Sunday, May 6, 2018

Digital Forensics: Forensic Acquisition Of Solid State Drives

Digital Forensics: Forensic Acquisition Of Solid State Drives With Open Source Tools, by Josué Ferreira

Abstract

From a judicial perspective, the integrity of volatile storage devices has always been a reason for great concern and therefore, it is important for a method to forensically acquire data from Solid State Drives (SSD) to be developed. The method in this paper presents a way to preserve potential volatile digital evidence present on SSDs and to produce forensically sound bit-stream copies. Due to the volatile nature of SSDs, Digital Forensic Analysts are often faced with the challenge of preserving the integrity of digital evidence seized from a crime scene. This paper proposes a method to perform forensic data acquisition from SSDs while preventing the TRIM function and/or garbage collection from operating without user input, therefore maintaining the integrity of potential digital evidence. The results show the method can and will prevent any unintentional changes to the disk’s user-generated data and unallocated data from happening before and after the forensic acquisition stage.


1. Introduction

The field of computer forensics has been in need of a method to perform forensic data acquisition from Solid State Drives for a long time. For about a decade, due to the lack of standardised operating procedures on how to image SSDs and judicial scepticism over volatile data found on a suspect’s device [1], potential digital evidence has been either lost or dismissed as inadmissible in court. According to R. S. Ieong [2] “when the underlying technology of the target device changes, new procedures are required.” This paper, based on empirical research, presents a new procedure for digital forensic analysts to handle SSDs without risking compromising the integrity of the device, and to create forensically sound bit-stream copies of SSDs using open source tools.


1.1. Contribution

This work contributes to the field of digital forensic investigation by proving that it is possible to forensically acquire data from a Solid State Drive (SSD)* while preserving the volatile data that would otherwise, using current data acquisition methods, be lost. Current forensic acquisition methods, such as verifying individual files, were developed to image non-volatile storage devices and as a result, when applied to SSDs, can lead to loss of potential digital evidence and inconsistencies during the verification stage. This paper provides a straightforward method to preserve and image SSDs in a forensically sound manner using a write-blocker, Forensic Live CDs and open source tools. It is hoped that this paper will, first, bring new knowledge; second, a new perspective on how to perform data acquisition on volatile devices such as SSDs; and lastly, bring hope to the fields of computer forensics and law enforcement.
TRIM
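The bit-stream copy and integrity verification that the abstract and the contribution section describe, as an added example that is neither the paper's procedure nor its tooling: a POSIX shell script (assuming GNU coreutils: dd, sha256sum, cut, mktemp) that images a constructed sample "device" with dd, hashes the source before and after imaging, compares both digests with the image's digest, and inspects a /proc/mounts-style line for the discard option so that a Live CD mount that would issue TRIM is flagged. The function names (hash_source, acquire_image, verify_acquisition, mount_issues_trim) and the sample mount lines are my own. Firmware-side garbage collection runs inside the drive's controller and is not visible to a host-side check like this, so the script covers only the host-initiated TRIM side of what the paper sets out to prevent; the hash comparison is what shows whether the evidence changed while it was read.

```shell
#!/bin/sh
# Added example, not code from the paper: bit-stream acquisition with a
# pre-/post-imaging hash comparison, plus a check that a mount would not
# issue TRIM (discard). Assumes POSIX sh with GNU coreutils (dd, sha256sum,
# cut, mktemp). The "evidence device" is a constructed file, not a real SSD;
# in a real case the source would sit behind a hardware write-blocker.

# SHA-256 of a file or block device, hex digest only.
hash_source() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# Bit-stream copy. conv=noerror keeps reading past bad sectors and sync pads
# each short read with zeros so the image stays block-aligned; a real
# acquisition would log every such error. bs is a multiple of 512, so a
# whole block device copies without any padding.
acquire_image() {
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
}

# Acquire and verify: the source hash taken before imaging must equal the one
# taken after (the evidence did not change while it was read), and the image
# hash must equal both (the copy is bit-for-bit). Prints the three digests as
# an acquisition record and returns 0 only if all three agree.
verify_acquisition() {
    src="$1"; img="$2"
    pre=$(hash_source "$src")
    acquire_image "$src" "$img"
    post=$(hash_source "$src")
    imghash=$(hash_source "$img")
    printf 'pre=%s\npost=%s\nimage=%s\n' "$pre" "$post" "$imghash"
    [ "$pre" = "$post" ] && [ "$pre" = "$imghash" ]
}

# Returns 0 if a /proc/mounts-style line (device mountpoint fstype options ...)
# carries the discard option, i.e. the kernel would send TRIM commands to that
# filesystem. A Forensic Live CD should mount evidence without it or, better,
# not mount it at all and image the raw device through the write-blocker.
mount_issues_trim() {
    set -- $1
    case ",$4," in
        *,discard,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on a constructed 32 KiB "device" filled with random bytes.
demo() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/evidence.raw" bs=4096 count=8 2>/dev/null
    if verify_acquisition "$work/evidence.raw" "$work/evidence.dd"; then
        echo "acquisition verified: source unchanged, image bit-for-bit"
    else
        echo "HASH MISMATCH: image is not forensically sound" >&2
    fi
    # Constructed mount line, as it would appear in /proc/mounts on a Live CD.
    if mount_issues_trim "/dev/sda1 /mnt/evidence ext4 ro,relatime,discard 0 0"; then
        echo "WARNING: mount carries discard; TRIM would be issued" >&2
    fi
    rm -rf "$work"
}

demo
```

Record the three digests with the case notes: the pre/post pair is the evidence that the source was not altered during imaging, and the image digest is what later verification of the copy is checked against.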



Note: The content on this website is provided for informational and educational purposes only.

* If any of the information is in error, we apologize. Please notify the Admin so it can be corrected.
Thank you.

#WindowsForensic #ComputerForensics #dfir #forensics #digitalforensics #computerforensic #investigation #cybercrime #fraud
