Live Forensics Method for Acquisition on the Solid State Drive (SSD) NVMe TRIM Function
Corresponding Author(s): Wisnu Pranoto
Kinetik: Game Technology, Information System, Computer Network, Computing, Electronics, and Control,
Vol. 5, No. 2, May 2020
Abstract
Solid-state storage now includes a new media technology, the Solid State Drive Non-volatile Memory Express (SSD NVMe). SSDs also have a feature called TRIM, which allows the operating system to tell the SSD which blocks are no longer in use. TRIM removes the blocks that the operating system has marked for removal. However, the TRIM function has a negative effect on digital forensics, specifically on data recovery. This study aimed to compare the TRIM disabled and TRIM enabled settings to determine the ability of forensic tools and recovery tools to restore digital evidence on an NVMe SSD with the TRIM function. The operating system used in this study was Windows 10 Professional with the NTFS file system. Typically, acquisition is conducted using traditional or static techniques. A technique was therefore needed to acquire the SSD using the live forensics method, without shutting down the running operating system. The live forensics method was applied to acquire the SSD NVMe directly under both the TRIM disabled and TRIM enabled settings. The tool used for live acquisition and recovery was FTK Imager Portable. The inspection and analysis phases used Sleuth Kit Autopsy and Belkasoft Evidence Center. This research found that, in the recovery process with TRIM disabled and enabled, evidence could be found with TRIM disabled while maintaining the integrity of the evidence. This was indicated by the original file and the recovered file having the same hash value. Conversely, when TRIM was enabled, the files were damaged and could not be recovered. The files were also not identical to the originals, so the integrity of the evidence was not guaranteed.
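The two checks the abstract relies on, recording the TRIM setting and comparing hashes of original and recovered files, shown as an added example that is not code from the paper. It assumes the TRIM state is read from `fsutil behavior query DisableDeleteNotify` on Windows 10 and that trimmed blocks read back as zeros on the drive in question; the sample output and file contents are constructed.

```python
import hashlib
import re

# Constructed sample of `fsutil behavior query DisableDeleteNotify` output.
# The value is inverted: 0 means delete notifications (TRIM) are ENABLED.
SAMPLE_FSUTIL = (
    "NTFS DisableDeleteNotify = 0  (Disabled)\n"
    "ReFS DisableDeleteNotify = 0  (Disabled)\n"
)

# Constructed stand-in for an evidence file (contains no NUL bytes).
ORIGINAL = b"%PDF-1.4\n" + b"constructed evidence " * 200


def parse_trim_state(fsutil_output):
    """Return {file system: True if TRIM is enabled} from fsutil output."""
    state = {}
    for line in fsutil_output.splitlines():
        m = re.match(r"\s*(?:(\w+)\s+)?DisableDeleteNotify\s*=\s*([01])", line)
        if m:
            # Older builds print no file system prefix; treat that as NTFS.
            state[m.group(1) or "NTFS"] = m.group(2) == "0"
    return state


def compare_recovery(original, recovered):
    """Compare a recovered file with its original by SHA-256 and zero fill."""
    h_orig = hashlib.sha256(original).hexdigest()
    h_rec = hashlib.sha256(recovered).hexdigest()
    return {
        "original_sha256": h_orig,
        "recovered_sha256": h_rec,
        "identical": h_orig == h_rec,
        # Share of NUL bytes; near 1.0 suggests the blocks were trimmed
        # (assumption: this drive returns zeros for trimmed blocks).
        "zero_fraction": recovered.count(0) / len(recovered) if recovered else 1.0,
    }


if __name__ == "__main__":
    print("TRIM enabled per file system:", parse_trim_state(SAMPLE_FSUTIL))
    cases = {
        "TRIM disabled (intact copy)": ORIGINAL,
        "TRIM enabled (zero-filled)": bytes(len(ORIGINAL)),
    }
    for label, recovered in cases.items():
        r = compare_recovery(ORIGINAL, recovered)
        print(label, "identical:", r["identical"], "zeros:", r["zero_fraction"])
```

Record the TRIM state in the acquisition notes before imaging, since it determines how a hash mismatch on a recovered file should be interpreted.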