2. Digital Forensics is the scientific process
and analysis of electronic data/devices as
evidence for use in a court of law.
3. Roles of digital devices in a crime
Contraband material
- Selling a company computer
- Illegal downloads
Tool for the crime
- Modifying a company balance sheet
Incidental to the crime
- Drug dealer storing his buyers/sellers on a phone
6. Acquisition - Traditional hard drives
[Diagram: Suspect Drive, Write Blocker, Your System, Your Forensic Drive; caption: Imaging a drive]
7. Authentication
[Diagram: Suspect Drive and Your Forensic Drive; caption: Matching md5 hash]
8. SSD
• SSD are masked by the SSD Controller to look like a
traditional hard drive
[Diagram: SSD with SATA + Power, Controller, and two Flash Memory blocks]
9. SSD
• SSD are masked by the SSD Controller to look like a
traditional hard drive
• Unreliable 1's and 0's
o All "not in use" blocks must be erased before being
used again
[Diagram labels: 0, New data, Old Data, 1]
10. SSD
• SSD are masked by the SSD Controller to look like a
traditional hard drive
• Unreliable 1's and 0's
o All "not in use" blocks must be erased before being
used again
• Garbage Collection - background process
11. Problems with SSD
Once the power is connected to the SSD, the
garbage collection process physically begins
to erase blocks marked as "not in use".
14. Authentication
[Diagram: Suspect Drive and Your Forensic Drive; caption: Different md5 hash]
15. Problems with SSD
Once the power is connected to the SSD, the
garbage collection process physically begins
to erase blocks marked as "not in use".
• Different md5 hashes
• Evidence that the suspect tried to delete
may be removed because of garbage
collection
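
Added example (not part of the original slides): a simulation of the acquisition and authentication steps above, showing the md5 match at imaging time and the mismatch after "not in use" blocks are erased on the source. The 8-block file standing in for the suspect drive, the block size, the zero-fill used to represent erasure, and all function names are constructed for illustration.

```python
import hashlib
import os
import tempfile

BLOCK = 4096  # constructed block size for this simulation


def md5_of(path, chunk=1 << 20):
    """Stream a file (or device node) through MD5 without loading it whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(chunk), b""):
            h.update(buf)
    return h.hexdigest()


def acquire(source, image, chunk=1 << 20):
    """Copy source to image, hashing the bytes exactly as they are read."""
    h = hashlib.md5()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for buf in iter(lambda: src.read(chunk), b""):
            h.update(buf)
            dst.write(buf)
    return h.hexdigest()


def simulate_garbage_collection(path, unused_blocks):
    """Stand-in for the SSD controller erasing blocks marked "not in use"."""
    with open(path, "r+b") as f:
        for n in unused_blocks:
            f.seek(n * BLOCK)
            f.write(b"\x00" * BLOCK)  # constructed: zero-fill represents erasure


def demo():
    with tempfile.TemporaryDirectory() as d:
        suspect = os.path.join(d, "suspect.bin")
        image = os.path.join(d, "forensic.img")
        with open(suspect, "wb") as f:  # constructed 8-block "suspect drive"
            for n in range(8):
                f.write(bytes([n + 1]) * BLOCK)
        acquired = acquire(suspect, image)
        matches_before = acquired == md5_of(image) == md5_of(suspect)
        simulate_garbage_collection(suspect, unused_blocks=[5, 6])
        matches_after = md5_of(suspect) == acquired  # source changed on its own
        image_intact = md5_of(image) == acquired     # the image still verifies
        return matches_before, matches_after, image_intact


if __name__ == "__main__":
    print(demo())
```

The image keeps verifying against the hash recorded during acquisition, which is why that hash is recorded at read time rather than by re-hashing the source later.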