Difference between pages "Solid State Drive (SSD) Forensics" and "User:Gilpacheco"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
m (Bibliography)
 
m (Creating user page with biography of new user.)
 
Line 1: Line 1:
Solid State Drives pose a variety of interesting challenges for computer forensics. Most SSD devices are based on flash memory. Flash has two properties that complicate its use in computer storage systems:
+
System Analyst.
# Unlike normal hard drives that can be written in a single pass, flash memory is arranged in pages that must first be erased before it can be written.
+
# Each flash page consists of multiple blocks. Typically block size is 512 bytes and page size is 2KiB, 4KiB, or larger.
+
# Each page can be erased and rewritten a limited number of times---typically 1000 to 10,000. (Hard drive sectors, in contrast, can be rewritten millions of times or more.)
+
 
+
To overcome these problems, SSD manufacturers have created a system for ''wear leveling''---that is, spreading the writes to flash out among different sectors. Wear leveling is typically done with a ''flash translation layer'' that maps ''logical sectors'' (or LBAs) to ''physical pages.''  Most FTLs are contained within the SSD device and are not accessible to end users.
+
 
+
==Bibliography==
+
<bibtex>
+
@inproceedings{wei2011,
+
  author = {Michael Wei and Laura M. Grupp and Frederick M. Spada and Steven Swanson},
+
  title = {Reliably Erasing Data from Flash-Based Solid State Drives},
+
  booktitle={FAST 2011},
+
  year = 2011,
+
  keywords = {erasing flash security ssd},
+
  added-at = {2011-02-22T09:22:03.000+0100},
+
  url={http://cseweb.ucsd.edu/users/m3wei/assets/pdf/FMS-2010-Secure-Erase.pdf},
+
  biburl = {http://www.bibsonomy.org/bibtex/27c408ad559fc19f829717f485707a909/schmidt2}
+
}
+
</bibtex>
+
<bibtex>
+
@article{bell2011,
+
author="Graeme B. Bell and Richard Boddington",
+
title="Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery?",
+
journal="Journal of Digital Forensics, Security and Law",
+
volume=5,
+
issue=3,
+
year=2011,
+
url={http://www.jdfsl.org/subscriptions/JDFSL-V5N3-Bell.pdf}
+
}
+
</bibtex>
+
<bibtex>
+
@inproceedings{Billard:2010:MSU:1774088.1774426,
+
author = {Billard, David and Hauri, Rolf},
+
title = {Making sense of unstructured flash-memory dumps},
+
booktitle = {Proceedings of the 2010 ACM Symposium on Applied Computing},
+
series = {SAC '10},
+
year = {2010},
+
isbn = {978-1-60558-639-7},
+
location = {Sierre, Switzerland},
+
pages = {1579--1583},
+
numpages = {5},
+
url = {http://doi.acm.org/10.1145/1774088.1774426},
+
doi = {http://doi.acm.org/10.1145/1774088.1774426},
+
acmid = {1774426},
+
publisher = {ACM},
+
address = {New York, NY, USA},
+
keywords = {cell phone, computer forensics, file carving, flash-memory dumps, forensics},
+
}
+
</bibtex>
+
<bibtex>
+
@mastersthesis{regan:2009,
+
  title="The Forensic Potential of Flash Memory",
+
  author="James E. Regan",
+
  school="Naval Postgraduate School",
+
  address="Monterey, CA",
+
  date=Sep,
+
  year=2009,
+
  pages=86,
+
  url="http://handle.dtic.mil/100.2/ADA509258"
+
}
+
</bibtex>
+
<bibtex>
+
@inproceedings{Phillips:2008:RDU:1363217.1363243,
+
author = {Phillips, B. J. and Schmidt, C. D. and Kelly, D. R.},
+
title = {Recovering data from USB flash memory sticks that have been damaged or electronically erased},
+
booktitle = {Proceedings of the 1st international conference on Forensic applications and techniques in telecommunications, information, and multimedia and workshop},
+
series = {e-Forensics '08},
+
year = {2008},
+
isbn = {978-963-9799-19-6},
+
location = {Adelaide, Australia},
+
pages = {19:1--19:6},
+
articleno = {19},
+
numpages = {6},
+
url = {http://portal.acm.org/citation.cfm?id=1363217.1363243},
+
acmid = {1363243},
+
publisher = {ICST (Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering)},
+
address = {ICST, Brussels, Belgium, Belgium},
+
keywords = {data recovery, flash memory, semiconductor data remanence},
+
}
+
</bibtex>
+
 
+
==Presentations==
+
* [http://www.snia.org/events/storage-developer2009/presentations/thursday/NealChristiansen_ATA_TrimDeleteNotification_Windows7.pdf ATA Trim / Delete Notification Support in Windows 7], Neal Christiansen, Storage Developer 2009
+
* [http://www.slideshare.net/digitalassembly/challenges-of-ssd-forensic-analysis Challenges of SSD Forensic Analysis], Digital Assembly.
+
* [http://www.youtube.com/watch?v=WcO7xn0wJ2I ]Solid State Drives: Ruining Forensics, by Scott Moulton, DEFCON 16 (2008)
+
* Scott Moulton, Shmoocon 20008,  SSD drives vs. Hard Drives.
+
** [http://www.youtube.com/watch?v=l4hbdZFWGog SSD Flash Hard Drives - Shmoocon 2008 - Part 1]
+
** [http://www.youtube.com/watch?v=mglEnIPnzjo SSD Flash Hard Drives - Shmoocon 2008 - Part 2]
+
** [http://www.youtube.com/watch?v=3psy_d-pyNg SSD Flash Hard Drives - Shmoocon 2008 - Part 3]
+
** [http://www.youtube.com/watch?v=pKeZvhDd5c4 SSD Flash Hard Drives - Shmoocon 2008 - Part 4]
+
** [http://www.youtube.com/watch?v=9XMBdDypSO4 SSD Flash Hard Drives - Shmoocon 2008 - Part 5]
+
** [http://www.youtube.com/watch?v=LY36SWbfQg0 SSD Flash Hard Drives - Shmoocon 2008 - Part 6]
+
* [http://risky.biz/RB185 Risky Business #185], Peter Gutmann talks SSD forensics, March 4, 2011 (Radio Show)
+

Latest revision as of 14:21, 21 April 2011

System Analyst.