A forensics overview and analysis of USB flash memory devices
Centre for Security Research, Edith Cowan University
Faculty of Computing, Health and Science
School of Computer and Security Science / Centre for Security Research
Current forensic tools for examination of embedded systems like mobile phones and PDAs mostly perform data extraction on a logical level and do not consider the type of storage media during data analysis. This report suggests different low level approaches for the forensic examination of flash memories and describes three low-level data acquisition methods for making full memory copies of flash memory devices. Results of a file system study in which USB memory sticks from 45 different make and models were used are presented. For different mobile phones, this paper shows how full memory copies of their flash memories can be made and which steps are needed to translate the extracted data into a format that can be understood by common forensic media analysis tools. Artefacts, caused by flash specific operations like block erasing and wear levelling, are discussed and directions are given for enhanced data recovery and analysis of data originating from flash memory.