Experimental Investigation of Frozen Solid State Drive on Digital Evidence with Static Forensic Methods

Author(s):  
Imam Riadi ◽  
Rusydi Umar ◽  
Imam Mahfudl Nasrulloh

The rapid development of computer hardware technology has produced the Solid State Drive (SSD), a non-volatile computer storage medium. SSD technology has faster data access speeds than hard disks and is starting to replace hard disk storage media. Computer technicians often install freezing software on computer systems because it can save computer maintenance costs caused by errors or by exposure to computer viruses or malware. This software is used to prevent unwanted changes to the computer system: when the computer is restarted, changes that occurred in the computer system are not stored on the storage media. When this happens, what should digital forensic investigators do? This study discusses experimental forensic investigations of SSD storage media in a frozen condition, referred to in this study as a frozen SSD. A frozen SSD is a drive that is locked so that no changes are made to the computer system. Software used to lock the drive and prevent changes includes Deep Freeze, Shadow Defender, Windows Steady State, and Toolwiz Time Freeze. The forensic research stages follow the NIST method. The comparative analysis shows that, with Deep Freeze, RecoverMyFile gives 76.38% and Autopsy gives 75.27%, while in the frozen condition with Shadow Defender, RecoverMyFile gives 59.72% and Autopsy gives 74.44%. The results of this study indicate that drive freezing software has an effect that can be an obstacle in the digital forensic process.

2020 ◽  
Vol 2 (2) ◽  
pp. 1-6
Author(s):  
Doddy Teguh Yuwono ◽  
Yunanri W

Data recovery is the most important part of digital forensics. For state investigators, producing evidence that is valid in court is very important and mandatory. Flash memory, Hard Disk Drives (HDD) and Solid State Drives (SSD) are among the storage media used to hold all kinds of data and information in various digital file formats. Because they are digital, files in these formats can be hidden, deleted, and even formatted on the storage media, while all of the data and information must be found by state investigators. The basic principle is that digital data or information, once copied to flash memory, an HDD or an SSD, is never permanently lost, even when it is lost through deletion, quick formatting or a system crash. So recovering the data is very possible. In this study, tests were carried out using Foremost, FTK Imager, and Scalpel, which are open-source tools that can be used on proprietary and open-source operating systems. The method used is that of the National Institute of Standards and Technology (NIST). NIST has very good working guidance on policies and standards to ensure that every examiner follows the same workflow, so that their work is documented and the results can be reviewed and defended in reporting before being submitted as valid evidence. The results of this study show that Foremost, FTK Imager, and Scalpel can recover deleted, hidden, and formatted data.


2014 ◽  
Vol 644-650 ◽  
pp. 1620-1624
Author(s):  
Yuan Hua Yang ◽  
Xian Bin Xu ◽  
Shui Bing He ◽  
Yu Hua Wen

Although hard disk drives have been popular for several decades, they still suffer from slow speeds and high power consumption. By contrast, flash-based solid state disks exhibit good performance and low power consumption. However, their limited lifetime is a fatal flaw of solid state disks. In order to take full advantage of hard disk drives and solid state disks, we design a hybrid storage system to make them work in a complementary manner. Further, we propose a data placement scheme for this system that determines whether data is placed on the underlying solid state disks or hard disk drives based on data access statistics. Experimental results show that the lifetime of the solid state disks and the response time of the system can be significantly improved compared with using either storage medium alone.


Author(s):  
Wisnu Pranoto ◽  
Imam Riadi ◽  
Yudi Prayudi

SSDs now have a new storage media technology, the Solid State Drive Non-volatile Memory Express (SSD NVMe). In addition, SSDs have a feature called TRIM. The TRIM feature allows the operating system to tell the SSD which blocks are no longer in use. TRIM removes blocks that have been marked for removal by the operating system. However, the TRIM function has a negative effect on digital forensics, specifically on data recovery. This study aimed to compare TRIM disabled and TRIM enabled to determine the ability of forensic tools and recovery tools to restore digital evidence on an NVMe SSD with the TRIM function. The operating system used in this study was Windows 10 Professional with the NTFS file system. Typically, acquisition is conducted using traditional or static techniques. Therefore, a technique was needed to acquire the SSD using the live forensics method, without shutting down the running operating system. The live forensics method was applied to acquire the NVMe SSD directly, with TRIM disabled and with TRIM enabled. The tool used for live acquisition and recovery was FTK Imager Portable. The inspection and analysis phases used Sleuth Kit Autopsy and Belkasoft Evidence Center. This research found that, comparing recovery with TRIM disabled and enabled, evidence could be found with TRIM disabled while maintaining the integrity of the evidence. This was indicated by the identical hash values of the original file and the recovered file. Conversely, when TRIM was enabled, the files were damaged and could not be recovered. The files were also not identical to the original, so the integrity of the evidence was not guaranteed.


Author(s):  
Lidu Huang ◽  
Kenzi Suzuki ◽  
Fu-Ying Huang ◽  
Toshiki Hirano ◽  
Barry Stipe

Heat assisted magnetic recording (HAMR) and slim mobile hard disk drives (HDD) are being developed in parallel to maintain a cost advantage over the solid state drive (SSD). Operational shock and non-operational shock capabilities are seriously challenged for slim HDDs due to reduced stiffness (thickness). It is worse for slim HAMR drives due to the additional laser diode (LD) and other necessities being added on the slider. Shock tests are part of the key performance matrices that must be passed in HDD reliability tests, and the concerns for HAMR mobile drives are 1) slider lift-off G-level degradation during op-shock, and 2) LD back-to-back hitting during non-operational shock. We studied a few potential HAMR HGA designs and also analyzed a design that improves drive op-shock performance.


Infotekmesin ◽  
2019 ◽  
Vol 10 (2) ◽  
pp. 1-8
Author(s):  
Abdul Rohman Supriyono ◽  
Bambang Sugiantoro ◽  
Yudi Prayudi

Network devices that serve as file-sharing media and can be used as file servers have begun to appear; for example, smart router devices can be used as file servers by adding a USB thumb drive as storage media. The diversity of router devices poses a challenge for digital forensic science when a case involves a smart router device and its file-sharing services. It is therefore necessary to study the right method for investigating smart router devices. This paper discusses the use of the live forensics acquisition method in investigating smart router devices, focusing on system log files related to file-sharing activities. Identification is the process of searching for, recognizing, and documenting potential digital evidence on processing devices and digital storage media. The acquisition process uses two methods: live acquisition on the router device and physical acquisition on the device used as storage media on the smart router.


2019 ◽  
Vol 6 (5) ◽  
pp. 509
Author(s):  
Imam Mahfudl Nasrulloh ◽  
Sunardi Sunardi ◽  
Imam Riadi

Computer technology in the last four years has experienced rapid development. At the same time, it also has a negative impact, one of which is computer crime. Computer crime leaves traces of criminal activity, so it is necessary to analyze them with forensic science and methods to obtain evidence. What if a computer crime occurs on a computer storage medium of the non-volatile memory type and the investigation is carried out with live forensics? In this study, a forensic process was carried out on a Solid State Drive (SSD) with the Grr Rapid Response framework in a case of lost data in an organization. The forensic work steps implement those of the National Institute of Standards Technology (NIST). The Grr Rapid Response framework is used to respond to digital forensic incidents and is focused on remote forensic environments; the framework is based on a client-server architecture. The results of this study indicate that NIST's forensic work steps can be implemented in the process of collecting digital evidence with live forensic acquisition methods, and that, in the examination process with the Grr Rapid Response forensic tool on a workstation (Grr client) with SSD storage media, digital evidence can be found and recovered. The digital evidence that can be recovered is a document file, and validation of the digital evidence yields the same hash value for both of the digital evidence validation algorithms implemented, MD5 and SHA-1. The integrity result for the document therefore shows that the digital evidence is identical.


Nowadays the quantity of data grows day by day, and accordingly the size of storage media is also increasing rapidly. Most storage devices use flash memory; one of them is the solid state drive. Solid state drives (SSDs) are non-volatile data storage devices that store persistent data in NAND or NOR flash memory and provide functionality similar to a traditional hard disk drive (HDD). This paper provides a comparative study of solid state drives and hard disk drives. It also implements an algorithm to enhance the security of solid state drives in terms of user authentication, access control and media recovery from the ATA security feature set. This algorithm fulfils security principles such as authentication and data integrity.



