there is no possibility of repair. Methods include: crushing of heavy objects; destruction of chemical solution; blasting destruction; high voltage breakdown of chips, etc.

Yuanke military standard solid state disk - red button high voltage destroys chip, hardware is not available; green button logic destroys, hardware is still available (picture source: Yuanke official website)

3. conclusion

In a movie, if the data is completely destroyed, the story may be another ending, of course, it's just a movie. In reality, the attack and defense of data security is the high-tech competition, which is the competition of attack and defense capabilities at both ends. We can achieve security in the dynamic balance only by constantly focusing on the growth and decline of attack and defense.

*The original author of this article: tgfreebuf, a freebuf original award program, is prohibited to reprint without permission