Difference between pages "Solid State Drive (SSD) Forensics" and "Compression"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m (Bibliography)
 
(Deflate/Inflate)
 
Line 1: Line 1:
Solid State Drives pose a variety of interesting challenges for computer forensics. Most SSD devices are based on flash memory. Flash has two properties that complicate its use in computer storage systems:
+
{{Expand}}
# Unlike normal hard drives that can be written in a single pass, flash memory is arranged in pages that must first be erased before it can be written.
+
# Each flash page consists of multiple blocks. Typically block size is 512 bytes and page size is 2KiB, 4KiB, or larger.
+
# Each page can be erased and rewritten a limited number of times---typically 1000 to 10,000. (Hard drive sectors, in contrast, can be rewritten millions of times or more.)
+
  
To overcome these problems, SSD manufacturers have created a system for ''wear leveling''---that is, spreading the writes to flash out among different sectors. Wear leveling is typically done with a ''flash translation layer'' that maps ''logical sectors'' (or LBAs) to ''physical pages.''  Most FTLs are contained within the SSD device and are not accessible to end users.
+
== LZ-based ==
  
==Bibliography==
+
=== Deflate/Inflate ===
<bibtex>
+
Used in:
@inproceedings{wei2011,
+
* [[Encase image file format|Expert Witness (Compression) Format (EWF)]]
  author = {Michael Wei and Laura M. Grupp and Frederick M. Spada and Steven Swanson},
+
* [[Gzip|gzip]]
  title = {Reliably Erasing Data from Flash-Based Solid State Drives},
+
  booktitle={FAST 2011},
+
  year = 2011,
+
  keywords = {erasing flash security ssd},
+
  added-at = {2011-02-22T09:22:03.000+0100},
+
  url={http://cseweb.ucsd.edu/users/m3wei/assets/pdf/FMS-2010-Secure-Erase.pdf},
+
  biburl = {http://www.bibsonomy.org/bibtex/27c408ad559fc19f829717f485707a909/schmidt2}
+
}
+
</bibtex>
+
<bibtex>
+
@article{bell2011,
+
author="Graeme B. Bell and Richard Boddington",
+
title="Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery?",
+
journal="Journal of Digital Forensics, Security and Law",
+
volume=5,
+
issue=3,
+
year=2011,
+
url={http://www.jdfsl.org/subscriptions/JDFSL-V5N3-Bell.pdf}
+
}
+
</bibtex>
+
<bibtex>
+
@inproceedings{Billard:2010:MSU:1774088.1774426,
+
author = {Billard, David and Hauri, Rolf},
+
title = {Making sense of unstructured flash-memory dumps},
+
booktitle = {Proceedings of the 2010 ACM Symposium on Applied Computing},
+
series = {SAC '10},
+
year = {2010},
+
isbn = {978-1-60558-639-7},
+
location = {Sierre, Switzerland},
+
pages = {1579--1583},
+
numpages = {5},
+
url = {http://doi.acm.org/10.1145/1774088.1774426},
+
doi = {http://doi.acm.org/10.1145/1774088.1774426},
+
acmid = {1774426},
+
publisher = {ACM},
+
address = {New York, NY, USA},
+
keywords = {cell phone, computer forensics, file carving, flash-memory dumps, forensics},
+
}
+
</bibtex>
+
  
==Presentations==
+
=== LZNT1 ===
* [http://www.snia.org/events/storage-developer2009/presentations/thursday/NealChristiansen_ATA_TrimDeleteNotification_Windows7.pdf ATA Trim / Delete Notification Support in Windows 7], Neal Christiansen, Storage Developer 2009
+
Used in:
* [http://www.slideshare.net/digitalassembly/challenges-of-ssd-forensic-analysis Challenges of SSD Forensic Analysis], Digital Assembly.
+
* [[NTFS]]
* [http://www.youtube.com/watch?v=WcO7xn0wJ2I ]Solid State Drives: Ruining Forensics, by Scott Moulton, DEFCON 16 (2008)
+
* [[Windows SuperFetch Format]]
* Scott Moulton, Shmoocon 20008,  SSD drives vs. Hard Drives.
+
 
** [http://www.youtube.com/watch?v=l4hbdZFWGog SSD Flash Hard Drives - Shmoocon 2008 - Part 1]
+
=== LZXPRESS ===
** [http://www.youtube.com/watch?v=mglEnIPnzjo SSD Flash Hard Drives - Shmoocon 2008 - Part 2]
+
Used in:
** [http://www.youtube.com/watch?v=3psy_d-pyNg SSD Flash Hard Drives - Shmoocon 2008 - Part 3]
+
* [[Extensible Storage Engine (ESE) Database File (EDB) format]]
** [http://www.youtube.com/watch?v=pKeZvhDd5c4 SSD Flash Hard Drives - Shmoocon 2008 - Part 4]
+
 
** [http://www.youtube.com/watch?v=9XMBdDypSO4 SSD Flash Hard Drives - Shmoocon 2008 - Part 5]
+
=== LZXPRESS Huffman ===
** [http://www.youtube.com/watch?v=LY36SWbfQg0 SSD Flash Hard Drives - Shmoocon 2008 - Part 6]
+
Used in:
* [http://risky.biz/RB185 Risky Business #185], Peter Gutmann talks SSD forensics, March 4, 2011 (Radio Show)
+
* [[Windows SuperFetch Format]]
 +
 
 +
== External Links ==
 +
* [http://en.wikipedia.org/wiki/Lempel-Ziv Wikipedia: Lempel-Ziv]
 +
* [http://www.coderforlife.com/microsoft-compression-formats/ Microsoft Compression Formats]
 +
 
 +
=== Deflate/Inflate ===
 +
* [http://en.wikipedia.org/wiki/DEFLATE Wikipedia: DEFLATE]
 +
* [https://tools.ietf.org/html/rfc1950 RFC1950 - ZLIB Compressed Data Format Specification], by [[IETF]]
 +
* [https://tools.ietf.org/html/rfc1951 RFC1951 - DEFLATE Compressed Data Format Specification], by [[IETF]]
 +
 
 +
=== LZ1 ===
 +
* [http://andyh.org/LZ1.html LZ1]

Revision as of 09:58, 21 June 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

LZ-based

Deflate/Inflate

Used in:

LZNT1

Used in:

LZXPRESS

Used in:

LZXPRESS Huffman

Used in:

External Links

Deflate/Inflate

LZ1