Title

A forensics overview and analysis of USB flash memory devices

Document Type

Conference Proceeding

Publisher

Centre for Security Research, Edith Cowan University

Faculty

Computing, Health and Science

School

Computer and Security Science, Centre for Security Research

RAS ID

8632

Comments

Originally published as: Sansurooah, K. (2009, March). A forensics overview and analysis of USB flash memory devices. In Australian Digital Forensics Conference (p. 70). Original article available here

Abstract

Current forensic tools for examination of embedded systems like mobile phones and PDAs mostly perform data extraction on a logical level and do not consider the type of storage media during data analysis. This report suggests different low-level approaches for the forensic examination of flash memories and describes three low-level data acquisition methods for making full memory copies of flash memory devices. Results of a file system study in which USB memory sticks from 45 different makes and models were used are presented. For different mobile phones, this paper shows how full memory copies of their flash memories can be made and which steps are needed to translate the extracted data into a format that can be understood by common forensic media analysis tools. Artefacts caused by flash-specific operations like block erasing and wear levelling are discussed, and directions are given for enhanced data recovery and analysis of data originating from flash memory.

DOI

10.4225/75/57b28b7240cd3

 