Deconstruct and preserve (DaP): a method for the preservation of digital evidence on solid state drives (SSD)

Mitchell, Ian ORCID: https://orcid.org/0000-0002-3882-9127, Anandaraja, Tharmila, Hara, Sukhvinder ORCID: https://orcid.org/0000-0003-1859-1227, Hadzhinenov, George and Neilson, David (2017) Deconstruct and preserve (DaP): a method for the preservation of digital evidence on solid state drives (SSD). Global Security, Safety and Sustainability - The Security Challenges of the Connected World: 11th International Conference, ICGS3 2017, London, UK, January 18-20, 2017, Proceedings. In: 11th International Conference on Global Security, Safety and Sustainability, 18-20 Jan 2017, Greenwich, London, England. ISBN 9783319510637. ISSN 1865-0929 [Conference or Workshop Item] (doi:10.1007/978-3-319-51064-4_1)

Preview

PDF - Final accepted version (with author's formatting) Download (308kB) | Preview

Abstract

Imaging SSDs is problematic due to TRIM commands and garbage collectors that make the SSD behave inconsistently over time. It is this inconsistency that can cause a difference between images taken of the SSD. These differences result in unmatched hash number gener-ation and would normally be attributed to contamination or spoliation of digital evidence. DaP is a proposed method that ensures all images taken of the SSD are consistent and removes the volatility normally as-sociated with these devices. DaP is not focused with the recoverability of deleted data, however DaP does stabilise the device to prevent uninten-tional contamination due to garbage collection. Experiments show that the DaP method works on a range of devices and consistently produces the hash-identical images. The conclusions are to consider DaP as a new Standard Operating Procedure (SOP) when imaging SSDs.

Actions (login required)

View Item

Statistics

Downloads

Export as CSVXMLJSON

Activity Overview

624Downloads

534Hits

Additional statistics are available via IRStats2.