148 research outputs found

    Solid State Drive: New Challenge for Forensic Investigation

    There has been a tremendous increase in the usage of electronic devices day by day. With the increase in usage of electronic devices, technology keeps on emerging. Due to the emergence of new technologies, there has always been scope for hackers to cash in on the available loopholes, which has resulted in a hefty increase in cyber crimes. Consequently, the number of investigations that require digital forensic expertise has been resulting in huge evidence backlogs for law enforcement agencies all over the world. It is anticipated that the number of cases that require digital forensics is likely to increase in future. The primary storage technology used for digital information has remained constant over the last two decades in the form of the magnetic disc. For decades, hard drives have dominated the market due to their cost and capacity. However, things are being developed and manufactured to be faster and smaller, but few changes have turned out to be truly technologically revolutionary. Solid state drives, familiarly known as SSDs, have crept up on us as they arrive under cover of the previously known technology. This paper demonstrated that the assumptions about the behavior of storage media are no longer valid, and how modern storage devices will operate under their own volition without any computer instructions. These operations are highly destructive of traditionally recoverable data. This would contaminate evidence, can make validation of digital evidence reports difficult, can complicate the process of live and dead analysis recovery, and can also complicate and frustrate post-recovery forensic analysis. This paper compared the key evidence identified in an HDD and an SSD and discussed the key features that make SSDs self-destructive and cause difficulties for forensic investigations.

    Forensic Research on Solid State Drives using Trim Analysis

    There has been a tremendous change in the way we store data over the past decade. Hard Disk Drives, which were one of the major sources of storing data, are being replaced with Solid State Drives considering the higher efficiency and portability. Digital forensics has been very successful in recovering data from Hard Disk Drives in the past couple of years and has been very well established with Hard Disk Drives. The evolution of Solid State Drives over Hard Disk Drives is posing a lot of challenges to digital forensics, as there are many crucial factors to be considered in the architecture and the way data is stored in Solid State Drives. This paper gives a very detailed picture of the evolution of Solid State Drives over Hard Disk Drives. We understand the differences in their architecture and the ways to extract data from them. We further discuss in detail the various challenges Solid State Drives pose to the field of digital forensics, and we try to answer two contradictory beliefs: 1) Would data be permanently deleted in a Solid State Drive, destroying the forensic evidence required to solve a case? 2) Can data be restored in a Solid State Drive by using proper techniques and still be used as evidence in digital forensics? In this paper, we introduce concepts such as the TRIM command and garbage collection and their importance, and we set up an experimental scenario where we implement the TRIM command and try extracting data from different types of Solid State Drives. We compare and evaluate the results obtained through the experiment and try to analyze the uses of the TRIM command and its performance over various Solid State Drives. The paper also discusses future work to make the role of Solid State Drives more efficient in digital forensics.

    Analyzing the Trimming Activity of Solid-State Drives in Digital Forensics

    The primary source for storing digital information has remained constant for the last two decades, in the form of magnetic disks. However, a sudden shift has taken place in data storage technology in recent years, where transistor-based devices are being used as primary storage devices for storing complex data. There are many reasons why manufacturers are shifting their platform from magnetic disks to solid state drives, which use transistor chips, and this change is creating problems for forensic investigators examining digital evidence. Deleted information can be easily retrieved from hard disks by following specific guidelines, whereas in solid state drives it is almost impossible to retrieve the lost data when the TRIM command is enabled. SSDs can sometimes sanitize data all by themselves even if they are not connected to any interface. This paper gives an overview of hard disks and solid-state drives for data recovery and mainly focuses on the functioning of the TRIM command in solid state drives.

    Forensic Aspects of Various Flash Memory Devices

    Flash memory devices provide high storage volume with low power consumption and faster read-write operations when compared to HDDs. This makes flash memory devices an efficient storage unit, bringing huge demand for their use. One of the major problems faced by forensic investigators is extracting deleted data from flash memory devices, as some flash memory devices prevent extraction of deleted data using standard forensic techniques. This paper focuses on exploring forensic opportunities for various flash-based memory devices. This is done by a thorough study of the physics of flash memory, the development of flash transition layers, and the file systems that support these devices. It then conducts forensic experiments on various types of flash-based storage media and summarizes the results for each medium. This paper also tries to explore various practices to be applied to flash storage media, thus enabling the retrieval of deleted information with the use of standard forensic techniques.

    Forensic acquisition of file systems with parallel processing of digital artifacts to generate an early case assessment report

    The way human beings interact and carry out routine tasks has changed over recent decades, and a long list of activities is now only possible with the use of information technology; among these are the acquisition of goods and services, business management and operations, and communications. These transformations are also visible in other, less legitimate activities, allowing crimes to be committed through digital means. Broadly speaking, forensic investigators search for evidence of criminal actions carried out by means of digital devices in order, finally, to try to identify the perpetrators, the level of damage caused and the story behind what made the crime possible. In essence, this activity must follow strict standards to ensure that evidence is admissible in court, but the greater the number of new artifacts and the greater the volume of storage devices available, the longer the time needed between the identification of a suspect's device and the moment the investigator begins to navigate the sea of information held on the device. This research aims to bring forward some stages of the EDRM by using the parallel processing available in current processing units (CPUs) to translate multiple forensic artifacts of the Windows 10 operating system and generate a report with the most crucial information about the acquired device. This allows an early case assessment (ECA) while a full disk acquisition is in progress, thereby causing minimal impact on the overall acquisition time.

    Highly efficient pulsed electromechanical and electromagnetic devices for destroying information on digital storage media

    It is shown that the most promising way to mechanically destroy digital information storage is to use a pulsed electromechanical and magnetic device and method. Highly efficient autonomous electromechanical and electromagnetic pulse devices for the destruction of information on digital storage devices are designed. The aim of the paper is the development of designs and advanced technical solutions for highly efficient pulsed electromechanical and magnetic systems of information protection. The excitation source of the inductor is a capacitive energy storage. Destruction may be carried out with the computer running or turned off, within a very short period of time after a signal of unauthorized access. The task can only be accomplished using mathematical modeling of electromagnetic and mechanical processes, experimental research and the development of new technical solutions. These devices, with limited weight and overall dimensions, excite powerful mechanical or magnetic pulses. Electromechanical devices of the induction-dynamic type, devices with accumulation of mechanical energy, and combined-action devices using induction-dynamic, electrodynamic and electromagnetic forces are considered. Designs are proposed for devices intended to destroy information on USB flash drives and solid state drives (SSDs). A design is proposed for a pulsed magnetic-mechanical device in which the destruction of information is carried out by mechanical and magnetic pulses simultaneously. Based on the work performed, a classification of devices for destroying information on digital drives is proposed.

    Assessment of Waste Recording Media with the Data Security Approach

    This study aims to assess, in terms of data security, devices that contain recording media in their structures after they become waste. Based on the characteristics of the era we are in, today's people are living in a largely technology-focused way. Computers, smartphones, tablets, the internet, etc. are now at the center of almost all activities as indispensable parts of life. The most important characteristic of today's technology is that it renews, improves and changes itself in a very short time. This situation means increasingly shortened usage lifespans of technology-based devices. Both the storage capacities of the devices and the fact that activities are carried out mostly over these devices mean that a significant amount of information is collected and stored on the devices in question. Considering the usage times of devices, this situation leads to serious concerns in terms of data security. The fact that permanently deleting data is a highly complicated process that requires technical knowledge is the main reason for these concerns. The operation of data wiping, which mostly exceeds the technical knowledge of users, is another field of data management which is at least as important as data storage. This approach is valid for every situation and for data on every medium. Assessing data on waste recording media in particular in this context is highly important in terms of privacy and security.

    Assessment of Waste Recording Media with the Data Security Approach

    This study aims to assess, in terms of data security, devices that contain recording media in their structures after they become waste. Owing to the characteristics of the era we are in, today's people live in a largely technology-focused way. Computers, smartphones, tablets, the internet, etc. are now at the center of almost all activities as indispensable parts of life. The most important characteristic of today's technology is that it renews, improves and changes itself in a very short time. This causes the usage lifespans of technology-based devices to grow shorter with each passing day. Both the storage capacities of the devices and the fact that activities are mostly carried out over these devices mean that a significant amount of information is collected and stored on the devices in question. Considering the usage times of devices, this situation leads to serious concerns in terms of data security. The main reason for these concerns is that permanently deleting data is a highly complicated process that requires technical knowledge. Data wiping, which in most cases exceeds the technical knowledge of users, is another field of data management that is at least as important as data storage. This approach is valid for every situation and for data on every medium. Assessing data on waste recording media in particular in this context is extremely important in terms of privacy and security.

    Automating Disk Image Redaction

    In order to comply with best preservation and curation practices, collecting institutions must ensure that private and sensitive information contained in born-digital materials has been properly redacted before the materials are made available. Institutions receiving donor media in the form of hard disks, USB flash drives, compact disks, floppy disks, and even entire computers, are increasingly creating bit-identical copies called disk images. Redacting data from within a disk image currently is a manual, time-consuming task. In this project, I demonstrate the feasibility of automating disk image redaction using open-source, forensic software. I discuss the problems encountered when redacting disk images using automated methods and ways to improve future disk image redaction tools. Master of Science in Information Science

    Electronic waste in Ontario: Case study of a primary processing facility

    Electronic waste (e-waste) is one of the fastest expanding, and valuable waste streams due to its content of precious, critical, and base metals. E-waste is comprised of electronic devices operated below 10,000 volts that have reached their end of useful life. While global production and consumption of electronic goods is increasing, in Ontario the electronic waste treatment program has reported decreasing collection under the provincial regulation. This raises questions of efficacy and function of the collection system and the electronic waste primary processors within Ontario. This research employed both qualitative and quantitative methods to analyze material flows through an Ontario e-waste primary processor. Annual data for inputs and outputs provided three years of facility data from 2016 to 2018. At a more granular level, two days of material flow accounting were conducted at the primary processor, resulting in a single average “model day” of operation for the summer season. For this daily operation, the facility processed 25.3 Mg of input products, producing 23.3 Mg of outputs, the remaining 2 Mg entering facility stock. The main inputs for the primary processor were printers and peripheral devices, refurbishable flatscreen displays, cathode ray tube (CRT) televisions, small household appliances and complete desktop computers. The main outputs were leaded-glass from CRT, sorted shredded plastics, various pure and mixed copper-bearing materials, refurbished goods like flatscreen displays, clean shredded steel and clean shredded aluminum. For the facility, the daily operations’ map of material flow describes the processes used to extract and sort materials, the relative flows of materials, the processing capacity of a single day, and provides a base for the representation of a day of sales. The resulting model of sales is presented and indicates the high comparative value of refurbished items to bulk shredded materials. 
The annual data indicates that, while CRT displays are both being displaced in the economy and sold or traded by the primary processor, for flat-screen displays, substantial outputs of low to negative value materials are still produced from the CRT processing on site. These materials include leaded glass, thin-film plastics, and low-quality black plastics. From 2016 to 2018, the composition of inputs indicated that CRT displays fell from 30% to 18%, printers and peripheral devices fell from 28% to 24%, flatscreen displays rose from 4% to 10%, and printed circuit board and computer components increased from 2.5% to 6%. The output composition regarding the desired processed material changed considerably as well, with steel increasing from 20% to 31%, copper falling from 18% to 10%, and glass remaining somewhat stable at 14% to 18%. Results indicate that the primary processor is adapting to shifts in e-waste streams as electronic product composition changes. The processor is implementing new technologies to shred and sort large quantities of material, and making changes including downsizing printer cartridge refurbishment capacity, the installation of a flat-screen display shredder, and an expanded shredding line, with enough processing capacity to replace personnel and therefore reduce operating costs. More broadly, the adaptations at the primary processor are a reaction to the 2020 regulation changes that are expected to significantly increase inputs to the facility. The implementation of an extended producer responsibility regulatory system in 2020 is the cause of the expected increase in material flow at primary processors, and investments at such firms. This is through stricter reporting and a broadened categorization of e-waste in Ontario. 
The 2002 – 2016 regulatory implementation had serious issues regarding private industry self-governance and competition, and a restricted scope on e-waste categories resulting in falling overall collection of e-waste covered under that program from 2013 to 2018. This research provides a case study of the primary processor entity in Ontario, situating it in a regulatory atmosphere that is in the process of major systematic change. This work provides knowledge that will aid in the understanding of the future of e-waste in Ontario as regulations change. It provides a point of reference for future work to indicate changes in processing methods, the targeting of materials and products at the firm, and the quantity and categories of materials processed at the primary processor entity