Automated Flash Memory Analysis

Electronic devices used in criminal activity provide excellent evidence when examined, which is getting increasingly difficult as devices shrink and tools
fall behind in capability. Law enforcement face an uphill battle to stay ahead of the latest technology changes since devices evolve so quickly. Central to
all of these devices is the role of flash memory, which is the long-term storage available on almost all devices. As a result of these trends, there is a need
to be able to obtain data from flash memories.
Factors hindering obtaining useful data from seized flash chips are: 1) there is no standard way to access flash chips, 2) ordering mixed data blocks is
like jigsaw solving, and 3) after reordering the data needs converted into usable pieces.
Our solution is a hardware/software combination that allows software controlled reading of any chip type through programmable logic. Resulting raw
data is reorganized with a software tool we developed that operates by finding "fingerprints" of various data objects, then leverages knowledge of what
must be nearby to weed out false positives and obtain more fingerprints, incrementally ordering the blocks correctly. A data view orders objects,
presenting multiple views of the data suitable for forensic analysis