Difference between pages "Solid State Drive (SSD) Forensics" and "Libqcow"

From ForensicsWiki
m (Presentations)
 
(External Links)
 
Line 1: Line 1:
Solid State Drives pose a variety of interesting challenges for computer forensics. Most SSD devices are based on flash memory. Flash has two properties that complicate its use in computer storage systems:
+
{{Infobox_Software |
# Unlike normal hard drives that can be written in a single pass, flash memory is arranged in pages that must first be erased before it can be written.
+
  name = libqcow |
# Each flash page consists of multiple blocks. Typically block size is 512 bytes and page size is 2KiB, 4KiB, or larger.
+
  maintainer = [[Joachim Metz]] |
# Each page can be erased and rewritten a limited number of times---typically 1000 to 10,000. (Hard drive sectors, in contrast, can be rewritten millions of times or more.)
+
  os = [[Linux]], [[FreeBSD]], [[NetBSD]], [[OpenBSD]], [[Mac OS X]], [[Windows]] |
 +
  genre = {{Disk imaging}} |
 +
  license = {{LGPL}} |
 +
  website = [http://code.google.com/p/libqcow/ code.google.com/p/libqcow] |
 +
}}
  
To overcome these problems, SSD manufacturers have created a system for ''wear leveling''---that is, spreading the writes to flash out among different sectors. Wear leveling is typically done with a ''flash translation layer'' that maps ''logical sectors'' (or LBAs) to ''physical pages.''  Most FTLs are contained within the SSD device and are not accessible to end users.
+
The '''libqcow''' package contains a library and applications to read the [[QCOW_Image_Format | QEMU Copy-On-Write (QCOW) image]] format.
  
==Bibliography==
+
== Tools ==  
<bibtex>
+
The '''libqcow''' package contains the following tools:
@inproceedings{wei2011,
+
* '''qcowinfo''', which shows the information about QCOW files.
  author = {Michael Wei and Laura M. Grupp and Frederick M. Spada and Steven Swanson},
+
* '''qcowmount''', which FUSE mounts QCOW image files.
  title = {Reliably Erasing Data from Flash-Based Solid State Drives},
+
  booktitle={FAST 2011},
+
  year = 2011,
+
  keywords = {erasing flash security ssd},
+
  added-at = {2011-02-22T09:22:03.000+0100},
+
  url={http://cseweb.ucsd.edu/users/m3wei/assets/pdf/FMS-2010-Secure-Erase.pdf},
+
  biburl = {http://www.bibsonomy.org/bibtex/27c408ad559fc19f829717f485707a909/schmidt2}
+
}
+
</bibtex>
+
<bibtex>
+
@article{bell2011,
+
author="Graeme B. Bell and Richard Boddington",
+
title="Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery?",
+
journal="Journal of Digital Forensics, Security and Law",
+
volume=5,
+
issue=3,
+
year=2011,
+
url={http://www.jdfsl.org/subscriptions/JDFSL-V5N3-Bell.pdf}
+
}
+
</bibtex>
+
<bibtex>
+
@inproceedings{Billard:2010:MSU:1774088.1774426,
+
author = {Billard, David and Hauri, Rolf},
+
title = {Making sense of unstructured flash-memory dumps},
+
booktitle = {Proceedings of the 2010 ACM Symposium on Applied Computing},
+
series = {SAC '10},
+
year = {2010},
+
isbn = {978-1-60558-639-7},
+
location = {Sierre, Switzerland},
+
pages = {1579--1583},
+
numpages = {5},
+
url = {http://doi.acm.org/10.1145/1774088.1774426},
+
doi = {http://doi.acm.org/10.1145/1774088.1774426},
+
acmid = {1774426},
+
publisher = {ACM},
+
address = {New York, NY, USA},
+
keywords = {cell phone, computer forensics, file carving, flash-memory dumps, forensics},
+
}
+
</bibtex>
+
<bibtex>
+
@mastersthesis{regan:2009,
+
  title="The Forensic Potential of Flash Memory",
+
  author="James E. Regan",
+
  school="Naval Postgraduate School",
+
  address="Monterey, CA",
+
  date=Sep,
+
  year=2009,
+
  pages=86,
+
  url="http://handle.dtic.mil/100.2/ADA509258"
+
}
+
</bibtex>
+
<bibtex>
+
@inproceedings{Phillips:2008:RDU:1363217.1363243,
+
author = {Phillips, B. J. and Schmidt, C. D. and Kelly, D. R.},
+
title = {Recovering data from USB flash memory sticks that have been damaged or electronically erased},
+
booktitle = {Proceedings of the 1st international conference on Forensic applications and techniques in telecommunications, information, and multimedia and workshop},
+
series = {e-Forensics '08},
+
year = {2008},
+
isbn = {978-963-9799-19-6},
+
location = {Adelaide, Australia},
+
pages = {19:1--19:6},
+
articleno = {19},
+
numpages = {6},
+
url = {http://portal.acm.org/citation.cfm?id=1363217.1363243},
+
acmid = {1363243},
+
publisher = {ICST (Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering)},
+
address = {ICST, Brussels, Belgium, Belgium},
+
keywords = {data recovery, flash memory, semiconductor data remanence},
+
}
+
</bibtex>
+
  
==Presentations==
+
== Examples ==  
* [http://www.snia.org/events/storage-developer2009/presentations/thursday/NealChristiansen_ATA_TrimDeleteNotification_Windows7.pdf ATA Trim / Delete Notification Support in Windows 7], Neal Christiansen, Storage Developer 2009
+
 
* [http://www.slideshare.net/digitalassembly/challenges-of-ssd-forensic-analysis Challenges of SSD Forensic Analysis], Digital Assembly,
+
FUSE mounting a QCOW image (libqcow 20111009 or later)
* [http://www.youtube.com/watch?v=WcO7xn0wJ2I Solid State Drives: Ruining Forensics], by Scott Moulton, DEFCON 16 (2008)
+
<pre>
* Scott Moulton, Shmoocon 20008,  SSD drives vs. Hard Drives.
+
qcowmount image.qcow mount_point
** [http://www.youtube.com/watch?v=l4hbdZFWGog SSD Flash Hard Drives - Shmoocon 2008 - Part 1]
+
</pre>
** [http://www.youtube.com/watch?v=mglEnIPnzjo SSD Flash Hard Drives - Shmoocon 2008 - Part 2]
+
 
** [http://www.youtube.com/watch?v=3psy_d-pyNg SSD Flash Hard Drives - Shmoocon 2008 - Part 3]
+
== History ==
** [http://www.youtube.com/watch?v=pKeZvhDd5c4 SSD Flash Hard Drives - Shmoocon 2008 - Part 4]
+
 
** [http://www.youtube.com/watch?v=9XMBdDypSO4 SSD Flash Hard Drives - Shmoocon 2008 - Part 5]
+
Libqcow was created by [[Joachim Metz]] in 2010.
** [http://www.youtube.com/watch?v=LY36SWbfQg0 SSD Flash Hard Drives - Shmoocon 2008 - Part 6]
+
 
* [http://risky.biz/RB185 Risky Business #185], Peter Gutmann talks SSD forensics, March 4, 2011 (Radio Show)
+
== Also See ==
 +
[[QCOW_Image_Format | QEMU Copy-On-Write (QCOW) image format]]
 +
 
 +
== External Links ==
 +
* [https://code.google.com/p/libqcow/ Project site]
 +
* [https://code.google.com/p/libqcow/wiki/Building Building libqcow and tools from source]
 +
* [https://code.google.com/p/libqcow/wiki/Mounting Mounting a QCOW image]
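Review bot: the infobox `website` field links to http://code.google.com/p/libqcow/ while the three External Links entries at the end of the page use https://code.google.com/p/libqcow/ for the same host. Switch the infobox link to the https form so every reference to the project site, where readers are sent to fetch and build a forensic tool, uses the same scheme.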

Revision as of 00:29, 15 July 2013

libqcow
Maintainer: Joachim Metz
OS: Linux, FreeBSD, NetBSD, OpenBSD, Mac OS X, Windows
Genre: Disk imaging
License: LGPL
Website: code.google.com/p/libqcow

The libqcow package contains a library and applications to read the QEMU Copy-On-Write (QCOW) image format.

Tools

The libqcow package contains the following tools:

  • qcowinfo, which shows information about QCOW files.
  • qcowmount, which FUSE mounts QCOW image files.

Examples

FUSE mounting a QCOW image (libqcow 20111009 or later)

qcowmount image.qcow mount_point

History

Libqcow was created by Joachim Metz in 2010.

Also See

QEMU Copy-On-Write (QCOW) image format

External Links