Manuel Garza
ITDF 2435
Prof. Nye
January 29, 2014
Computer Forensics: Modern Seizure Policy and New Technology
The introduction of computers into the business and personal world has benefitted our
society greatly. Computers have allowed us to access our finances and share information from
almost anywhere instantaneously. It was only inevitable that criminals would begin to use this
technology for their own benefit. Computer forensics was introduced to create a trail of evidence
for crimes performed using digital devices. Computer forensics, like all forensics sciences, uses
methods and techniques to gather and examine information. With this information, we can get an
idea of what happened in the past, who was there when it happened, and how it was performed.
Currently, computer forensics does a reasonably good job of gathering and examining information
from digital devices. But just like these digital devices, computer forensics will soon become
outdated. As technology evolves, the need for new methods and techniques to perform forensic
analysis on these new devices becomes apparent. This paper will summarize current digital
forensic techniques and discuss how new technology makes gathering and analyzing past data
considerably more difficult.
There are many techniques used in computer forensics for both gathering and examining
information. The most basic technique requires only the hard disk drive to generate an exact
imaged copy of all the data stored on that drive. This technique is usually performed on desktop
or laptop computers. During seizure of these devices, it is necessary to ensure that the power is
off. If the power is on, it is required to pull the power cord from the back of the desktop (United
States 3). If the device is a laptop, the power cord must be disconnected from the device and the
battery must be removed. After seizing the device, the hard disk drive is removed and connected
to a digital forensics machine by means of a write blocker. The write blocker preserves the
integrity of the investigation by ensuring that nothing is written or added
to the hard disk drive. Forensic analysis software is then used to create an exact image of the data
on the hard disk drive. After the data is verified, a forensic examiner can begin their investigation
by searching through the data present on the hard disk drive, as well as any deleted data that has
not been overwritten. Although this “dead” acquisition will work for a majority of cases, some
cases may require what is called a “live” acquisition.
Live acquisitions are performed while the target system is running. This type of
acquisition is necessary when a system cannot be shut down, like when working with company
servers or when a case requires volatile data from RAM. Encrypted file systems are usually not
accessible from a dead acquisition, which may make a live acquisition necessary. Casey and Stellatos
state, “Because strong encryption cannot be circumvented without a key or passphrase, forensic
examiners may not be able to access data after a computer is shut down, and must decide
whether to perform a live forensic acquisition” (93). The key or passphrase that Casey and
Stellatos are referring to could be found in RAM, which would require a live memory
acquisition. If the encrypted files are already accessible, it may be possible to perform a live
acquisition and create an image of the hard disk drive for later analysis. There are two main ways
to perform a live memory acquisition: hardware-based and software-based methods.
Although software-based methods are easier to use and free, hardware-based methods
seem to be safer and more effective when the two are compared. Zhang et al. mention that “software-based
methods cannot deal with locked systems when the unlock password is unknown since
they need to run software application program(s) on the subject machine.” They then go on to
say “…running of such software acquisition tools… may overwrite useful data and destroy the
integrity of system memory data and keep it from being evidence. Moreover, software-based
memory acquisition tools can be easily cheated by anti-forensic malwares…” (Lai 159). So even
if a forensic examiner were able to bypass a locked system and use the software, evidence could
still be destroyed in the process or missed entirely because of malware deception. Hardware-based
methods avoid all of these problems because they bypass the
operating system and have direct access to the memory without running software on the target
system. Based on this information, the more reliable option for a live acquisition is hardware-based.
So what exactly is a hardware-based live acquisition? There are two ways to conduct this
type of acquisition. One way is through a PCI expansion card and the other way is through a
FireWire port (Lai 160). A PCI expansion card works well for live memory acquisition, but there
are some drawbacks to using it. Because it is an expansion card, it must be installed prior to an
investigation. A switch must also be used to acquire any live data currently on the subject
machine. This technique works well in a corporate environment where an investigator has the
ability to install this hardware before an event takes place, but it may not be feasible in other
situations. This is why FireWire is the preferred method when performing a live memory
acquisition.
Most computers currently have a FireWire port built into the motherboard. This
is what allows live memory acquisition through FireWire to operate in Direct Memory Access
mode. FireWire acquisition works on any operating system because it bypasses the
operating system. A FireWire memory acquisition is performed by connecting the investigating
device to the subject device through their FireWire ports. Software is run on the
investigating machine which allows the acquisition of memory from the subject machine without
writing to it. Antonio Martin states this acquisition can also recover “the last sixteen bytes from
the keyboard buffer accepted by the BIOS prior to booting the primary operating system, useful
in finding BIOS and disk encryption passwords”. The ability to obtain this information is what
allows this acquisition technique to access a fully encrypted hard disk drive. Although live
memory acquisition through FireWire sounds very reliable, it does have negative aspects. The
suspect could open the machine and disconnect the FireWire port from the motherboard. They
can also fill the FireWire port with some sort of epoxy or resin. This method of acquisition can
also cause the subject system to crash. Arne Vidstrom “illustrates that when FireWire methods of
acquisition access the Upper Memory Area (UMA) region of memory they can cause random
system crashes” (qtd. in Australia 10). With this in mind, we can see that live memory
acquisitions are not always reliable and should only be used in special cases. Now that basic
digital forensic techniques have been explained, we will move on to how problems arise when
dealing with new technology.
The advancement of new technology has created a dilemma in the world of digital
forensics. Technologies like Solid State Drives, private internet browsers, and video game client
web browsers have increased the difficulty in acquiring and analyzing data. Why are these
problems present? How does this technology work? What are the best practices when dealing
with this technology? All of this will be discussed, beginning with solid state drives.
Solid state drives, like hard disk drives, are used in the storage of data. Although they
share the same purpose, there are a few differences between the two. Unlike hard disk drives,
solid state drives do not contain spinning magnetic disks or read-write heads. Instead, solid state
drives employ multiple flash memory chips dictated by a flash memory controller. This allows
solid state drives to have increased speed and performance over hard disk drives because there
are no moving parts. Another difference between the two drives is the actual storage of data.
Hard disk drives are made up of multiple platters divided into multiple blocks of sectors.
A sector is the smallest divisible area that can store data. John Sammons states “Traditionally,
each sector holds up to 512 bytes of data. It can hold less, but it can’t hold more” (1). This means
any file containing more than 512 bytes of data will take up more than one sector. The combined
capacity of the sectors a file occupies is therefore always equal to or greater than the number of
bytes in the file. So what if a file contains less data than the number of bytes in a sector?
The file will still use, or allocate, the sector but any leftover space cannot be used by
other files. This unused space is called slack space. When a user deletes a file, they usually think
the deleted file is gone and cannot be recovered. This is not the case. Deleted files are never
actually removed from the hard disk drive; they are simply not recognized by the operating
system. The operating system now sees the sectors that were occupied by the deleted file as
ready to use, or unallocated. Now when the drive saves a new file, it can save it to the same
unallocated sectors that were previously used by the recently deleted file. When a new file is
saved to these unallocated sectors it overwrites the data of the previous deleted file. Thus, the
previous deleted file is now truly deleted and gone forever. But what happens if the newly saved
file is not big enough to overwrite the full sector?
As mentioned above, if a file does not fill a sector there is slack space left over.
The same principle applies to this newly saved file. If the previously deleted file takes up more
bytes on a sector than the newly saved file, the extra data will be left in the slack space of that
sector. This leftover data could possibly contain enough bytes to reconstruct text, pictures, or any
type of evidence left over in the slack space. The same principles apply when fragmenting a hard
disk drive.
Fragmentation happens when there are pockets of unallocated space between allocated
space. This occurs over time as files are “deleted” and saved. Deleted files can create pockets of
unallocated space and saved files try to fill up these pockets. So what happens when a saved file
needs more unallocated space than provided by these pockets?
The hard disk drive will save a portion of the file to fill up the pocket while spreading out
and saving the rest of the file to other unallocated areas of the drive. This spreading of files is
fragmentation and tends to slow down a system because each point of data must be accessed
sequentially. Defragmenting a hard disk drive gets rid of this spread. The drive takes data and
“moves” it around until the data from these fragmented files is contiguous in uniform
sectors, thus defragmenting them and speeding up the system. Moving files around is similar to
deleting files. Files that are moved are essentially copied to the target location. The sectors from
which the data originated are no longer referenced by the operating system but the data still
remains. Again this leftover data can be acquired and examined by forensic software unless
overwritten. Solid state drives are somewhat similar, but they operate quite differently, which
creates roadblocks for digital forensic investigators.
Solid state drives use blocks of pages that contain cells to store data. Each cell stores one or
more bits of data. The number of bits stored in a cell depends on the type of solid state drive
used. Multi-level cell drives can currently hold two to eight bits per cell, while single-cell
drives store one bit per cell. According to Kurt Marko, multi-level
cell drives have lower performance, particularly for writes, and are less durable and reliable (3).
The advantages of a multi-level cell drive over a single-cell drive are that it is
much cheaper and can hold more data. This is why most solid state drive manufacturers
choose to assemble multi-cell drives. Although multi-cell drives perform much worse than
single-cell drives, they are still much faster than hard disk drives.
Solid state drives are much quicker and more efficient at removing deleted data from the
drive. This is due to a process called garbage collection, run by the flash memory controller. This
process is similar to defragmenting a hard disk drive. Blocks contain free space that is available
to hold pages. Pages are allowed to be created as long as there is free space on a block. Pages are
moved around in this free space and deleted pages are removed from the drive by the garbage
collection process. This process removes any slack space leftover on a block by filling the space
with existing pages occupying other blocks. When a file is deleted the data stays on the drive and
the occupied page space is now considered invalid, or stale. When the garbage collection process
is run, the data is removed from the drive and the space is then considered free space. If a block
contains valid data and stale data, the valid data pages must be moved to another open block
before the stale data can be wiped. After the stale data is wiped, the valid data pages are then
moved back to the free space on the original block. This permanent deletion of files and removal
of slack space destroys potential evidence far more readily than on hard disk drives.
The flash memory controller manages the garbage collection process and can run it
automatically, at random, any time the drive has power. This allows deleted data to be
removed on a regular basis. Since garbage collection is controlled at the hardware level, pulling
out the solid state drive and attaching it to a digital forensics machine could still cause the
garbage collection process to run. Not only is potential evidence erased from unallocated and
slack space, but the evidence that remains could be rendered useless. Currently we verify the imaged copy
of a hard disk drive by comparing cryptographic hashes of the subject drive
and the image. The garbage collection process causes the hash of the subject drive to
change constantly, sacrificing the integrity of the entire investigation. Not only that, but the
secure erase command completely wipes a solid state drive removing all data from every block.
Jon Jacobi says “Secure erase, a function built into every ATA-based hard drive and SSD since
2001, erases everything on the drive and marks the cells as empty” (1). The secure erase
command is a nightmare for digital forensic investigators. An investigation is completely
nullified because there is no data left to examine. What options do investigators have when
dealing with solid state drives?
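To make the slack-space, garbage-collection and hash-verification behaviour described above concrete, here is an added Python simulation (not part of the original paper, and not a driver for any real drive): a toy store of 512-byte sectors in which deletion only drops the allocation entry, an "SSD" variant whose controller erases stale sectors whenever it is powered, and a comparison of two successive image hashes. The 512-byte sector size is the one quoted from Sammons; the file names and note contents are constructed sample data.

```python
import hashlib

SECTOR_SIZE = 512  # the traditional 512-byte sector size quoted from Sammons


class SimulatedDrive:
    """A flat array of 512-byte sectors with a minimal allocation table.

    is_ssd=False models a magnetic drive: deleted bytes stay in place until
    a later write happens to overwrite them.
    is_ssd=True models a drive whose controller erases stale sectors on its
    own whenever the drive is powered (a crude stand-in for garbage
    collection running independently of the host and of any write blocker).
    """

    def __init__(self, sectors: int, is_ssd: bool = False):
        self.sectors = [bytearray(SECTOR_SIZE) for _ in range(sectors)]
        self.files = {}      # name -> (list of sector indices, byte length)
        self.stale = set()   # freed sectors whose old bytes were not erased
        self.is_ssd = is_ssd

    def _free_sectors(self):
        used = {i for idxs, _ in self.files.values() for i in idxs}
        return [i for i in range(len(self.sectors)) if i not in used]

    def write(self, name: str, data: bytes) -> list:
        if not data:
            raise ValueError("empty files are not modelled")
        needed = -(-len(data) // SECTOR_SIZE)          # ceiling division
        free = self._free_sectors()
        if needed > len(free):
            raise IOError("drive full")
        chosen = free[:needed]
        for n, idx in enumerate(chosen):
            chunk = data[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE]
            # Only the file's own bytes are written; the remainder of the
            # last sector (its slack space) keeps whatever was there before.
            self.sectors[idx][:len(chunk)] = chunk
            self.stale.discard(idx)
        self.files[name] = (chosen, len(data))
        return chosen

    def delete(self, name: str) -> None:
        # Deletion only drops the allocation entry; the bytes are untouched.
        idxs, _ = self.files.pop(name)
        self.stale.update(idxs)

    def power_on_tick(self) -> None:
        # An SSD controller may run garbage collection whenever it has power,
        # even while the drive sits behind a write blocker on the bench.
        if self.is_ssd:
            for idx in self.stale:
                self.sectors[idx][:] = bytes(SECTOR_SIZE)
            self.stale.clear()

    def slack_space(self, name: str) -> bytes:
        """Bytes after the file's end inside its final sector."""
        idxs, length = self.files[name]
        used_in_last = length - (len(idxs) - 1) * SECTOR_SIZE
        return bytes(self.sectors[idxs[-1]][used_in_last:])

    def unallocated(self) -> bytes:
        """Contents of every sector no current file claims."""
        return b"".join(bytes(self.sectors[i]) for i in self._free_sectors())

    def image(self) -> bytes:
        """Bit-for-bit copy of the whole drive, as an imaging tool would take."""
        return b"".join(bytes(s) for s in self.sectors)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample "evidence": a 1000-byte note that spans two sectors.
NOTE = (b"Q3 budget draft, do not forward outside finance. " * 25)[:1000]


def run_scenario(is_ssd: bool) -> dict:
    """Write the note, delete it, image the drive twice around a powered idle
    period, then overwrite part of the note's first sector with a small file.
    Returns what an examiner could still recover and whether the two image
    hashes agree.
    """
    drive = SimulatedDrive(sectors=8, is_ssd=is_ssd)
    drive.write("note.txt", NOTE)
    drive.delete("note.txt")
    first_hash = sha256_hex(drive.image())   # image taken right after seizure
    drive.power_on_tick()                    # drive left powered on the bench
    second_hash = sha256_hex(drive.image())  # re-image to verify the first
    drive.write("readme.txt", b"nothing to see here")   # 19 bytes, 1 sector
    return {
        "slack_has_note": NOTE[19:SECTOR_SIZE] in drive.slack_space("readme.txt"),
        "unallocated_has_note": NOTE[SECTOR_SIZE:] in drive.unallocated(),
        "hash_stable": first_hash == second_hash,
    }
```

With is_ssd=False every recovery succeeds and the two hashes match; with is_ssd=True the slack and unallocated sectors come back zeroed and the second hash no longer verifies the first.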
We can still read the data stored on the flash chips if we are able to seize the drive before
a secure erase command executes. Even if we seize the drive before a secure erase command
finishes, we can still pull the power cord and examine any flash chips that were not erased. The
problem lies with the flash memory controller. Wiebe explains that “While write-blockers may
stop the TRIM command from reaching a hard drive, they do not stop a SSD drive from
executing internal wear-leveling algorithms” (6). The TRIM command is a garbage collection
tool. Wear-leveling, unlike defragmentation, causes files to be spread out and saved in blocks all
over the solid state drive. This prolongs the life of the drive, because cells can only be
written a certain number of times before they wear out. Data does not need to be stored
sequentially as on hard disk drives. This can cause files to be spread out randomly across the
entire drive. Because of this random spread, even if we were able to examine the data from the
flash chips, we may not be able to piece some of the data together. In order to acquire the data
from the flash chips reliably, we need to eliminate interference from the flash memory controller.
The flash chips can be removed from the solid state drive and implanted in a device that
reads the data. Digital forensic investigators are able to image the flash chips with this device.
We can read any data left on the chip, whether valid or stale, but as mentioned previously we
may not be able to read some of the data that has been randomly spread out. This is not a
complete solution to the problems created by solid state drives and new forensic technology must
evolve to combat this threat. As hardware advances so does software.
Private internet browsers are becoming more popular. As rumors spread about the NSA,
people want more privacy while using their devices. The four largest internet browsers have
incorporated a private mode for staying hidden when browsing the web. They all work
differently, but their goals are mostly the same. Internet Explorer, Google Chrome, Mozilla
Firefox, and Apple Safari have all created a private mode for their users. All of these web
browsers claim their privacy mode either does not store artifacts or removes them from the local
machine after exiting a browser session. Google Chrome and Mozilla Firefox both claim their
privacy mode keeps users hidden from websites tracking their browsing patterns. Are their
claims legitimate?
All privacy modes for these browsers store artifacts in volatile memory so that they operate
correctly, but it is not always feasible to perform a live acquisition. What data, if any, is left
behind on the hard drive by these private browsers? Ohana and Shashidhar state that “private
browsing modes and portable browsers do in fact leave incriminating evidence, but it depends on
the browser. Some browsers left enough information to establish an affirmative link and some
did not” (139). Their research showed that Internet Explorer left behind the most artifacts, but not
where these artifacts are typically found. They were able to recover all of the data, except for
playable videos, from Internet Explorer’s InPrivate mode. This data includes cached images,
URL history, and usernames with their associated accounts. Much of this data was found in slack
space and free space. Artifacts from the other three browsers were not as simple to recover as
those from Internet Explorer.
Ohana and Shashidhar explain that “it was difficult to establish an affirmative link
between the user and session because none of the usernames and other history information was
accessible; the same resulted for Mozilla Firefox” (139). Both browsers displayed timestamps
when privacy mode was opened and closed. Images were recoverable only through a live
memory acquisition, and most were partial. Google Chrome Incognito Mode modified
timestamps on leftover artifacts, which ruins the affirmative link between user and session. An
important note is that any documents viewed through these private browsers were recoverable on
the hard disk drive. These two browsers left far fewer artifacts than either Internet Explorer or
Apple Safari.
Ohana and Shashidhar’s research concluded that Apple Safari left behind every URL
visited in the free and slack space on the hard drive. The “WebpageIcons” database also
contained webpage icons for every website visited (139). Unlike Internet Explorer, Apple Safari
left behind partial images only available through a live memory acquisition. Timestamps were
also visible and unmodified on the hard drive. What can we conclude from this research on
private browsers?
The private browsing modes for Internet Explorer and Apple Safari show that they are not
very private at all. There are enough artifacts left behind from both of these browsers to build a
case of evidence against a subject. However, not all private browsers allow an investigator to
gather evidence. We see that Google Chrome and Mozilla Firefox are both quite private when it
comes to examining artifacts on a hard drive. Gathering enough evidence from the data they
leave behind can be very difficult. The only sure way a forensics investigator can gather a great
deal of evidence with these browsers is through a live memory acquisition. Combining private
internet browsers with solid state drives can make it almost impossible for an investigator to
acquire and examine the data from these browsing sessions. There is another web browser rising
in popularity that is hidden from some digital forensic investigators.
Steam is a video game client for Windows, Mac, and now Linux. The client is based on
the WebKit engine. A user must log into the Steam client with their Steam account in order to
access its features. Steam consists of the client and the in-game overlay. The Steam client allows
a user to browse and purchase games, add and chat with friends, launch and browse games
purchased by the user, and browse the web. The in-game overlay can only be accessed while
playing a game. It allows a user to view achievements, add and chat with friends, view guides
and other community created content, and also browse the web. Many digital forensic
investigators may ignore Steam data since it presents itself as only a video game client. Not only
can Steam contain evidence, but it can also lead to acquiring passwords for access to other
aspects important in an investigation.
Peter Clemenko examined the Steam client and presented his findings at BSides
Delaware 2013. He says that “all of the steam components that use a browser store cookies,
cache, and local storage files” (Clemenko). The cache is stored as raw files, while the cookies
and local storage files are stored in SQLite 3 databases. All of these files are located in the
“/steam/config/htmlcache/” folder. Some PC games even store usernames and passwords used
for logging in. The private chat used for communicating with friends can sometimes store the last
portions of recent chats. The chat logs are not stored locally but over the Steam cloud instead.
Although acquiring and gathering data in the Steam client may not be as difficult as solid state
drives or private browsers, it can still be overlooked by digital forensics investigators.
The evolution of technology seems to be difficult to keep up with in the world of digital
forensics. The most common techniques we use to acquire and examine data are now becoming
outdated. It is no longer as easy as pulling the power cord and taking out the hard disk drive for
acquisition. Acquiring data from unallocated space will no longer be a reliable option as solid
state drives become cheaper and faster. Evidence can now be removed permanently from a drive
automatically through garbage collection. A drive full of data can now be completely wiped in
minutes or seconds with a single command. Write blockers can be rendered useless by the wear-
leveling algorithms of flash memory controllers. Our only option is to physically pull out each
flash memory chip and examine data that has not been deleted. We must piece this data together
as it is randomly spread across multiple blocks on different flash chips.
Live memory acquisition might become a necessity instead of an option as private web
browsers like Google Chrome and Mozilla Firefox become more popular. Even private web
browsers like Internet Explorer and Apple Safari will not have to worry about leaving behind
artifacts when using them in combination with solid state drives. We must become more aware
as video game clients like Steam add features that allow users to browse the internet and chat
with friends.
Currently there are very few options to acquire solid evidence from new technology.
Analyzing and gathering past data from this technology has proved to be problematic with our
modern digital forensic techniques. More research needs to be done and new techniques must be
discovered to examine digital evidence. Computer forensics was introduced to create a trail of
evidence for crimes using digital devices. As that digital evidence fades away, so does the world
of computer forensics.
Works Cited
Best Practices for Seizing Electronic Evidence V.3: A Pocket Guide for First Responders. United
States, 2007. Print.
Casey, Eoghan, and Gerasimos J. Stellatos. "The Impact of Full Disk Encryption on Digital
Forensics." ACM SIGOPS Operating Systems Review 42.3 (2008): 93. Print.
Lai, Xuejia. "Live Memory Acquisition through FireWire." Forensics in Telecommunications,
Information and Multimedia: Third International ICST Conference, Revised Selected Papers.
Berlin/Heidelberg: Springer, 2011. 159-167. Print.
Martin, Antonio. "FireWire Memory Dump of a Windows XP Computer: A Forensic
Approach." http://www.friendsglobal.com/papers/FireWire%20Memory%20Dump%20of%20Windows%20XP.pdf. N.p., 2007. Web. 7 Apr. 2014.
Australia. Department of Defence. Cyber and Electronic Warfare Division. Memory Forensics:
Review of Acquisition and Analysis Techniques. By Grant Osborne. Defence Science and
Technology Organisation, Nov. 2013. Web. 7 Apr. 2014.
Sammons, John. "Solid-State Drives Are a Game Changer for Deleted Files." Technology for the
Litigator E-Newsletter (11 June 2012): n. pag. American Bar Association. Technology for the
Litigator, 11 June 2012. Web. 8 Apr. 2014.
Marko, Kurt. "Storage Innovation." InformationWeek 23 July 2012: 12. Computer Database.
Web. 9 Apr. 2014.
Jacobi, Jon L. "Restore Your SSD to Peak Performance." PC World 32.3 (2014): 148-151.
Computer Source. Web. 10 Apr. 2014.
Wiebe, James. "Forensic Insight into Solid State Drives." DFI News. CRU-DataPort/WiebeTech,
28 May 2013. Web. 10 Apr. 2014.
Ohana, Donny J., and Narasimha Shashidhar. "Do Private and Portable Web Browsers Leave
Incriminating Evidence?: A Forensic Analysis of Residual Artifacts from Private and Portable
Web Browsing Sessions." EURASIP Journal on Information Security 2013.1 (2013): 6. Print.
Clemenko, Peter, III. "Playing the Forensics Game: Forensic Analysis of Gaming Applications
for Fun and Profit." BSides Delaware 2013. Wilmington, Delaware. 13 Apr. 2014. Lecture.

More Related Content

Similar to ResearchPaperITDF2435

Computer forensics
Computer forensicsComputer forensics
Computer forensics
deaneal
 
computerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdfcomputerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdf
Gnanavi2
 
Latest presentation
Latest presentationLatest presentation
Latest presentation
Adetunji Adeoje
 
Improving data confidentiality in personal computer environment using on line...
Improving data confidentiality in personal computer environment using on line...Improving data confidentiality in personal computer environment using on line...
Improving data confidentiality in personal computer environment using on line...Damir Delija
 
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E  9  B Y .docxLecture 09 - Memory Forensics.pdfL E C T U R E  9  B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
smile790243
 
Analysis of digital evidence
Analysis of digital evidenceAnalysis of digital evidence
Analysis of digital evidence
rakesh mishra
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
Vikas Jain
 
Capabilities of Computing Technology
Capabilities of Computing TechnologyCapabilities of Computing Technology
Capabilities of Computing TechnologyBimpe Animashaun
 
Role of a Forensic Investigator
Role of a Forensic InvestigatorRole of a Forensic Investigator
Role of a Forensic Investigator
Agape Inc
 
The design of forensic computer workstations
The design of forensic computer workstationsThe design of forensic computer workstations
The design of forensic computer workstations
jkvr100
 
Automated Live Forensics Analysis for Volatile Data Acquisition
Automated Live Forensics Analysis for Volatile Data AcquisitionAutomated Live Forensics Analysis for Volatile Data Acquisition
Automated Live Forensics Analysis for Volatile Data Acquisition
IJERA Editor
 
An Analyzing of different Techniques and Tools to Recover Data from Volatile ...
An Analyzing of different Techniques and Tools to Recover Data from Volatile ...An Analyzing of different Techniques and Tools to Recover Data from Volatile ...
An Analyzing of different Techniques and Tools to Recover Data from Volatile ...
ijsrd.com
 
Computer forensics
Computer  forensicsComputer  forensics
Computer forensics
Lalit Garg
 
Forensic imaging
Forensic imagingForensic imaging
Forensic imaging
DINESH KAMBLE
 
3170725_Unit-4.pptx
3170725_Unit-4.pptx3170725_Unit-4.pptx
3170725_Unit-4.pptx
YashPatel132112
 
05 Duplication and Preservation of Digital evidence - Notes
05 Duplication and Preservation of Digital evidence - Notes05 Duplication and Preservation of Digital evidence - Notes
05 Duplication and Preservation of Digital evidence - NotesKranthi
 
Anti-Forensic Rootkits
Anti-Forensic RootkitsAnti-Forensic Rootkits
Anti-Forensic Rootkits
amiable_indian
 
Comparison of android and black berry forensic techniques
Comparison of android and black berry forensic techniquesComparison of android and black berry forensic techniques
Comparison of android and black berry forensic techniquesSTO STRATEGY
 

Similar to ResearchPaperITDF2435 (20)

Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
computerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdfcomputerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdf
 
Fs Ch 18
Fs Ch 18Fs Ch 18
Fs Ch 18
 
Latest presentation
Latest presentationLatest presentation
Latest presentation
 
Computer Forensic
Computer ForensicComputer Forensic
Computer Forensic
 
Improving data confidentiality in personal computer environment using on line...

ResearchPaperITDF2435

Manuel Garza
ITDF 2435
Prof. Nye
January 29, 2014

Computer Forensics: Modern Seizure Policy and New Technology

The introduction of computers into the business and personal world has benefitted our society greatly. Computers have allowed us to access our finances and share information from almost anywhere instantaneously. It was inevitable that criminals would begin to use this technology for their own benefit. Computer forensics was introduced to create a trail of evidence for crimes performed using digital devices. Computer forensics, like all forensic sciences, uses methods and techniques to gather and examine information. With this information, we can get an idea of what happened in the past, who was there when it happened, and how it was performed. Currently, computer forensics does a reasonably good job of gathering and examining information from digital devices. But just like these digital devices, computer forensics will soon become outdated. As technology evolves, the need for new methods and techniques to perform forensic analysis on these new devices becomes apparent. This paper will summarize current digital forensic techniques and discuss how new technology makes it much more difficult to gather and analyze past data.

There are many techniques used in computer forensics for both gathering and examining information. The most basic technique requires only the hard disk drive, from which an exact image of all the data stored on that drive is generated. This technique is usually performed on desktop or laptop computers. During seizure of these devices, it is necessary to ensure that the power is off. If the power is on, the power cord must be pulled from the back of the desktop (United States 3). If the device is a laptop, the power cord must be disconnected from the device and the battery must be removed. After seizing the device, the hard disk drive is removed and connected to a digital forensics machine by means of a write blocker. The write blocker preserves the integrity of the investigation by preventing any information from being written to the hard disk drive. Forensic analysis software is then used to create an exact image of the data on the hard disk drive. After the image has been verified, a forensic examiner can begin the investigation by searching through the data present on the hard disk drive, as well as any deleted data that has not been overwritten.

Although this “dead” acquisition will work for a majority of cases, some cases may require what is called a “live” acquisition. Live acquisitions are performed while the target system is running. This type of acquisition is necessary when a system cannot be shut down, such as when working with company servers, or when a case requires volatile data from RAM. Encrypted file systems are usually not accessible from a dead acquisition, which may make a live acquisition necessary. Casey and Stellatos state, “Because strong encryption cannot be circumvented without a key or passphrase, forensic examiners may not be able to access data after a computer is shut down, and must decide whether to perform a live forensic acquisition” (93). The key or passphrase that Casey and Stellatos are referring to could be found in RAM, which would require a live memory acquisition. If the encrypted files are already accessible, it may be possible to perform a live acquisition and create an image of the hard disk drive for later analysis.

There are two main ways in which we can perform a live memory acquisition: hardware-based and software-based methods.
Although software-based methods are easier to use and free, hardware-based methods seem to be safer and more effective when the two are compared. Zhang et al. mention that “software-based methods cannot deal with locked systems when the unlock password is unknown since they need to run software application program(s) on the subject machine.” They then go on to say “…running of such software acquisition tools… may overwrite useful data and destroy the integrity of system memory data and keep it from being evidence. Moreover, software-based memory acquisition tools can be easily cheated by anti-forensic malwares…” (Lai 159). So even if a forensic examiner were able to bypass a locked system and use the software, evidence could still be destroyed in the process, or not even be recognized because of malware deception. Hardware-based methods do not have any of these problems because they bypass the operating system and have direct access to memory without running software on the target system. Based on this information, the more reliable option for a live acquisition is hardware-based.

So what exactly is a hardware-based live acquisition? There are two ways to conduct this type of acquisition. One way is through a PCI expansion card and the other is through a FireWire port (Lai 160). A PCI expansion card works well for live memory acquisition, but there are some drawbacks to using it. Because it is an expansion card, it must be installed prior to an investigation. A switch must also be used to acquire any live data currently on the subject machine. This technique works well in a corporate environment where an investigator has the ability to install this hardware before an event takes place, but it may not be feasible in other situations. This is why FireWire is the preferred method when performing a live memory acquisition.
Most computers currently have a FireWire port connected directly to the motherboard. This is what allows live memory acquisition through FireWire to operate in Direct Memory Access mode. FireWire acquisition works on any operating system, since it bypasses the operating system entirely. A FireWire memory acquisition is performed by connecting the investigating device to the subject device through their FireWire ports. Software is run on the investigating machine which allows the acquisition of memory from the subject machine without writing to it. Antonio Martin states this acquisition can also recover “the last sixteen bytes from the keyboard buffer accepted by the BIOS prior to booting the primary operating system, useful in finding BIOS and disk encryption passwords”. The ability to obtain this information is what allows this acquisition technique to access a fully encrypted hard disk drive.

Although live memory acquisition through FireWire sounds very reliable, it does have negative aspects. The suspect could open the machine and disconnect the FireWire port from the motherboard. They could also fill the FireWire port with some sort of epoxy or resin. This method of acquisition can also cause the subject system to crash. Arne Vidstrom “illustrates that when FireWire methods of acquisition access the Upper Memory Area (UMA) region of memory they can cause random system crashes” (qtd. in Australia 10). With this in mind, we can see that live memory acquisitions are not always reliable and should only be used in special cases. Now that basic digital forensic techniques have been explained, we will move on to the problems that arise when dealing with new technology.

The advancement of new technology has created a dilemma in the world of digital forensics. Technologies like solid state drives, private internet browsers, and video game client web browsers have increased the difficulty of acquiring and analyzing data. Why are these problems present? How does this technology work? What are the best practices when dealing with this technology? All of this will be discussed, but we will begin with solid state drives.

Solid state drives, like hard disk drives, are used to store data. Although they share the same purpose, there are a few differences between the two. Unlike hard disk drives, solid state drives do not contain spinning magnetic disks or read-write heads. Instead, solid state drives employ multiple flash memory chips managed by a flash memory controller. This allows solid state drives to have greater speed and performance than hard disk drives, because there are no moving parts. Another difference between the two drives is the actual storage of data. Hard disk drives are made up of multiple platters divided into multiple blocks of sectors. A sector is the smallest divisible area that can store data. John Sammons states, “Traditionally, each sector holds up to 512 bytes of data. It can hold less, but it can’t hold more” (1). This means any file containing more than 512 bytes of data will take up more than one sector. When the bytes of each allocated sector are added up, the total is always equal to or greater than the number of bytes in the file. So what if a file contains less data than the number of bytes in a sector? The file will still use, or allocate, the sector, but any leftover space cannot be used by other files. This unused space is called slack space.

When a user deletes a file they usually think the deleted file is gone and cannot be recovered. This is not the case. Deleted files are never actually removed from the hard disk drive; they are simply no longer recognized by the operating system. The operating system now sees the sectors that were occupied by the deleted file as ready to use, or unallocated. Now when the drive saves a new file, it can save it to the same unallocated sectors that were previously used by the recently deleted file.
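To make the sector arithmetic concrete, here is an added example (not code from the paper) that models a drive of 512-byte sectors in Python: a file is written, "deleted" by clearing its allocation flags only, and a smaller file is then written into the same sectors; a naive carving function shows which entries of the old file still sit in the new file's slack space and in the unallocated sectors. The disk size, file names and contents are constructed for the demonstration.

```python
"""Sector-level model of a hard disk drive, showing why remnants of a deleted file
survive in slack space and unallocated sectors. Added example for this page, not
the paper's code; disk size, file names and contents are constructed."""
import math
import re

SECTOR_SIZE = 512  # bytes per sector, as Sammons states for traditional drives


class SectorDisk:
    """A flat byte array plus an allocation map; no file system metadata."""

    def __init__(self, sectors):
        self.data = bytearray(sectors * SECTOR_SIZE)
        self.allocated = [False] * sectors  # what the OS considers in use
        self.files = {}                     # name -> (first sector, byte size)

    @staticmethod
    def sectors_needed(size):
        # allocated capacity is never less than the file size: 1224 bytes -> 3
        return math.ceil(size / SECTOR_SIZE)

    def _first_free_run(self, count):
        run = 0
        for idx, used in enumerate(self.allocated):
            run = 0 if used else run + 1
            if run == count:
                return idx - count + 1
        raise OSError("disk full")

    def write_file(self, name, content):
        """Only the file's own bytes are written; the tail of its last sector
        keeps whatever was there before (that tail is the slack space)."""
        count = self.sectors_needed(len(content))
        start = self._first_free_run(count)
        for i in range(count):
            self.allocated[start + i] = True
        offset = start * SECTOR_SIZE
        self.data[offset:offset + len(content)] = content
        self.files[name] = (start, len(content))
        return list(range(start, start + count))

    def delete_file(self, name):
        """Deletion only clears allocation flags; not a single byte changes."""
        start, size = self.files.pop(name)
        for i in range(self.sectors_needed(size)):
            self.allocated[start + i] = False

    def slack(self, name):
        """Bytes between a file's logical end and the end of its last sector."""
        start, size = self.files[name]
        end = start * SECTOR_SIZE + size
        sector_end = (start + self.sectors_needed(size)) * SECTOR_SIZE
        return bytes(self.data[end:sector_end])

    def unallocated(self):
        """Contents of every sector the OS considers free, concatenated."""
        return b"".join(
            bytes(self.data[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE])
            for i, used in enumerate(self.allocated) if not used)


def carve_entries(blob):
    """Naive carving: every intact 'ledger entry NNN' string in a byte region."""
    return re.findall(rb"ledger entry \d{3}", blob)


def build_scenario():
    """Write a 1224-byte file (3 sectors), delete it, then reuse the same
    sectors for a 602-byte file (2 sectors). Returns the resulting disk."""
    disk = SectorDisk(sectors=8)
    ledger = b"".join(b"ledger entry %03d\n" % i for i in range(72))  # 72 * 17
    disk.write_file("ledger.txt", ledger)
    disk.delete_file("ledger.txt")
    disk.write_file("notes.txt", b"harmless note\n" * 43)  # 43 * 14 = 602 bytes
    return disk


def remnant_counts(disk):
    """Intact entries of the deleted file per region: the whole raw image, the
    slack of the file that overwrote it, and the sectors still unallocated."""
    return {"whole": len(carve_entries(bytes(disk.data))),
            "slack": len(carve_entries(disk.slack("notes.txt"))),
            "unallocated": len(carve_entries(disk.unallocated()))}
```

The counts differ by one between the raw image and the two regions added together because one entry straddles the boundary between the new file's last sector and the first unallocated sector, so it is only intact when the raw image is carved as a whole.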
When a new file is saved to these unallocated sectors it overwrites the data of the previously deleted file. Thus, the previously deleted file is now truly deleted and gone forever. But what happens if the newly saved file is not big enough to overwrite the full sector? Above it was mentioned that if a file does not fill a sector there is slack space left over. The same principle applies to this newly saved file. If the previously deleted file took up more bytes of a sector than the newly saved file does, the extra data will be left in the slack space of that sector. This leftover data could contain enough bytes to reconstruct text, pictures, or any other type of evidence left in the slack space.

The same principles apply to fragmentation and defragmentation of a hard disk drive. Fragmentation happens when there are pockets of unallocated space between allocated space. This occurs over time as files are “deleted” and saved. Deleted files create pockets of unallocated space and saved files try to fill these pockets. So what happens when a saved file needs more unallocated space than these pockets provide? The hard disk drive will save a portion of the file to fill up the pocket while spreading out and saving the rest of the file to other unallocated areas of the drive. This spreading of files is fragmentation, and it tends to slow down a system because each fragment must be accessed in turn. Defragmenting a hard disk drive gets rid of this spread. The drive will take data and “move” it around until the data from these fragmented files sits in contiguous sectors, thus defragmenting them and speeding up the system. Moving files around is similar to deleting files. Files that are moved are basically copied to the target location. The sectors from which the data originated are no longer referenced by the operating system, but the data still remains. Again, this leftover data can be acquired and examined by forensic software unless overwritten.

Solid state drives are somewhat similar, but they operate much differently, which creates roadblocks for digital forensic investigators. Solid state drives use blocks of pages that contain cells to store data. Each cell stores one or more bits of data. The number of bits stored in a cell depends on the type of solid state drive. There are multi-level cell drives, which can currently hold two to eight bits per cell, and there are single-level cell drives, which store one bit per cell. According to Kurt Marko, multi-level cell drives have lower performance, particularly for writes, and are less durable and reliable (3). The advantages of a multi-level cell drive compared to a single-level cell drive are that it is much cheaper and can hold more data. This is why most solid state drive manufacturers choose to build multi-level cell drives. Although multi-level cell drives perform much worse than single-level cell drives, they are still much faster than hard disk drives.

Solid state drives are much quicker and more efficient at removing deleted data from the drive. This is due to a process called garbage collection, run by the flash memory controller. This process is similar to defragmenting a hard disk drive. Blocks contain free space that is available to hold pages. Pages can be created as long as there is free space in a block. Pages are moved around in this free space, and deleted pages are removed from the drive by the garbage collection process. This process removes any slack space left over on a block by filling the space with existing pages from other blocks. When a file is deleted, the data stays on the drive and the occupied page space is now considered invalid, or stale. When the garbage collection process runs, the data is removed from the drive and the space is then considered free.
If a block contains both valid data and stale data, the valid data pages must be moved to another open block before the stale data can be wiped. After the stale data is wiped, the valid data pages are then moved back to the free space on the original block. This permanent deletion of files and removal of slack space destroys potential evidence far more easily than on hard disk drives. The flash memory controller manages the garbage collection process and can run it automatically at any time there is power to the drive. This allows deleted data to be removed on a regular basis. Since garbage collection is controlled at the hardware level, pulling out the solid state drive and attaching it to a digital forensics machine can still cause the garbage collection process to run. Not only is potential evidence erased from unallocated and slack space, but the evidence that remains could be rendered useless. Currently we verify the imaged copy of a hard disk drive by comparing cryptographic hashes of the subject drive and the image. The garbage collection process causes the hash of the subject drive to change constantly, sacrificing the integrity of the entire investigation. Not only that, but the secure erase command completely wipes a solid state drive, removing all data from every block. Jon Jacobi says, “Secure erase, a function built into every ATA-based hard drive and SSD since 2001, erases everything on the drive and marks the cells as empty” (1). The secure erase command is a nightmare for digital forensic investigators. An investigation is completely nullified because there is no data left to examine.

What options do investigators have when dealing with solid state drives? We can still read the data stored on the flash chips if we are able to seize the drive before a secure erase command executes. Even if we seize the drive before a secure erase command finishes, we can still pull the power cord and examine any flash chips that were not erased. The problem lies with the flash memory controller.
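The following added example (not the paper's own code) models the block and page structure of a solid state drive in Python, with a garbage collection routine that parks valid pages, erases any block containing stale pages and writes the valid pages back, as described above. Imaging the same drive before and after the controller runs garbage collection gives different per-block hashes and loses the deleted file's pages; the toy geometry, file contents and acquisition sequence are constructed for the demonstration.

```python
"""Block/page model of a solid state drive whose controller runs garbage collection
on its own. Added example for this page, not the paper's code; geometry, file
contents and the two-acquisition procedure are constructed for the demonstration."""
import hashlib
import re

PAGE_SIZE = 64          # toy geometry; real drives use KiB-sized pages
PAGES_PER_BLOCK = 4
BLOCKS = 4
BLOCK_SIZE = PAGE_SIZE * PAGES_PER_BLOCK
ERASED = 0xFF           # erased NAND cells read back as all ones


def page_span(page):
    return slice(page * PAGE_SIZE, (page + 1) * PAGE_SIZE)


class FlashDrive:
    def __init__(self):
        self.data = bytearray([ERASED]) * (BLOCKS * BLOCK_SIZE)
        self.state = ["free"] * (BLOCKS * PAGES_PER_BLOCK)  # per-page state
        self.files = {}  # name -> list of page numbers

    def write_file(self, name, content):
        """One free page per PAGE_SIZE chunk; pages are written whole, so the
        last chunk is padded with the erased value."""
        pages = []
        for off in range(0, len(content), PAGE_SIZE):
            page = self.state.index("free")  # ValueError once the drive is full
            self.data[page_span(page)] = content[off:off + PAGE_SIZE].ljust(
                PAGE_SIZE, bytes([ERASED]))
            self.state[page] = "valid"
            pages.append(page)
        self.files[name] = pages
        return pages

    def delete_file(self, name):
        """Deleting (or a TRIM hint) only marks pages stale; the bytes remain."""
        for page in self.files.pop(name):
            self.state[page] = "stale"

    def garbage_collect(self):
        """Controller-initiated, needs nothing from the host: for each block that
        holds stale pages, park the valid pages, erase the whole block and write
        the valid pages back. Returns the number of stale pages wiped."""
        wiped = 0
        for block in range(BLOCKS):
            pages = range(block * PAGES_PER_BLOCK, (block + 1) * PAGES_PER_BLOCK)
            if not any(self.state[p] == "stale" for p in pages):
                continue
            parked = [(p, bytes(self.data[page_span(p)]))
                      for p in pages if self.state[p] == "valid"]
            wiped += sum(self.state[p] == "stale" for p in pages)
            for p in pages:  # block erase: every cell goes back to 0xFF
                self.data[page_span(p)] = bytes([ERASED]) * PAGE_SIZE
                self.state[p] = "free"
            for p, chunk in parked:  # valid data returns, stale data is gone
                self.data[page_span(p)] = chunk
                self.state[p] = "valid"
        return wiped

    def image(self):
        """What an imager reads through a write blocker: the raw page contents."""
        return bytes(self.data)


def piecewise_hashes(image, chunk_size=BLOCK_SIZE):
    """One SHA-256 per block so that a mismatch can be localised."""
    return [hashlib.sha256(image[i:i + chunk_size]).hexdigest()
            for i in range(0, len(image), chunk_size)]


def changed_blocks(reference, image):
    """Indices of blocks whose hash differs between two images of the drive."""
    pairs = zip(piecewise_hashes(reference), piecewise_hashes(image))
    return [i for i, (a, b) in enumerate(pairs) if a != b]


def carve(blob):
    return re.findall(rb"ledger entry \d{3}", blob)


def acquire_twice():
    """Image the drive, let the controller run garbage collection, image again."""
    drive = FlashDrive()
    drive.write_file("ledger.txt", b"ledger entry 001\nledger entry 002\n" * 3)
    drive.write_file("readme.txt", b"nothing to see here\n")
    drive.delete_file("ledger.txt")  # pages 0 and 1 become stale, bytes untouched
    first = drive.image()
    wiped = drive.garbage_collect()
    return first, drive.image(), wiped
```

Per-block hashes are what let an examiner say which part of a second image diverged from the first rather than only that the whole-drive hash no longer matches.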
Wiebe explains that “While write-blockers may stop the TRIM command from reaching a hard drive, they do not stop a SSD drive from executing internal wear-leveling algorithms” (6). The TRIM command is a garbage collection tool. Wear-leveling, unlike defragmentation, causes files to be spread out and saved in blocks all over the solid state drive. This prolongs the life of the drive, because cells can only be written a certain number of times before they wear out. It is not necessary for data to be in sequential order as it is on hard disk drives, so files can be spread randomly across the entire drive. Because of this random spread, even if we were able to examine the data from the flash chips, we may not be able to piece some of the data together. In order to acquire the data from the flash chips reliably, we need to eliminate interference from the flash memory controller. The flash chips can be removed from the solid state drive and placed in a device that reads the data. Digital forensic investigators are able to image the flash chips with this device. We can read any data left on the chip, whether valid or stale, but as mentioned previously we may not be able to read some of the data that has been randomly spread out. This is not a complete solution to the problems created by solid state drives, and forensic technology must evolve to combat this threat.

As hardware advances, so does software. Private internet browsers are becoming more popular. As rumors spread about the NSA, people want more privacy while using their devices. The four largest internet browsers have incorporated a private mode for staying hidden when browsing the web. They all work differently, but their goals are mostly the same. Internet Explorer, Google Chrome, Mozilla Firefox, and Apple Safari have all created a private mode for their users. All of these web browsers claim their privacy mode either does not store artifacts or removes them from the local machine after the browser session ends. Google Chrome and Mozilla Firefox both claim their privacy mode keeps users hidden from websites tracking their browsing patterns. Are their claims legitimate?
The privacy modes of all these browsers store artifacts in volatile memory in order to operate, but it is not always feasible to perform a live acquisition. What data, if any, is left behind on the hard drive by these private browsers? Ohana and Shashidhar state that “private browsing modes and portable browsers do in fact leave incriminating evidence, but it depends on the browser. Some browsers left enough information to establish an affirmative link and some did not” (139). Their research showed that Internet Explorer left behind the most artifacts, but not where these artifacts are typically found. They were able to recover all of the data, except for playable videos, from Internet Explorer’s InPrivate mode. This data includes cached images, URL history, and usernames with their associated accounts. Much of the data was found in slack space and free space. Recovering artifacts from the other three browsers was not as simple as from Internet Explorer. Ohana and Shashidhar explain that “it was difficult to establish an affirmative link between the user and session because none of the usernames and other history information was accessible; the same resulted for Mozilla Firefox” (139). Both browsers displayed timestamps for when privacy mode was opened and closed. Images were only recoverable through a live memory acquisition, and those were mostly partial images. Google Chrome’s Incognito mode modified timestamps on leftover artifacts, which ruins the affirmative link between user and session. An important note is that any documents viewed through these private browsers were recoverable on the hard disk drive. These two browsers left far fewer artifacts than Internet Explorer and Apple Safari. Ohana and Shashidhar’s research concluded that Apple Safari left behind every URL visited in the free and slack space on the hard drive. The “WebpageIcons” database also contained webpage icons for every website visited (139). Unlike Internet Explorer, Apple Safari left behind partial images only available through a live memory acquisition. Timestamps were also visible and unmodified on the hard drive.

What can we conclude from this research on private browsers? The private browsing modes of Internet Explorer and Apple Safari are not very private at all. There are enough artifacts left behind by both of these browsers to build a case of evidence against a subject. However, not all private browsers allow an investigator to gather evidence. Google Chrome and Mozilla Firefox are both quite private when it comes to examining artifacts on a hard drive. Gathering enough evidence from the data they leave behind can be very difficult. The only sure way a forensic investigator can gather a great deal of evidence from these browsers is through a live memory acquisition. Combining private internet browsers with solid state drives can make it almost impossible for an investigator to acquire and examine the data from these browsing sessions.

There is another web browser rising in popularity that is hidden from some digital forensic investigators. Steam is a video game client for Windows, Mac, and now Linux. The client is based on the WebKit engine. A user must log into the Steam client with their Steam account in order to access its features. Steam consists of the client and the in-game overlay. The Steam client allows a user to browse and purchase games, add and chat with friends, launch and browse games purchased by the user, and browse the web. The in-game overlay can only be accessed while playing a game. It allows a user to view achievements, add and chat with friends, view guides and other community-created content, and also browse the web. Many digital forensic investigators may ignore Steam data since it presents itself as only a video game client. Not only can Steam contain evidence, but it can also lead to acquiring passwords for access to other aspects important in an investigation.
Peter Clemenko examined the Steam client and presented his findings at BSides Delaware 2013. He says that “all of the steam components that use a browser store cookies, cache, and local storage files” (Clemenko). The cache is stored as raw files, while the cookies and local storage files are stored in SQLite 3 databases. All of these files are located in the “/steam/config/htmlcache/” folder. Some PC games even store the usernames and passwords used for logging in. The private chat used for communicating with friends can sometimes store the last portions of recent chats. The chat logs are not stored locally but in the Steam cloud instead. Although acquiring and gathering data in the Steam client may not be as difficult as with solid state drives or private browsers, it can still be overlooked by digital forensics investigators.

The evolution of technology seems to be difficult to keep up with in the world of digital forensics. The most common techniques we use to acquire and examine data are now becoming outdated. It is no longer as easy as pulling the power cord and taking out the hard disk drive for acquisition. Acquiring data from unallocated space will no longer be a reliable option as solid state drives become cheaper and faster. Evidence can now be removed permanently from a drive automatically through garbage collection. A drive full of data can now be completely wiped in minutes or seconds with a single command. Write blockers can be rendered useless by the wear-leveling algorithms of flash memory controllers. Our only option is to physically pull out each flash memory chip and examine data that has not been deleted. We must piece this data together as it is randomly spread across multiple blocks on different flash chips. Live memory acquisition might become a necessity instead of an option as private web browsers like Google Chrome and Mozilla Firefox become more popular.
Even the private modes of browsers like Internet Explorer and Apple Safari will no longer leave usable artifacts behind when they are used in combination with solid state drives. We must become more aware as video game clients like Steam add features that allow users to browse the internet and chat with friends. Currently there are very few options to acquire solid evidence from new technology. Analyzing and gathering past data from this technology has proved to be problematic with our modern digital forensic techniques. More research needs to be done and new techniques must be discovered to examine digital evidence. Computer forensics was introduced to create a trail of evidence for crimes using digital devices. As that digital evidence fades away, so does the world of computer forensics.
Works Cited

Best Practices for Seizing Electronic Evidence V.3: A Pocket Guide for First Responders. United States, 2007. Print.

Casey, Eoghan, and Gerasimos J. Stellatos. "The Impact of Full Disk Encryption on Digital Forensics." ACM SIGOPS Operating Systems Review 42.3 (2008): 93. Print.

Lai, Xuejia. "Live Memory Acquisition through FireWire." Forensics in Telecommunications, Information and Multimedia: Third International ICST Conference; Revised Selected Papers. Berlin; Heidelberg: Springer, 2011. 159-167. Print.

Martin, Antonio. "FireWire Memory Dump of a Windows XP Computer: A Forensic Approach." http://www.friendsglobal.com/papers/FireWire%20Memory%20Dump%20of%20Windows%20XP.pdf. N.p., 2007. Web. 7 Apr. 2014.

Australia. Department of Defense. Cyber and Electronic Warfare Division. Memory Forensics: Review of Acquisition and Analysis Techniques. By Grant Osborne. Defence Science and Technology Organisation, Nov. 2013. Web. 7 Apr. 2014.

Sammons, John. "Solid-State Drives Are a Game Changer for Deleted Files." Technology for the Litigator E-Newsletter (11 June 2012): n. pag. American Bar Association. Technology for the Litigator, 11 June 2012. Web. 8 Apr. 2014.

Marko, Kurt. "Storage Innovation." InformationWeek 23 July 2012: 12. Computer Database. Web. 9 Apr. 2014.

Jacobi, Jon L. "Restore Your SSD to Peak Performance." PC World 32.3 (2014): 148-151. Computer Source. Web. 10 Apr. 2014.

Wiebe, James. "Forensic Insight into Solid State Drives." DFI News. CRU-DataPort/WiebeTech, 28 May 2013. Web. 10 Apr. 2014.

Ohana, Donny J., and Narasimha Shashidhar. "Do Private and Portable Web Browsers Leave Incriminating Evidence?: A Forensic Analysis of Residual Artifacts from Private and Portable Web Browsing Sessions." EURASIP Journal on Information Security 2013.1 (2013): 6. Print.

Clemenko, Peter, III. "Playing the Forensics Game: Forensic Analysis of Gaming Applications for Fun and Profit." BSides Delaware 2013. Delaware, Wilmington. 13 Apr. 2014. Lecture.