Digital Forensics
      SSDs
Digital Forensics is the scientific process
 and analysis of electronic data/devices as
 evidence for use in a court of law.
Roles of digital devices in a crime
Contraband material
    - Selling a company computer
    - Illegal downloads

Tool for the crime
  - Modifying a company balance sheet

Incidental to the crime
  - Drug dealer storing his buyers/sellers on a
  phone
6 A's of Computer Forensics
•  Assessment
•  Acquisition
•  Authentication
•  Analysis
•  Articulation
•  Archival
Acquisition - Traditional hard drives

[Diagram: Suspect Drive - Write Blocker - Your System - Your Forensic Drive. Caption: Imaging a drive]
Authentication

[Diagram: Suspect Drive and Your Forensic Drive. Caption: Matching md5 hash]
SSD
•    SSDs are masked by the SSD Controller to look like a
     traditional hard drive

[Diagram: SATA + Power - SSD Controller - Flash Memory, Flash Memory]

•    Unreliable 1's and 0's
      o  All "not in use" blocks must be erased before being
         used again

[Diagram: Old Data, New data; 0 and 1]

•    Garbage Collection - background process
Problems with SSD
Once the power is connected to the SSD, the
 garbage collection process physically begins
 to erase blocks marked as "not in use".
Acquisition - SSD

[Diagram: Suspect Drive - Write Blocker - Your System - Your Forensic Drive. Caption: Imaging the drive]
Authentication

[Diagram: Suspect Drive and Your Forensic Drive. Caption: Different md5 hash]
Problems with SSD
Once the power is connected to the SSD, the
 garbage collection process physically begins
 to erase blocks marked as "not in use".

•  Different md5 hashes
•  Evidence that the suspect tried to delete
  may be removed because of garbage
  collection
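
An added example (not from the original slides): when a second acquisition of an SSD yields a different md5, a block-level comparison shows where the two images diverge and whether the changed blocks now read as uniformly erased, the pattern garbage collection would leave. The 4096-byte block size, the 0x00/0xFF "erased" patterns, the function names and the in-memory sample images are all assumptions constructed for illustration.

```python
import hashlib
import io

BLOCK = 4096  # comparison granularity in bytes (assumed; not from the slides)

def md5_stream(stream, block=BLOCK):
    """Whole-image MD5, read in chunks so large images need not fit in memory."""
    h = hashlib.md5()
    stream.seek(0)
    for chunk in iter(lambda: stream.read(block), b""):
        h.update(chunk)
    return h.hexdigest()

def diff_blocks(first, second, block=BLOCK):
    """Compare two acquisitions block by block.

    Returns (index, kind) for every differing block; kind is "erased" when the
    block in the second image is uniformly 0x00 or 0xFF, else "modified".
    """
    first.seek(0)
    second.seek(0)
    changes, index = [], 0
    while True:
        a, b = first.read(block), second.read(block)
        if not a and not b:
            break
        if a != b:
            wiped = len(b) > 0 and b in (b"\x00" * len(b), b"\xff" * len(b))
            changes.append((index, "erased" if wiped else "modified"))
        index += 1
    return changes

def simulate_garbage_collection(image, stale_blocks, block=BLOCK):
    """Constructed stand-in for the controller: zero blocks marked 'not in use'."""
    data = bytearray(image)
    for i in stale_blocks:
        data[i * block:(i + 1) * block] = b"\x00" * block
    return bytes(data)

# Constructed sample: an 8-block "drive" where blocks 2 and 5 hold deleted data.
acq1 = b"".join(bytes([0x41 + i]) * BLOCK for i in range(8))
acq2 = simulate_garbage_collection(acq1, stale_blocks=[2, 5])

if __name__ == "__main__":
    s1, s2 = io.BytesIO(acq1), io.BytesIO(acq2)
    print("first acquisition :", md5_stream(s1))
    print("second acquisition:", md5_stream(s2))
    for idx, kind in diff_blocks(s1, s2):
        print(f"block {idx} (offset {idx * BLOCK}): {kind}")
```

The same functions accept real image files opened in binary mode; a mismatch made up only of "erased" blocks is consistent with garbage collection, while "modified" blocks call for a closer look.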
The End
