Establishing Professional Guidelines for Ssd Forensics: a Case Study
JAY JUNICHIRO UCHIYAMA (B.Bus)

A thesis submitted to the graduate Faculty of Design and Creative Technologies, Auckland University of Technology, in partial fulfilment of the requirements for the degree of Master of Forensic Information Technology.

School of Computer and Mathematical Sciences
Auckland, New Zealand
2014

Declaration

I hereby declare that this submission is my own work and that, to the best of my knowledge and belief, it contains no material previously published or written by another person, nor material which, to a substantial extent, has been accepted for the qualification of any other degree or diploma of a University or other institution of higher learning, except where due acknowledgement is made in the acknowledgements.

Jay Junichiro Uchiyama

Acknowledgements

This thesis was carried out during the year of 2013 at the Faculty of Design and Creative Technologies in the School of Computing and Mathematical Sciences at Auckland University of Technology, New Zealand. Support was received from many people throughout my postgraduate education. It is a pleasure to thank those who made this thesis possible. I would like to acknowledge the significant support and encouragement provided by my family during the course of conducting this research, as well as throughout my entire postgraduate study. I owe my deepest gratitude to my supervisor, Prof. Brian Cusack. Without Dr. Cusack's continuous optimism concerning this project, inspiration, and guidance, this thesis would hardly have been completed. I am deeply grateful to my employer PricewaterhouseCoopers and Forensic Services Director, Campbell Mckenzie, for always being a motivational influence in all aspects of my study and research. Mr Mckenzie has shared advanced knowledge and commercial insights of digital forensic procedures, and allowed me access to numerous forensic tools.
Lastly, I am indebted to many of my colleagues, especially Alain Homewood, Roman Ammann, Craig Calderwood, Shubham Sharma, and New Zealand Police Electronic Crime Laboratory Digital Forensic Analysts Mark Simms and Ben Knight, who have been supportive and provided inspiration in all manners for my chosen field of study. Also thanks to the proof reader, who has profoundly improved the composition of this thesis.

Abstract

The aim of this thesis is to investigate and examine the present status of solid state drive (SSD) forensics, and to establish a professional guideline for forensic investigators who are required to preserve and recover data stored on SSDs in a forensically acceptable manner. In the first part, the results of a literature review of computer storage devices, data recovery methods, and forensic guidelines are presented. The literature review determined how an SSD is architecturally different from a magnetic hard disk drive (HDD), whereas existing forensic guidelines and procedures were developed based mainly on HDD technology. SSDs are widely accepted by consumers but are not well integrated into the forensic guidelines, even though several automated evidence-destruction functions, embedded for performance enhancement purposes, have been explicitly discussed by forensic and data recovery experts. The thesis then identifies the gaps amongst well-reputed forensic guidelines and outlines the structure of a compound guideline which recognises the issues raised by SSDs, in order to maximise the chance of data recovery. Specific processes were identified and the data recovery rate was measured for testing. In conclusion, the thesis argues that existing forensic techniques and guidelines are incapable of suppressing an SSD's self-destructive behaviour, and that an alternative method of SSD data preservation must be developed.
Table of Contents

Declaration (p. ii)
Acknowledgements (p. iii)
Abstract (p. iv)
Table of Contents (p. v)
List of Tables (p. x)
List of Figures (p. xii)

Chapter 1 – Introduction
  1.0 Establishing the importance of the topic (p. 1)
  1.1 Highlighting a problem in the field of study (p. 2)
  1.2 Research focus and objective (p. 3)
  1.3 Thesis structure (p. 4)

Chapter 2 – Literature Review
  2.0 Introduction (p. 6)
  2.1 Hard Disk Drive (p. 7)
    2.1.1 HDD Background (p. 8)
    2.1.2 HDD Mechanism (p. 9)
    2.1.3 HDD Components (p. 10)
      2.1.3.1 Disk platters (p. 10)
      2.1.3.2 Read/write heads (p. 13)
      2.1.3.3 Head sliders (p. 17)
      2.1.3.4 Head actuator mechanism (p. 18)
      2.1.3.5 Air filter (p. 19)
      2.1.3.6 Spindle motor (p. 22)
      2.1.3.7 Logic board (p. 23)
      2.1.3.8 Cables and connectors (p. 24)
      2.1.3.9 Mounting chassis (p. 25)
      2.1.3.10 Configuration items (p. 26)
  2.2 Solid State Drive (p. 26)
    2.2.1 SSD Components (p. 26)
    2.2.2 Non-Volatile Flash Memory (p. 27)
    2.2.3 NAND Array (p. 28)
    2.2.4 NAND controller (p. 30)
      2.2.4.1 Wear levelling (p. 32)
      2.2.4.2 Bad Block Management (p. 32)
      2.2.4.3 Garbage Collection (p. 33)
  2.3 Data Recovery Methods (p. 33)
    2.3.1 Read/Write Process (p. 33)
    2.3.2 Data Erasion and Recovery (p. 35)
    2.3.3 SSD Data Recovery (p. 38)
  2.4 Digital Forensics (p. 42)
    2.4.1 Forensic Imaging (p. 42)
    2.4.2 Storage Device Preservation (p. 45)
    2.4.3 Digital Forensic Guidelines (p. 47)
      2.4.3.1 Scientific Working Group on Digital Evidence (SWGDE) - Best Practices for Computer Forensics (p. 48)
      2.4.3.2 Association of Chief Police Officers (ACPO) - Good Practice Guide for Computer-Based Electronic (p. 49)
      2.4.3.3 National Institute of Justice (NIJ) - Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition (p. 50)
      2.4.3.4 National Institute of Standards and Technology (NIST) - Guide to Integrating Forensic Techniques into Incident Response (p. 51)
      2.4.3.5 SANS (SysAdmin, Audit, Networking, and Security) Institute – Forensic Plan Guide (p. 52)
      2.4.3.6 Computer Emergency Response Team (CERT) - First Responders Guide to Computer Forensics (p. 53)
  2.5 Conclusion (p. 54)

Chapter 3 – Research Methodology
  3.0 Introduction