A forensics overview and analysis of USB flash memory devices
Document Type
Conference Proceeding
Publisher
Centre for Security Research, Edith Cowan University
Faculty
Faculty of Computing, Health and Science
School
School of Computer and Security Science / Centre for Security Research
RAS ID
8632
Abstract
Current forensic tools for examination of embedded systems like mobile phones and PDAs mostly perform data extraction on a logical level and do not consider the type of storage media during data analysis. This report suggests different low-level approaches for the forensic examination of flash memories and describes three low-level data acquisition methods for making full memory copies of flash memory devices. Results of a file system study in which USB memory sticks from 45 different makes and models were used are presented. For different mobile phones, this paper shows how full memory copies of their flash memories can be made and which steps are needed to translate the extracted data into a format that can be understood by common forensic media analysis tools. Artefacts caused by flash-specific operations like block erasing and wear levelling are discussed, and directions are given for enhanced data recovery and analysis of data originating from flash memory.
DOI
10.4225/75/57b28b7240cd3
Comments
Sansurooah, K. (2009, March). A forensics overview and analysis of USB flash memory devices. In Australian Digital Forensics Conference (p. 70).