Deconstruct and Preserve (DaP): A Method for the Preservation of Digital Evidence on Solid State Drives (SSD)

  • Conference paper
Global Security, Safety and Sustainability - The Security Challenges of the Connected World (ICGS3 2017)

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 630))

Abstract

Imaging SSDs is problematic because TRIM commands and garbage collectors make the SSD behave inconsistently over time. This inconsistency can cause differences between images taken of the SSD. These differences result in mismatched hash values, which would normally be attributed to contamination or spoliation of digital evidence. DaP is a proposed method that ensures all images taken of the SSD are consistent and removes the volatility normally associated with these devices. DaP is not concerned with the recoverability of deleted data; however, it does stabilise the device to prevent unintentional contamination due to garbage collection. Experiments show that the DaP method works on a range of devices and consistently produces hash-identical images. The conclusion is that DaP should be considered as a new Standard Operating Procedure (SOP) when imaging SSDs.
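The hash mismatch between two images of the same SSD can be localised by comparing the acquisitions block by block. The following is an added example, not code from the paper and not the DaP method itself; the function names, the 4096-byte block size and the sample images are constructed, and the "zeroed" label assumes a drive that returns zeros when an erased block is read.

```python
import hashlib
import io

BLOCK = 4096  # assumed comparison granularity, not a value from the paper


def compare_acquisitions(img_a, img_b, block=BLOCK):
    """Stream two images (binary file objects) once, hashing each and
    recording which blocks differ between the first and second image."""
    h_a, h_b = hashlib.sha256(), hashlib.sha256()
    changed = []
    index = 0
    while True:
        a, b = img_a.read(block), img_b.read(block)
        if not a and not b:
            break
        if len(a) != len(b):
            raise ValueError("images differ in length; not the same source")
        h_a.update(a)
        h_b.update(b)
        if a != b:
            # Data replaced by zeros is what a read of an erased block looks
            # like on the assumed drive; any other change is just "modified".
            kind = "zeroed" if b.count(0) == len(b) else "modified"
            changed.append((index, kind))
        index += 1
    return {
        "sha256_first": h_a.hexdigest(),
        "sha256_second": h_b.hexdigest(),
        "match": h_a.digest() == h_b.digest(),
        "blocks_compared": index,
        "changed": changed,
    }


def sample_images():
    """Constructed data: eight blocks; blocks 2 and 5 read back as zeros
    in the second acquisition, as if erased between the two imaging runs."""
    blocks = [bytes([i + 1]) * BLOCK for i in range(8)]
    first = b"".join(blocks)
    blocks[2] = bytes(BLOCK)
    blocks[5] = bytes(BLOCK)
    return first, b"".join(blocks)


if __name__ == "__main__":
    first, second = sample_images()
    report = compare_acquisitions(io.BytesIO(first), io.BytesIO(second))
    print("hashes match:", report["match"])
    for idx, kind in report["changed"]:
        print(f"block {idx} (offset {idx * BLOCK}): {kind}")
```

For real acquisitions, pass two image files opened in binary mode instead of the in-memory samples.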



Corresponding author

Correspondence to I. Mitchell.

Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

Mitchell, I., Anandaraja, T., Hara, S., Hadzhinenov, G., Neilson, D. (2016). Deconstruct and Preserve (DaP): A Method for the Preservation of Digital Evidence on Solid State Drives (SSD). In: Jahankhani, H., et al. Global Security, Safety and Sustainability - The Security Challenges of the Connected World. ICGS3 2017. Communications in Computer and Information Science, vol 630. Springer, Cham. https://doi.org/10.1007/978-3-319-51064-4_1

  • DOI: https://doi.org/10.1007/978-3-319-51064-4_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-51063-7

  • Online ISBN: 978-3-319-51064-4

  • eBook Packages: Computer Science (R0)
