DOCSLIB.ORG

Establishing Professional Guidelines for Ssd Forensics: a Case Study

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Establishing Professional Guidelines for Ssd Forensics: a Case Study ESTABLISHING PROFESSIONAL GUIDELINES FOR SSD FORENSICS: A CASE STUDY JAY JUNICHIRO UCHIYAMA (B.Bus) A thesis submitted to the graduate Faculty of Design and Creative Technologies Auckland University of Technology in partial fulfilment of the requirements for the degree of Master of Forensic Information Technology School of Computer and Mathematical Sciences Auckland, New Zealand 2014 ii Declaration I hereby declare that this submission is my own work and that, to the best of my knowledge and belief, it contains no material previously published or written by another person nor material which, to a substantial extent, has been accepted for the qualification of any other degree or diploma of a University or other institution of higher learning, except where due acknowledgement is made in the acknowledgements. .......................................... Jay Junichiro Uchiyama iii Acknowledgements This thesis was carried out during the year of 2013 at the Faculty of Design and Creative Technologies in the School of Computing and Mathematical Sciences at Auckland University of Technology, New Zealand. Support was received from many people throughout my postgraduate education. It is a pleasure to thank those who made this thesis possible, I would like to acknowledge the significant support and encouragement provided by my family during the course of conducting this research as well as throughout my entire postgraduate study. I owe my deepest gratitude to my supervisor, Prof. Brian Cusack. Without Dr. Cusack’s continuous optimism concerning this project, inspiration, and guidance this thesis would hardly have been completed. I am deeply grateful to my employer PricewaterhouseCoopers and Forensic Services Director, Campbell Mckenzie for always being a motivational influence in all aspects of my study and research. Mr Mckenzie has shared advanced knowledge and commercial insights of digital forensic procedures, and allowed my access to numerous forensic tools. Lastly, I am indebted to many of my colleagues, especially Alain Homewood, Roman Ammann, Craig Calderwood, Shubham Sharma, New Zealand Police Electronic Crime Laboratory Digital Forensic Analysts Mark Simms and Ben Knight who have been supportive and provided inspiration in all manners for my chosen field of study. Also thanks to the proof reader whom has profoundly improved the composition of this thesis. iv Abstract The aim of this thesis is to investigate and examine the present status of solid state drive (SSD) forensics, and to establish a professional guideline for forensic investigators who are required to preserve and recover data stored on SSD in a forensically acceptable manner. In the first part, results of a literature review of computer storage devices, data recovery methods, and forensic guidelines were presented. The literature review determined how SSD is architecturally different from a magnetic hard disk drive (HDD), but existing forensic guidelines and procedures were developed based mainly on HDD technology. SSD is widely accepted by consumers but not well integrated into the forensic guidelines, despite several automated evidence- destruction functions, which were embedded for performance enhancement purposes, have been explicitly discussed by forensic and data recovery experts. The thesis then identifies the gaps amongst well repute forensic guidelines and further outlines the structure of a compound guideline which recognises issues raised by SSD to maximise the chance of data recovery. Specific processes were identified and data recovery rate was measured for testing. In conclusion, the thesis argues that existing forensic techniques and guidelines are incapable of suppressing the SSD’s self-destructive behaviour and alternative method of SSD data preservation must be developed. v Table of Contents Declaration ..............................................................................................................ii Acknowledgements ................................................................................................iii Abstract .................................................................................................................. iv Table of Contents .................................................................................................... v List of Tables........................................................................................................... x List of Figures .......................................................................................................xii Chapter 1 – Introduction 1.0 Establishing the importance of the topic....................................................... 1 1.1 Highlighting a problem in the field of study................................................. 2 1.2 Research focus and objective........................................................................ 3 1.3 Thesis structure ............................................................................................. 4 Chapter 2 – Literature Review 2.0 Introduction................................................................................................... 6 2.1 Hard Disk Drive............................................................................................ 7 2.1.1 HDD Background............................................................................... 8 2.1.2 HDD Mechanism ............................................................................... 9 2.1.3 HDD Components............................................................................ 10 2.1.3.1 Disk platters ..................................................................................... 10 2.1.3.2 Read/write heads .............................................................................. 13 2.1.3.3 Head sliders...................................................................................... 17 2.1.3.4 Head actuator mechanism ................................................................ 18 2.1.3.5 Air filter............................................................................................ 19 2.1.3.6 Spindle motor................................................................................... 22 2.1.3.7 Logic board ...................................................................................... 23 2.1.3.8 Cables and connectors...................................................................... 24 2.1.3.9 Mounting chassis.............................................................................. 25 2.1.3.10 Configuration items.......................................................................... 26 2.2 Solid State Drive......................................................................................... 26 2.2.1 SSD Components ............................................................................. 26 2.2.2 Non-Volatile Flash Memory ............................................................ 27 2.2.3 NAND Array.................................................................................... 28 2.2.4 NAND controller.............................................................................. 30 vi 2.2.4.1 Wear levelling .................................................................................. 32 2.2.4.2 Bad Block Management................................................................... 32 2.2.4.3 Garbage Collection........................................................................... 33 2.3 Data Recovery Methods.............................................................................. 33 2.3.1 Read/Write Process .......................................................................... 33 2.3.2 Data Erasion and Recovery.............................................................. 35 2.3.3 SSD Data Recovery.......................................................................... 38 2.4 Digital Forensics ......................................................................................... 42 2.4.1 Forensic Imaging.............................................................................. 42 2.4.2 Storage Device Preservation ............................................................ 45 2.4.3 Digital Forensic Guidelines.............................................................. 47 2.4.3.1 Scientific Working Group on Digital Evidence (SWGDE) - Best Practices for Computer Forensics .................................................................. 48 2.4.3.2 Association of Chief Police Officers (ACPO) - Good Practice Guide for Computer-Based Electronic ..................................................................... 49 2.4.3.3 National Institute of Justice (NIJ) - Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition....................... 50 2.4.3.4 National Institute of Standards and Technology (NIST) - Guide to Integrating Forensic Techniques into Incident Response .............................. 51 2.4.3.5 SANS (SysAdmin, Audit, Networking, and Security) Institute – Forensic Plan Guide....................................................................................... 52 2.4.3.6 Computer Emergency Response Team (CERT) - First Responders Guide to Computer Forensics ........................................................................ 53 2.5 Conclusion .................................................................................................. 54 Chapter 3 – Research Methodology 3.0 Introduction................................................................................................
Load more

Recommended publications
  • User Guide Laplink® Diskimage™ 7 Professional
    http://www.laplink.com/contact 1 ™ E-mail us at [email protected] Laplink® DiskImage 7 Professional User Guide Tel (USA): +1 (425) 952-6001 Tel (UK): +44 (0) 870-2410-983 Fax (USA): +1 (425) 952-6002 Fax (UK): +44 (0) 870-2410-984 ™ Laplink® DiskImage 7 Professional Laplink Software, Inc. Customer Service/Technical Support: Web: http://www.laplink.com/contact E-mail: [email protected] Tel (USA): +1 (425) 952-6001 Fax (USA): +1 (425) 952-6002 Tel (UK): +44 (0) 870-2410-983 User Guide Fax (UK): +44 (0) 870-2410-984 Laplink Software, Inc. 600 108th Ave. NE, Suite 610 Bellevue, WA 98004 U.S.A. Copyright / Trademark Notice © Copyright 2013 Laplink Software, Inc. All rights reserved. Laplink, the Laplink logo, Connect Your World, and DiskImage are registered trademarks or trademarks of Laplink Software, Inc. in the United States and/or other countries. Other trademarks, product names, company names, and logos are the property of their respective holder(s). UG-DiskImagePro-EN-7 (REV. 5/2013) http://www.laplink.com/contact 2 ™ E-mail us at [email protected] Laplink® DiskImage 7 Professional User Guide Tel (USA): +1 (425) 952-6001 Tel (UK): +44 (0) 870-2410-983 Fax (USA): +1 (425) 952-6002 Fax (UK): +44 (0) 870-2410-984 Contents Installation and Registration System Requirements . 1 Installing Laplink DiskImage . 1 Registration . 2 Introduction to DiskImage Overview of Important Features . 2 Definitions . 3 Start Laplink DiskImage - Two Methods . 4 Windows Start . .4 Bootable CD . .4 DiskImage Tasks One-Click Imaging: Create an Image of the Entire Computer .
    [Show full text]
  • Vis: Virtualization Enhanced Live Forensics Acquisition for Native System
    Vis: Virtualization Enhanced Live Forensics Acquisition for Native System Miao Yu, Zhengwei Qi, Qian Lin, Xianming Zhong, Bingyu Li, Haibing Guan Shanghai Key Laboratory of Scalable Computing and Systems Shanghai Jiao Tong University f superymk, qizhwei, linqian, zhongxianming, justasmallfish, hbguan g @ sjtu.edu.cn Abstract Focusing on obtaining in-memory evidence, current live acquisition efforts either fail to provide accurate native system physical memory acquisition at the given time point or require suspending the machine and altering the execution environment drastically. To address this issue, we propose Vis, a light-weight virtualization approach to provide accurate retrieving of physical memory content while preserving the execution of target native system. Our experimental results indicate that Vis is capable of reliably retrieving an accurate system image. Moreover, Vis accomplishes live acquisition within 97.09∼105.86 seconds, which shows that Vis is much more efficient than previous remote live acquisition tools that take hours and static acquisition that takes days. In average, Vis incurs only 9.62% performance overhead to the target system. Keywords: Vis, Live acquisition, Accuracy, Virtualization 1. Introduction After forensic scopes and medias are determined, a typical computer forensics scenario has three steps: acquisition, analyzing and reporting [47, 9]. Focusing on the stages of acquisition and analyzing, computer forensics pro- poses two key challenges: how to obtain the complete system state and how to analyze the retrieved image effectively [39]. Missing image of memory Preprint submitted to Digital Investigation February 16, 2012 content leads to an incomplete or wrong investigation result, even with an incomparable analyzing technology. Transcending static acquisition strategies, live acquisition extends the information gathering range of forensics examiner, i.e., involving with the volatile data.
    [Show full text]
  • A User Guide for the FRED Family of Forensic Systems Thank You for Your Recent Order
    A User Guide for the FRED Family of Forensic Systems Thank you for your recent order. We hope you like your new FRED! Please do not hesitate to contact us if you have any questions or require any additional information. Although we welcome a phone call anytime, our preferred method of contact is via our website www.digitalintelligence.com . The sales and technical support ticketing system is easy to use and allow us to track all requests and responses. To create your user account click on the User Icon on the top right of the web page banner and click on Sign Up. Here you can register your FRED system as well as track your web order history and support tickets. Please note your system serial number is the unique identifier for your system. It is helpful if you use the system serial number in your correspondence. If you have a sales related question or technical support issue, simply navigate to www.digitalintelligence.com/support A searchable knowledge base, links to other help or informational topics as well as a “Open A Ticket” button link can be found near the bottom of the page. We want to remind you, regardless of your warranty status, we will always be willing to assist with any technical questions you have regarding any Digital Intelligence product. *** Read me first *** Forensic Recovery of Evidence Device This document contains important information about the configuration and operation of your FRED system. FAILURE TO FOLLOW THESE GUIDELINES MAY RESULT IN PHYSICAL DAMAGE TO YOUR EQUIPMENT WHICH IS NOT COVERED UNDER WARRANTY.
    [Show full text]
  • Artificial Intelligence System Introduction to the Smallt Alk-80 System
    USERS Part No. 070-5606-00 TEK MANUAL Product Group 07 4404 ARTIFICIAL INTELLIGENCE SYSTEM INTRODUCTION TO THE SMALLT ALK-80 SYSTEM Please Check at the Rear of this Manual for NOTES and CHANGE INFORMA TION First Printing DEC 1984 Revised AUG 1985 COIIWITTED 10 EXCEL.l.ENCE Copyright © 1985 by Tektronix, Inc., Beaverton, Oregon. Printed in the United States of America. All rights reserved. Contents of this publication may not be reproduced in any form without permission of Tektronix, Inc. TEKTRONIX is a registered trademark of Tektronix, Inc. Smalltalk-80 is a trademark of Xerox Corp. MANUAL REVISION STATUS PRODUCT: 4404 Artificial Intelligence System Smalltalk-80 System This manual supports the following versions of this product: Version T2.1.2 REV DATE DESCRIPTION DEC 1984 Original Issue AUG 1985 Addition of NOTES Section 4404 Smalltalk-80 System User's CONTENTS INTRODUCTION .......................................................................................................... 1 About This Manual ................................................................................................... 1 The 4404 Artificial Intelligence System Documentation .......... ....... ....... ......... .......... 2 The Smalltalk-80 System Reference Books ............................................................... 3 A SMALLTALK-80 SYSTEM OVERVIEW ................................................................ 4 What is The Smalltalk-80 System? ............................................................................ 4 The User Interface: Mouse,
    [Show full text]
  • A Single System Image Java Operating System for Sensor Networks
    A SINGLE SYSTEM IMAGE JAVA OPERATING SYSTEM FOR SENSOR NETWORKS Emin Gun Sirer Rimon Barr John C. Bicket Daniel S. Dantas Computer Science Department Cornell University Ithaca, NY 14853 {egs, barr, bicket, ddantas}@cs.cornell.edu Abstract In this paper we describe the design and implementation of a distributed operating system for sensor net- works. The goal of our system is to extend total system lifetime through power-aware adaptation for sensor networking applications. Our system achieves this goal by providing a single system image of a unified Java virtual machine to applications over an ad hoc collection of heterogeneous sensors. It automatically and transparently partitions applications into components and dynamically finds a placement of these components on nodes within the sensor network to reduce energy consumption and increase system longevity. This paper describes the design and implementation of our system and examines the question of where and when to mi- grate components in a sensor network. We evaluate two practical, power-aware, general-purpose algorithms for object placement, as well as an adaptive scheme for deciding the time granularity of object migration. We demonstrate that our algorithms can increase sensor network longevity by a factor of four to five by effec- tively distributing energy consumption and avoiding hotspots. 1. Introduction able to components at each node, in particular the available power and bandwidth may change over Sensor networks simultaneously promise a radi- time and necessitate the relocation of application cally new class of applications and pose signifi- components. Further, event sources that are being cant challenges for application development.
    [Show full text]
  • Overview of Digital Forensics
    Overview of Digital Forensics Cybersecurity Digital Forensics Cyberincidents are fast moving and increasing in number and severity. When a cyberincident occurs, the attacked enterprise responds with a set of predetermined actions. Applying digital forensics to aid in the recovery and investigation of material on digital media and networks is one of these actions. Digital forensics is the “process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable in any legal proceedings (i.e., a court of law).” The purpose of this white paper is to provide an overview of digital forensics as it applies to cybersecurity. www.isaca.org/cyber Overview of Digital Forensics Cybersecurity Digital Forensics Cyberincidents are fast moving and increasing in BRIEF HISTORY OF DIGITAL FORENSICS number and severity. When a cyberincident occurs, Digital forensics is nearly 40 years old, beginning in the late the attacked enterprise responds with a set of 1970s as a response to a demand for service from the law predetermined actions. Applying digital forensics to enforcement community (see figure ).1 Most of the first aid in the recovery and investigation of material on criminal cases that involved computers were for financial digital media and networks is one of these actions. fraud.2 In the 1980s, digital forensics training courses were Digital forensics is the “process of identifying, developed by organizations such as the Association of preserving, analyzing and presenting digital evidence Certified Fraud Examiners, the National Consortium for in a manner that is legally acceptable in any legal Justice Information and Statistics, and the High Technology proceedings (i.e., a court of law).”1 The purpose of Crime Investigation Association (HTCIA); the first digital this white paper is to provide an overview of digital forensics company, Access Data, was formed; and the forensics as it applies to cybersecurity.
    [Show full text]
  • O&O Diskimage 16: GDPR-Compliant Data Backup for Businesses and IT
    Press Release January 27, 2021 - For immediate release O&O DiskImage 16: GDPR-compliant data backup for businesses and IT Service Providers Berlin, January 27, 2021 Data backup is vital for every enterprise. When data is lost, it’s not just customers and business data that disappears, commercial relationships can suffer long term damage as well, and this means serious trouble for the business itself. There is enormous pressure on current IT staff to make sure business operations are kept running constantly. O&O DiskImage can backup entire systems as well as individual drives and files while a computer is in operation. The backup can be made in the local network on a server or any other storage device such as a NAS or an external USB. In the process, data can be encrypted in accordance with GDPR requirements. The use of O&O DiskImage will never involve sharing information with servers belonging to any unauthorized third parties. O&O DiskImage 16 with its own recovery partition The new O&O DiskImage 16 now saves the recovery environment on the computer itself, so that in the event of system failure the system can be started directly from there. - including, of course, the last system image. Thanks to the integration into the system, the O&O DiskImage RecoveryPartition can be accessed immediately so that the last system image can be restored directly. If the Windows operating system does not start or faulty drivers must be uninstalled, with the integrated recovery environment, all O&O tools are available to get the system up and running again as easily as possible.
    [Show full text]
  • Providing a Shared File System in the Hare POSIX Multikernel Charles
    Providing a Shared File System in the Hare POSIX Multikernel by Charles Gruenwald III Submitted to the Department of Electrical Engineering and Computer Science in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Computer Science at the MASSACHUSETTS INSTITUTE OF TECHNOLOGY June 2014 c Massachusetts Institute of Technology 2014. All rights reserved. Author.............................................................. Department of Electrical Engineering and Computer Science May 21, 2014 Certified by. Frans Kaashoek Professor Thesis Supervisor Certified by. Nickolai Zeldovich Associate Professor Thesis Supervisor Accepted by . Leslie Kolodziejski Chairman, Department Committee on Graduate Theses 2 Providing a Shared File System in the Hare POSIX Multikernel by Charles Gruenwald III Submitted to the Department of Electrical Engineering and Computer Science on May 21, 2014, in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Computer Science Abstract Hare is a new multikernel operating system that provides a single system image for multicore processors without cache coherence. Hare allows applications on different cores to share files, directories, file descriptors, sockets, and processes. The main challenge in designing Hare is to support shared abstractions faithfully enough to run applications that run on traditional shared-memory operating systems with few modifications, and to do so while scaling with an increasing number of cores. To achieve this goal, Hare must support shared abstractions (e.g., file descriptors shared between processes) that appear consistent to processes running on any core, but without relying on hardware cache coherence between cores. Moreover, Hare must implement these abstractions in a way that scales (e.g., sharded directories across servers to allow concurrent operations in that directory).
    [Show full text]
  • Kong-Quan-Mcsc-CSCI-August-2014.Pdf (988.7Kb)
    SCALABLE REAL-TIME OLAP SYSTEMS FOR THE CLOUD by Quan Kong Submitted in partial fulfillment of the requirements for the degree of Master of Computer Science at Dalhousie University Halifax, Nova Scotia August 2014 c Copyright by Quan Kong, 2014 Table of Contents List of Tables ................................... v List of Figures .................................. vi Abstract ...................................... x List of Abbreviations Used .......................... xi Acknowledgements ............................... xii Chapter 1 Introduction .......................... 1 1.1Contributions............................... 6 1.2Structureofthethesis.......................... 11 Chapter 2 Background: Data Management on the Cloud ..... 12 2.1DataStoreCategorization........................ 12 2.1.1 OLAPStores........................... 13 2.1.2 Key-valueStores......................... 16 2.1.3 DocumentStores......................... 17 2.1.4 Extensible Record Stores ..................... 18 2.2OLAP................................... 19 2.2.1 DimensionHierarchy....................... 21 2.3DataStructuresforOLAP........................ 22 2.3.1 RTree............................... 23 2.3.2 DCTree.............................. 25 2.3.3 PDCTree............................. 28 Chapter 3 Background: Cloud Computing .............. 31 3.1 Cloud Computing ............................. 31 3.1.1 Characteristics.......................... 33 3.1.2 Servicemodels.......................... 34 ii 3.2CommunicationintheCloud....................... 37 3.3SerializationintheCloud.......................
    [Show full text]
  • Course Syllabus
    Distributed and Operating Systems Spring 2013 Prashant Shenoy UMass Computer Science http://lass.cs.umass.edu/~shenoy/courses/677 Computer Science CS677: Distributed OS Lecture 1, page 1 Course Syllabus • CMPSCI 677: Distributed and Operating Systems • Instructor: Prashant Shenoy – Email: [email protected], Phone: (413) 577 0850 – Office hours: Monday 10:20-11:30, CS 336, or by appt • Teaching Asst: Manjunath Narayana – Email: [email protected], Phone: TBD – Office hours: TBD • Course web page: http://lass.cs.umass.edu/~shenoy/courses/677 Computer Science CS677: Distributed OS Lecture 1, page 2 Course Outline • Introduction (today) – What, why, why not? – Basics • Distributed Architectures • Interprocess Communication – RPCs, RMI, message- and stream-oriented communication • Processes and their scheduling – Thread/process scheduling, code/process migration, virtualization • Naming and location management – Entities, addresses, access points Computer Science CS677: Distributed OS Lecture 1, page 3 Course Outline • Canonical problems and solutions – Mutual exclusion, leader election, clock synchronization, … • Resource sharing, replication and consistency – DFS, consistency issues, caching and replication • Fault-tolerance • Security in distributed Systems • Distributed middleware • Advanced topics: web, cloud computing, green computing, multimedia, and mobile systems Computer Science CS677: Distributed OS Lecture 1, page 4 Misc. Course Details • Textbook: Distributed Systems, 2nd ed, by Tannenbaum and Van Steen, Prentice Hall 2007 (recommended) • Grading – 4-5 Homeworks (15%), 3-4 programming assignments (40%) – 1 mid-term and 1 final (40%), class participation + quizzes (5%) • Course mailing list: cs677 @ cs.umass.edu – Spire will automatically add you to this list. • Pre-requisites – Undergrad course in operating systems – Good programming skills in a high-level prog.
    [Show full text]
  • AOMEI® Backupper User Manual User Manual AOMEI Backupper
    AOMEI® Backupper User Manual User Manual AOMEI Backupper Table of Contents 1 Getting Started..............................................................................................................1 1.1 Overview of AOMEI Backupper.............................................................................1 1.2 System Requirements and Supported Operating/File Systems.......................1 1.3 Install and Uninstall AOMEI Backupper............................................................... 2 2 Backup........................................................................................................................... 3 2.1 Files and Folders Backup.......................................................................................3 2.2 System Backup........................................................................................................ 4 2.3 Disk Backup..............................................................................................................5 2.4 Partition and Volume Backup.................................................................................6 2.5 Schedule Backup.....................................................................................................7 2.6 Backup (to) Network Attached Storage (NAS).................................................. 11 2.7 Backup to Cloud Clients....................................................................................... 12 2.8 Backup Management...........................................................................................
    [Show full text]
  • O&O Diskimage 15: Data Backups for Companies
    Press Release March 04, 2020 - For immediate release O&O DiskImage 15: Data Backups for Companies – Made in Germany Berlin, March 04, 2020 Data backups are vital for every company. If data is lost, not only is customer or business data lost but also business relationships are tested and there can be lasting damage to the company. The demands on today's IT employees to ensure that the company operates as uninterrupted as possible are immense. With the latest version, O&O DiskImage offers the right solution for backing up and restoring company PCs and servers. O&O DiskImage actively protects against data loss and downtime, is scalable and helps to save costs and time. O&O DiskImage supports all Windows versions O&O DiskImage15 Server is fully integrated into the current Microsoft operating system Windows Server 2019, but still supports older versions from Windows 2008 onwards. The Server Edition can also be used on all Windows desktop versions from Windows 7 up to Windows 10. The new version has been optimized in particular for low processor and memory usage on older systems, so that the backup of old hardware can be carried out without any additional extensions or changes. Machine independent restore always available The advantage of having a system image lies, above all, in being able to restore the working environment within a very short period of time, including all its programs, settings, and operating system. Restoring the image onto a new computer would normally not work on account of the different hardware. Thanks, however, to the integration of MIR (Machine Independent Restoration), it’s even possible to restore an image onto a computer where the image was not created.
    [Show full text]