A forensics framework and method in the acquisition and extraction of data from NAND Flash memory storage chip

Date of Award

2015

Document Type

Thesis

Publisher

Edith Cowan University

Degree Name

Doctor of Philosophy

School

School of Computer and Security Science

Faculty

Faculty of Health, Engineering and Science

First Supervisor

Professor Craig Valli

Second Supervisor

Associate Professor Trish William

Third Supervisor

Dr Wlodzimierz Gornisiewicz

Abstract

The aim of this thesis is to investigate a method for acquiring and extracting data from NAND flash memory storage devices and to validate that methodology. Furthermore, a validated and reproducible framework for the acquisition and extraction of data from the NAND flash memory storage chip is developed as a guideline for forensic investigators who are required to preserve and recover data stored on NAND flash memory storage devices in a forensically acceptable manner.

The digital forensic community is currently facing a situation determined by the rapidly increasing popularity of NAND flash memory technology. NAND flash technology is significantly different from other storage memory technologies. Like any technology that is new and evolving, manufacturers are still experimenting with the design and implementation of their versions. In contrast to magnetic drives, there is no standardized approach to producing NAND flash memory storage devices.

The first part of this thesis presented the results of a literature review of NAND flash memory storage devices, digital forensics practices and principles, an understanding of the Flash Translation Layer (FTL) and the characteristics of the NAND flash memory chip, together with logical versus physical acquisition and forensic guidelines. The literature review examined how the NAND flash memory storage chip differs architecturally from a traditional magnetic hard disk drive (HDD) and also highlighted that, given the increased use of NAND flash technology related devices as part of digital devices, NAND flash memory storage devices are an integral part of the creation of digital artefacts that may later need to be considered as evidence in criminal or civil proceedings.

Existing forensic guidelines and procedures were developed based mainly on HDD technology, and although NAND flash memory storage devices are widely accepted by consumers, they are poorly integrated into the forensic guidelines which have been explicitly discussed by forensic and data recovery experts.

This thesis then identifies the gaps between well-reputed forensic guidelines, further outlines them through a series of experiments and analysis carried out with various parameters, and concludes that those well-reputed forensic practices and principles are inadequate to handle NAND flash memory technology in a forensic manner.

Through a series of experiments, iterations and analysis, a complex forensic framework for the acquisition and extraction of data from the NAND flash memory storage chip was created, verified and validated. This reinforces the need to recognise the issues raised by NAND flash memory storage devices to maximise the chance of data recovery. Specific processes were identified and the data recovery rate was measured for testing.

In conclusion, this thesis develops a validated forensic framework and method for the acquisition and extraction of data from the NAND flash memory storage chip, which existing forensic techniques and guidelines are incapable of addressing, thereby generating new knowledge and perspectives on ways to acquire and extract raw data from NAND flash memory storage devices in general. This innovative model provides a new perspective on the acquisition and extraction of raw data from NAND flash memory storage devices which may be potentially useful in a court of law or similar.

Access Note

Access to this thesis is not available.
