A New Hope: The One Last Chance to Save Your SSD Data

Conference:  BlackHat EU 2020



The presentation discusses the analysis and restoration of overwritten data on SSDs affected by ransomware attacks.
  • SSDs have hardware-based security encoders that encrypt data to ensure confidentiality.
  • Overwrite-type ransomware can make it impossible to recover encrypted data.
  • Old FPL restoration can be used to recover overwritten data by restoring the physical route of the data.
  • The presentation provides a step-by-step guide on how to restore overwritten data using old FPL restoration.
  • The work will be expanded to cover other SSD vendors and NVMe types.
  • Further study on the relation between the French translation layer and security is needed.
The presentation demonstrated a simple demo of overwritten data restoration on a test file. The file was first encrypted by ransomware, and the plain text and encrypted data were shown. The RPM value of the file was changed after the ransomware overwrote the same API. The old FPL restoration was then used to restore the file's previous data by replacing the current FPM with the old APN. The file was then read again, and the previous data was decrypted properly.


There are some reasons why vendors keep their details of controller and flash chip information confidential. One of the reasons is that their unique management techniques are deployed differently, that is relevant to SSD capacity and speed, such as TRIM, Garbage Collection, and Wear Leveling are preserved code on flash. Despite these techniques being used by vendors, we show that SSD do not erase all the stored physical data because it might wear lifespan sooner.We figured out that SSD still leaves sensitive data when overwritten to the same logical block, so they do not overwrite to fixed physical block, they only grab other empty physical block and write over that, so they leave the erased data. For these analyses, we perform extract the Nand chip data with only internal controller PBA manipulation because logical block address cannot be used anymore in normal. In the case of SSD used to crypto engine built into the SSD's controller encrypt every block data stored on the flash memory, we recover old LPN which used before erased/overwritten to be decrypted naturally in the controller.As a practical case, we study how to recover data after a Ransomware attack even if prior L2P table's value has changed with new one. We also analyze that feasibility to recover data depending on the number of overwrites on same physical block.