DaP∀: Deconstruct and Preserve for All: A Procedure for the Preservation of Digital Evidence on Solid State Drives and Traditional Storage Media

Abstract

Human error is often a cause of contamination of potential digital evidence and can jeopardise an entire case. One of the biggest problems is the data acquisition stage, which requires the Digital Forensic Analyst to make bit-for-bit copies of the seized device. This procedure, despite the use of write-blockers, can go wrong. The proposed Deconstruct and Preserve for All (DaP∀) procedure aims to mitigate the risk involved in exposing any data to these procedures and ensures that third parties get an exact match; the process works on SSDs, GPT-formatted devices, and other traditional formats, e.g. HDD. The results show that a GPT-formatted, TRIM-enabled SSD imaged multiple times produces matching hashes on verification. With these results, it is proposed that DaP∀ should be considered as a Standard Operating Procedure (SOP) when completing data acquisition.

Notes

  1. Depending on the operating system, the drive should be unmounted, e.g. Kali in Forensic mode.

  2. Include HDD, Flash drives, SSD and similar storage devices.

Author information

Correspondence to Ian Mitchell.

Copyright information

© 2018 Springer Nature Switzerland AG

About this chapter

Cite this chapter

Mitchell, I., Ferriera, J., Anandaraja, T., Hara, S. (2018). DaP∀: Deconstruct and Preserve for All: A Procedure for the Preservation of Digital Evidence on Solid State Drives and Traditional Storage Media. In: Jahankhani, H. (eds) Cyber Criminology. Advanced Sciences and Technologies for Security Applications. Springer, Cham. https://doi.org/10.1007/978-3-319-97181-0_13

  • DOI: https://doi.org/10.1007/978-3-319-97181-0_13

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-97180-3

  • Online ISBN: 978-3-319-97181-0

  • eBook Packages: Law and Criminology (R0)
