Solid-state storage media, particularly solid-state drives (SSDs), present new challenges to forensic investigation that need to be addressed. The low-level
behavior of these drives is dramatically different from that of mechanical hard disk drives, including what low-level data is available, how that data is
obtained, and how that data is interpreted. Interpreting low-level data is a useful tool in computer forensics, but disk forensics tools and techniques
have not yet adapted to accommodate solid-state drives. The fundamental problem is that there is a layer of hardware logic between the computer and
the raw flash storage that is difficult to bypass. To improve the analysis of SSDs in computer forensics, forensic analysts must be able to acquire data
from as low a level as possible and must have tools and techniques available to properly interpret and analyze data acquired from SSDs. To address
this need, ATC-NY will develop Arden, a collection of tools and techniques to acquire low-level SSD data and perform forensic analysis of both high-level
and low-level data acquired from SSDs. We will develop and test techniques that obtain access to low-level device data over the peripheral bus,
over debug ports, and through device reprogramming. Using Arden, a computer forensic analyst can easily acquire a forensic image of a solid-state
drive; obtain SSD-specific evidence, such as hidden data; and then analyze the forensic image using existing analysis tools, such as EnCase or FTK.
ATC-NY will release Arden as open-source software.
Small Business Information at Submission:
33 Thornwood Drive, Suite 500 Ithaca, NY 14850-1280
Number of Employees: