Forensic Data Analysis
Write an essay on the topic “Challenges of Forensic Data Acquisition on Solid-State Storage Media”.
Introduction
Until recently, solid-state storage media and their TRIM, self-corrosion and garbage collection behaviour were little explored and poorly understood, while compression and encryption in SSD controllers were relatively uncommon. However, the situation has changed since 2014. Many cases have involved SSD drives, and considerable statistical data has been gathered from them (Kind, Tobias 2009). Much is now known about the exclusions from SSD self-corrosion that allow forensic specialists to obtain more information from SSD drives.
Forensic Data Analysis
Forensic Data Analysis (FDA) is a branch of digital forensics that examines structured data in connection with financial crime incidents. FDA is performed with the objective of analysing fraudulent activities (Odagiri, et al., 2010).
Structured Data
Data taken directly from application systems or from their databases is called structured data.
Unstructured Data
Data taken from mobile devices, office applications or communications is called unstructured data (Odagiri, et al., 2010). Unstructured data has no overarching structure, so analysing it involves applying keywords and mapping communication patterns. The analysis of unstructured data is called computer forensics.
Solid State Drives
Solid-state drives, also called solid-state storage, are a kind of non-volatile computer storage. They store and retrieve information using electronic circuits, with no mechanical parts involved (Kind, Tobias 2009). This is completely different from traditional electromechanical storage, which records data on rotating or linearly moving media coated with magnetic material.
Solid-state storage devices store information in electrically programmable non-volatile flash memory, though some of these devices make use of battery-backed volatile RAM. Solid-state storage operates much faster than traditional electromechanical storage, since there are no moving mechanical parts. It satisfies the requirements of many appliance and computer system applications (Kind, Tobias 2009), so it comes in several kinds, storage sizes, form factors and interfacing options.
The arrival of solid-state drives has dramatically changed the principles of computer forensics. Forensic acquisition of a computer equipped with SSD storage is quite different from the way PCs with traditional magnetic media were acquired (Odagiri, et al., 2010). Instead of a highly probable and predictable recovery of the information that the suspect attempted to destroy, the investigator enters the muddy waters of stochastic forensics, where nothing can be taken as given.
Stochastic Forensics
The way today's SSD drives operate leaves very little room for optimistic assumptions. With an SSD drive, the only safe assumption is that a forensic investigator can attempt to access the information that currently exists and is stored on the disk. When the suspect attempts to destroy data by formatting the disk, even with a Quick format, the data is lost forever in just a few minutes. In addition, powering the computer off after the Quick format has completed does not help: the data can hardly be recovered from the disk, even if the system is powered on again immediately (Odagiri, et al., 2010). The situation resembles Schrödinger's cat: it is never known whether the cat is alive until the box is opened.
Challenges of FDA on SSD
Solid-state drives (SSDs) pose many challenges to digital forensics specialists. Forensic acquisition of computers equipped with SSD storage differs considerably from traditional hard drive acquisition. Instead of a predictable, straightforward recovery of evidence, SSD drives place the investigator in the waters of stochastic forensics, where nothing can be assumed. Unfortunately, common wisdom has been limited by the misconception that deleted evidence cannot be extracted from TRIM-enabled SSD drives because of the background garbage collection operation (Kind, Tobias 2009).
Another major disadvantage of SSDs is that they are comparatively expensive. A further challenge is that they suffer from a phenomenon called write amplification.
Write Amplification
Write amplification is an undesirable phenomenon associated with solid-state drives: the amount of data physically written is a multiple of the logical amount that was intended to be written (Hu, et al., 2009). This multiplication increases the total number of writes performed over the SSD's life. It shortens the overall life of the SSD and makes its operation less reliable as time passes. Over time the SSD may become ineffective and may not function as intended, and it may then not be useful for forensic data analysis after a compromise or hacking incident. Its reliable operating life becomes shorter than that of conventional, traditional storage media.
There are many challenges and exceptions, and sometimes the exceptions become rules themselves. TRIM is not engaged in most RAID environments, or on SSD drives that are attached externally through a USB enclosure or connected through a FireWire port. TRIM also does not work with a NAS. TRIM is not supported by older versions of Windows. TRIM is usually engaged with the NTFS file system, but not with other kinds of file systems (Kind, Tobias 2009). There are specific considerations for encrypted volumes stored on SSD drives, because the handling of TRIM commands for them is implemented in several different ways. Further challenges arise for slack space, which has acquired a new meaning where SSDs are concerned, and for data stored in NTFS MFT attributes.
Different SSD drives handle reads after TRIM in different ways. Another challenge for SSD drives and storage is malware, which greatly affects the recoverability of evidence. However, in cases of data corruption the TRIM command is not issued, and consequently no garbage collection occurs. For example, this challenge would be severe if the partition tables or the boot sectors are physically wiped. Self-encrypting SSD drives need a completely different approach, and SSD drives that use compressing controllers cannot practically be imaged with off-chip acquisition hardware (Odagiri, et al., 2010). Researchers are actively working on many such areas in which evidence may still be recovered from today's TRIM-enabled SSD drives.
Garbage Collection
Data is written in units of pages, each made up of many cells, but memory is erased in units of blocks, which are larger and made up of multiple pages. If the data in some pages of a block is no longer needed, those pages are called stale pages. Only the pages in the block that still hold good data are read and rewritten into another, previously erased, empty block. The pages freed by not moving the stale data are then available for new data. This entire process is called garbage collection, or GC (Hu, et al., 2009). All SSDs perform garbage collection, but they differ in when and how fast the process is performed. It accounts for a large part of the SSD's write amplification.
By 2012, almost all SSD drives were equipped with background garbage collection technology and recognised the TRIM command, and the situation had not changed in 2014.
SSD Self-Corrosion
The operating principle of SSD media is quite different from, and in fact opposite to, that of the traditional storage that is flash-based. An SSD allows access to the information that exists, such as the files and folders stored on the disk. Data that the suspect has attempted to destroy is deleted permanently and lost forever in a matter of a few minutes. If the system is powered off after the destruction attempt and then powered back on, the SSD drive continues wiping its content and clears all of it by itself, even if it has been installed in a write-blocking imaging device. Once the self-destruction process has started, there is no way to recover the data and restore it to its original state. There is one exception: where the evidence is extremely important, the disk, accompanied by a court order, could possibly be sent back to the manufacturer for hardware-specific, low-level recovery.
The self-destruction of evidence can be triggered by the TRIM command, which the operating system issues to the SSD controller when the user deletes a file, deletes a partition or formats the disk. TRIM can be completely integrated with partition-level and volume-level commands (Kind, Tobias 2009). This includes both deleting and formatting a partition. It also includes the file system commands responsible for compressing and truncating data, and operations such as System Restore or volume snapshots.
The destruction process can be triggered only by the TRIM command, and only the operating system can issue it. However, in several cases the TRIM command is not issued. There are certain challenges in these exclusions, which help investigators better understand the situations in which deleted data can still be recovered from the SSD drive. The analysis can be performed only while the SSD is installed in the computer, which is done during live box analysis (Hu, et al., 2009). If the SSD drive is moved to another system, the results produced by commands such as TRIM are not relevant to the affected system.
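The garbage collection, write amplification and TRIM behaviour described in the sections above can be reproduced with a small simulation. The following Python sketch is an added example, not code from any SSD vendor or from the cited sources: `TinySSD`, its greedy victim selection, the 16-block by 8-page geometry and the sample file names are all constructed assumptions.

```python
import random

class TinySSD:
    """Constructed toy model of a page-mapped SSD; not any vendor's controller."""
    def __init__(self, blocks=16, ppb=8):
        self.ppb = ppb                      # pages per erase block
        self.flash = [[None] * ppb for _ in range(blocks)]  # page = (lba, data) or None
        self.map = {}                       # logical block address -> (block, page)
        self.free = list(range(1, blocks))  # fully erased blocks
        self.active, self.wp = 0, 0         # block being filled, next page in it
        self.host_writes = self.flash_writes = 0

    def _valid(self, b):                    # pages the mapping table still points at
        return [pg for p, pg in enumerate(self.flash[b])
                if pg and self.map.get(pg[0]) == (b, p)]
    def _program(self, lba, data):
        if self.wp == self.ppb:             # active block full, open an erased one
            self.active, self.wp = self.free.pop(), 0
        self.flash[self.active][self.wp] = (lba, data)
        self.map[lba] = (self.active, self.wp)  # any older copy is now stale
        self.wp += 1
        self.flash_writes += 1
    def write(self, lba, data):
        self.host_writes += 1
        self._program(lba, data)
        while len(self.free) < 2:           # running low on erased blocks
            self.gc()
    def gc(self):
        closed = [b for b in range(len(self.flash))
                  if b != self.active and b not in self.free]
        victim = min(closed, key=lambda b: len(self._valid(b)))
        for lba, data in self._valid(victim):
            self._program(lba, data)        # relocation is the write amplification
        self.flash[victim] = [None] * self.ppb  # erase wipes stale pages for good
        self.free.append(victim)
    def trim(self, lba):
        self.map.pop(lba, None)             # page becomes stale; GC will not copy it
    def raw_scan(self, data):               # what a chip-level read could still find
        return any(pg and pg[1] == data for blk in self.flash for pg in blk)

def demo(seed=1, overwrites=2000):
    rng, ssd = random.Random(seed), TinySSD()
    for lba in range(96):                   # 96 logical pages on 128 physical pages
        ssd.write(lba, f"file-{lba}")
    ssd.trim(7)                             # LBA 7 deleted with TRIM, LBA 8 without it
    before = ssd.raw_scan("file-7")
    for i in range(overwrites):             # ordinary activity on the other LBAs
        ssd.write(rng.choice([l for l in range(96) if l not in (7, 8)]), f"new-{i}")
    return {"trimmed_before_gc": before, "trimmed_after_gc": ssd.raw_scan("file-7"),
            "untrimmed_after_gc": ssd.raw_scan("file-8"),
            "write_amplification": ssd.flash_writes / ssd.host_writes}
```

In this model the trimmed page is still present in raw flash immediately after TRIM and is gone once garbage collection has erased its block, while the page deleted without TRIM keeps being relocated and survives.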
Conclusion
Solid-state drives are also called solid-state storage. They are non-volatile memory. They are similar to traditional electromagnetic memory devices in the purpose they serve, but differ in that no mechanical parts or movements are involved. Write amplification is a drawback of SSDs that eventually becomes a challenge for forensic data analysis. In addition to write amplification, there are other challenges associated with self-corrosion and garbage collection. These challenges must be overcome to make forensic data analysis more viable and to achieve its objective, the recovery of information, rather than the destruction of information by the suspect.
References
Bagley, Jim. Over-provisioning: a winning strategy or a retreat?. StorageStrategies, 2009.
Burke, Barry. 1.040: efd – what’s in a name? The Storage Anarchist, 2009.
Drossel, Gary. Methodologies for Calculating SSD Useable Life. Storage Developer Conference, 2009.
Drossel, Gary. Solid-state drives meet military storage security requirements. Military Embedded Systems, 2007.
Geoff Gasior. SSD prices in steady, substantial decline: A look at the cost of the current generation. The Tech Report, 2012.
Hu, Eleftheriou, Haas, Iliadis, and Pletka. Write Amplification Analysis in Flash-Based Solid State Drives. IBM. CiteSeerX, 2009.
Jansen, Ng. Micron Announces World’s First Native 6Gbps SATA Solid State Drive. DailyTech, 2009.
Kind, Tobias. RAMDISK Benchmarks. Davis: University of California, 2009.
Lucas Mearian. SSD prices plummet again, close in on HDDs: Computerworld, 2016.
Odagiri, Hiroyuki, Goto, Akira, Sunami, Atsushi, Nelson, Richard. Intellectual Property Rights, Development, and Catch Up: An International Comparative Study. Oxford University Press, 2010.
Ruth, Gene. SSD: Dump the hard disk form factor. Burton Group, 2010.
Smith, Kent. Benchmarking SSDs: The Devil is in the Preconditioning Details. SandForce, 2009.
Thatcher, Jonatha. NAND Flash Solid State Storage Performance and Capability – an In-depth Look. SNIA, 2009.
Vamsee Kasavajhala. SSD vs HDD Price and Performance Study, a Dell technical white paper. Dell PowerVault Technical Marketing, 2011.
Waurzyniak, Patrick. Battery-Powered Mass Storage System Offered. InfoWorld Media Group, 1986.
Whittaker, Zack. Solid-state disk prices falling, still more costly than hard disks: Between the Lines. ZDNet.