•  
  •  
 

Prior Publisher

The Association of Digital Forensics, Security and Law (ADFSL)

Abstract

Digital evidence is increasingly relied upon in computer forensic examinations and legal proceedings in the modern courtroom. The primary storage technology used for digital information has remained constant over the last two decades, in the form of the magnetic disc. Consequently, investigative, forensic, and judicial procedures are well-established for magnetic disc storage devices (Carrier, 2005). However, a paradigm shift has taken place in technology storage and complex, transistor-based devices for primary storage are now increasingly common. Most people are aware of the transition from portable magnetic floppy discs to portable USB transistor flash devices, yet the transition from magnetic hard drives to solid-state drives inside modern computers has so far attracted very little attention from the research community. Here we show that it is imprudent and potentially reckless to rely on existing evidence collection processes and procedures, and we demonstrate that conventional assumptions about the behaviour of storage media are no longer valid. In particular, we demonstrate that modern storage devices can operate under their own volition in the absence of computer instructions. Such operations are highly destructive of traditionally recoverable data. This can contaminate evidence; can obfuscate and make validation of digital evidence reports difficult; can complicate the process of live and dead analysis recovery; and can complicate and frustrate the post recovery forensic analysis. Our experimental findings demonstrate that solid-state drives (SSDs) have the capacity to destroy evidence catastrophically under their own volition, in the absence of specific instructions to do so from a computer.

References

Ashcroft, J. (2001). Electronic crime scene investigation: A guide for first responders. Washington: U.S. Department of Justice.

Beeler, B. (2010). Seagate Momentus XT Review. Storage Review, May 24, 2010. http://www.storagereview.com/seagate_momentus_xt_review

Berg, E. C. (2000). Legal ramifications of digital imaging in law enforcement. Forensic Science Communications, 2(4).

Boddington, R., Hobbs, V. J., & Mann, G. (2008). Validating digital evidence for legal argument. Paper presented at the SECAU Security Conferences: The 6th Australian Digital Forensics Conference, Perth, WA.

Caloyannides, M. A. (2001). Computer forensics and privacy. Norwood, Minnesota: Artech House.

Carrier, B. (2005). File system forensic analysis. Upper Saddle River, New Jersey: Addison-Wesley.

Carrier, B., & Spafford, E. H. (2003). Getting physical with the digital investigation process. International Journal of Digital Evidence.

Carlton, G. H., & Worthley, R. (2009). An evaluation of agreement and conflict among computer forensics experts. Proceedings of the 42nd Hawaii International Conference on System Sciences.

Chen, F., Koufaty, D. A., & Zhang, X. (2009). Understanding intrinsic characteristics and system implications of flash memory based solid state drives. In Proceedings of SIGMETRICS '09 (Seattle, WA, USA, June 15 - 19, 2009).

Drossel, G. (2007) Solid-state drives meet military storage security requirements. Military Embedded Systems, White Paper, OpenSystems Publishing, 2007.

Edwards, K. (2005). Ten things about DNA contamination that lawyers should know. Criminal Law Journal, 29(2), 71 - 93.

Ekker, N., Coughlin, T., & Handy, J. (2009). Solid State Storage 101 – An introduction to Solid State Storage, SNIA White Paper, January 2009. http://www.snia.org/apps/group_public/download.php/35796/SSSI%20Wht%20Paper%20Final.pdf

Etter, B. (2001). The forensic challenges of e-crime. Australasian Centre for Policing Research, 3(10), 1-8.

Flusche, K. J. (2001). Computer forensic case study: Espionage, Part 1 Just finding the file is not enough! Information Security Journal, 10(1), 1 - 10.

Ghosh, A. (2004). Guidelines for the management of IT evidence. Paper presented at the APEC Telecommunications and Information Working Group 29th Meeting. From http://unpan1.un.org/intradoc/groups/public/documents/APCITY/UNPAN016411.pdf

Hughes, G. F. (2002, 7 November 2002). Wise drives. Spectrum, 39, 37 - 41.

Janes, S. (2000). The role of technology in computer forensic investigations. Information Security Technical Report, 5(2), 43 - 50.

Kenneally, E. E., & Brown, C. L.T. (2005). Risk sensitive digital evidence collection. Digital Investigation, 2(2), 101 - 119.

Losavio, M., Adams. J., & Rogers, M. (2006). Gap Analysis: Judicial experience and perception of electronic evidence. Journal of Digital Forensic Practice, 1, 13 - 17.

Odagiri, H., Goto, A., Sunami, A., & Nelson, R. R. (2010). Intellectual Property Rights, Development, and Catch Up: An International Comparative Study. Oxford University Press. pp. 224–227. ISBN 0199574758.

Olson, A. R., & Langlois, D. J. (2008) Solid State Drives (SSD) Data Reliability and Lifetime. National Media Lab White Paper April 2008. http://www.imation.com/PageFiles/1189/SSD_Gov_DataReliability_WP.pdf Samsung Electronics. (2010).

Samsung Introduces High-speed 512GB SSD Utilizing New Toggle-mode DDR NAND Memory, Samsung Electronics. Jun 17, 2010. http://www.samsung.com/us/aboutsamsung/news/newsIrRead.do?&news_ctgry=irpublicdisclosure&news_ seq=19483&page=1

Stevens, C. E. (2010). TRIM – DRAT / RZAT clarifications for ATA8-ACS2 (Draft). Working Draft Project American National Standard. http://t13.org/Documents/UploadedDocuments/docs2010/e09158r2-Trim_Clarifications.pdf

Yasinsac, A., Erbacher, R. F., Marks, D. G., Pollitt, M. M., & Sommer, P. M. (2003). Computer forensics education. IEEE Security & Privacy, 1(4), 15 - 23.

Share

COinS
 
 

To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.