Monday, 24 September 2012

eForensics Magazine Interview With Aswami Ariffin

Aswami Ariffin, the founder and the first Head of Digital Forensics Department of CyberSecurity Malaysia, shares his experience gained throughout the years of research and work as a digital forensic practitioner. He reveals how he deals with multiple cases and the storage of ESI, he describes the specificity of the digital forensic sector in Malaysia and declares that he never gave up during an investigation.

PS: This interview is part of my research paper on “Digital Forensics Institute in Malaysia: The way forward” to be published by Digital Evidence and Electronic Signature Law Review. Professor Jill Slay and Dato' Husin Jazri (former CEO of CyberSecurity Malaysia) are co-authors of this paper.

Saturday, 1 September 2012

Solid State Drive (SSD) Forensics: Is it a myth?

I spent two weeks doing solid state drive forensic analysis and found something that I could share with the digital forensics community. Before that I read a couple of papers on this topic, e.g.,

i) Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery? By Graeme B. Bell and Richard Boddington.
ii) Empirical Analysis of Solid State Disk Data Retention when used with Contemporary Operating Systems by Christopher King (CERT) and Tim Vidas (CMU ECE).

Both papers gave me quick info so that I could design my own SSD forensic analysis. This is quite important for my research too.

I’ve included EnCase, WinHex, an external SSD, videos and pictures for the analysis.
After deleting all video files, I used EnCase to view the SSD contents (see below).

There was no problem with the pictures, but with the videos there was an issue. To be precise, 7 video files were copied to the SSD and, as you can see in the above snapshot, only 1 video file was discovered by EnCase (it should be 7 because they shouldn’t have been overwritten; they had totally disappeared).

So, what happened here? I’m perplexed! Not for a HD but SSD…? TRIM…garbage collection…wear levelling…? FTL? We’ve got a serious problem here!

All these technologies are making forensic analysis complicated! Why (I’ve written/presented so many times on the difficulties faced by the digital forensics practitioners)?

So, I decided to use my WinHex to ‘peep’ into the SSD image (DD file) and surprisingly I found a few video files.

It wasn’t a nice experience though! Looking at bits and bytes (My vision is getting worse by the day! No more computers after this!).

EnCase? I’m not trying to condemn EnCase here; in fact, I’m using it regularly.
SSD? The death of digital forensics, then I need to change my profession. Not at this age!

But the best outcome was the retrieval of my favourite videos not seen by EnCase.
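
The raw search described above (looking inside the DD image for videos that the file-system view did not list) can be automated with a signature scan. This is an added example, not part of the original post: the MP4 and AVI signatures, the 512-byte sector size and the constructed sample image are assumptions, since the post does not say which video formats were involved.

```python
import mmap
import struct

SECTOR = 512  # assumed sector size of the imaged device

def looks_like_mp4(buf, off):
    """ISO BMFF: 4-byte big-endian box size, then b'ftyp' and brand fields."""
    if buf[off + 4:off + 8] != b"ftyp":
        return False
    size = struct.unpack(">I", buf[off:off + 4])[0]
    return 8 <= size <= 4096 and size % 4 == 0  # sanity-check the box size

def looks_like_avi(buf, off):
    """RIFF container: b'RIFF', 4-byte little-endian size, then b'AVI '."""
    return buf[off:off + 4] == b"RIFF" and buf[off + 8:off + 12] == b"AVI "

def scan_image(image, sector=SECTOR):
    """Return ([(byte_offset, kind)], zero_sector_count) for a raw image.
    Only sector boundaries are tested, since file data starts on them."""
    hits, zero_sectors = [], 0
    blank = bytes(sector)
    for off in range(0, len(image), sector):
        chunk = image[off:off + sector]
        if chunk == blank[:len(chunk)]:
            zero_sectors += 1          # blank or erased space
        elif looks_like_mp4(image, off):
            hits.append((off, "mp4"))
        elif looks_like_avi(image, off):
            hits.append((off, "avi"))
    return hits, zero_sectors

def scan_file(path):
    """Scan a dd image on disk through a read-only memory map."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
        return scan_image(m)

def build_sample_image():
    """Constructed 8-sector image: one MP4 header, one AVI header, one junk sector."""
    img = bytearray(8 * SECTOR)
    img[2 * SECTOR:2 * SECTOR + 24] = struct.pack(">I", 24) + b"ftypisom" + bytes(4) + b"isommp42"
    img[5 * SECTOR:5 * SECTOR + 12] = b"RIFF" + struct.pack("<I", 1024) + b"AVI "
    img[6 * SECTOR:6 * SECTOR + 4] = b"\xde\xad\xbe\xef"  # non-video data
    return bytes(img)

if __name__ == "__main__":
    hits, zeros = scan_image(build_sample_image())
    for off, kind in hits:
        print(f"{kind} header at byte {off} (sector {off // SECTOR})")
    print(f"{zeros} all-zero sectors")
```

Each reported offset is where a hex editor would be pointed to inspect or extract the file, and the zero-sector count gives a rough measure of how much of the image no longer holds any data.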