Forensic Investigations Involving SCSI

From an investigator’s point of view, it is important to understand that there are still computers that utilize devices with SCSI connectors (see Figure 3.1). Therefore, you may need older systems in your lab to operate these devices, and you must also think about the relevant drivers that will need to be installed. SCSI hard disk interfaces are uncommon today. However, there are still forensic imaging devices that can be used with SCSI hard disks. For example, the RoadMASSter 3 Mobile Computer Forensics Data Acquisition and Analysis Lab is a system that supports the SCSI interface.

Alternative Copy Devices

The ImageMASSter Solo IV Forensic is a much more expensive device than the Disk Jockey PRO, but it has the ability to image two devices simultaneously. The investigator can select either a Linux DD file or an E01 image file.

Solid State Drives

A solid state drive (SSD; see Figure 3.13) is a non-volatile storage device found in computers. Unlike on a hard drive, files on a solid state drive are stored on memory chips in a stationary layout of transistors, and not on metal platters. In other words, a solid state drive has no moving parts—no read/write heads or spinning disks. Most solid state drives are flash memory NAND devices. It is important to know about these drives because they are growing in importance; they can be found in Chromebooks, the MacBook Air/Pro, and numerous personal computers today.

In a single-level cell (SLC) NAND flash, each cell in the SSD has 1 bit. In a multi-level cell NAND flash, each cell has two or more bits. An MLC has higher density but generally requires more voltage than an SLC.

There are more than 80 SSD manufacturers, while there are very few hard disk drive manufacturers. There are numerous controller manufacturers who have different manufacturing requirements for SSD manufacturers. Therefore, this complicates the life of a computer forensics investigator, i.e., an SSD from one manufacturer can have different controllers with varying firmware. The proprietary firmware associated with the controller affects garbage collection, caching, wear-leveling, encryption, compression, bad block detection, and more.

Consider the following examples of SSD controller manufacturers:

• Marvell

• Hyperstone

• SandForce

• Indilix

• Phison

• STEC

• Fusion-io

• Intel

• Samsung

In many ways, solid state drives are a more efficient alternative to hard disk drives, given their more efficient use of power, faster retrieval and storage of files, and greater resistance to environmental factors, including heat and vibration. Nevertheless, solid state drives suffer from ware-leveling. Ware-leveling is the process by which over time areas of a storage medium become unusable.

From a file storage perspective, solid state drives are very different from hard disk drives, and they do not use the traditional 512-byte storage sectors.

In terms of computer forensics, recovering deleted files on a solid state drive is more challenging as a result of the garbage collection process. Garbage collection is a memory-management process that removes unused files to make more memory available. Garbage collection is rather unpredictable with solid state drives and is particularly problematic from a forensics perspective. Changes to files stored on a solid state drive can occur without warning, regardless of the best efforts of a computer forensics examiner. Garbage collection and other automated functions associated with an SSD mean that once a hash is forensically created for a hard drive, and then another hash is generated, on the same drive, the two hashes might not match, which is different with a HDD.

Unlike a hard disk drive, with an SSD, data must be erased before a write can occur. Writes are completed in large blocks with high latency. Another difference is that the operating system does not keep track of the physical location of files; the File Translation Layer (FTL) is responsible for this. The File Translation Layer (FTL) maps a logical block address to a physical block address. TRIM is an operating system function that informs a solid state drive which blocks are no longer in use, and this allows for greater write performance. TRIM runs immediately after the Recycle Bin is emptied. However, there are a couple of important points that should be made. First, techniques have been developed to prevent the TRIM function and garbage collection from operating, which can be explored in recently published academic literature. Secondly, there are many instances in digital forensics today where one copy of a volume is not an exact match to another, based on the MD5 or SHA-1 verification process. This is largely because of the introduction of NAND flash storage in smartphones and hard drives, which is more volatile. Nevertheless, we know from case law that this evidence is still admissible.

Random Access Memory (RAM)

Random Access Memory (RAM) is volatile memory that is used for processes currently running on a computer. Please see Figure 3.14, which display some sample RAM. Its volatile nature comes from the fact that, when a computer is powered off, the contents of RAM are generally erased. However, if a system is powered on, RAM can provide a forensics examiner with a treasure trove of information, which can include Internet searches, websites visited, and possibly even passwords. There are numerous forensics tools, including Volatility, which can perform a RAM capture (acquisition).

Redundant Array of Independent Disks (RAID)

A Redundant Array of Independent (or Inexpensive) Disks (RAID) is commonly referred to with the acronym RAID. A RAID (Redundant Array of Independent Disks) is where two or more disks are used in conjunction with one another to provide increased performance and reliability through redundancy (see Figure 3.15). In the case of a RAID, reliability refers to fault tolerance, which means that if one component in a system, like a hard disk drive, fails, then the system will continue to operate. This kind of reliability is worth the investment for many critical systems in an organization. More recently, organizations have installed RAIDs to increase storage. Although RAID contains multiple hard disks, the operating system views the RAID as one logical disk with the use of hardware controllers.

From a computer forensics perspective, it is important to know that a computer may have multiple hard drives connected to it, all of which have evidentiary value. It is also important for an investigator to note the order in which each drive was added to the RAID and which drive adapter is connected to which drive, as this can be confusing.

Secure Digital (SD) Cards

A Secure Digital (SD) card is a file storage device that was developed for use in portable electronics, like cameras. The association that developed SD cards and set the standard for this memory is a joint venture between Matsushita Electrical Industrial Co., Ltd. (Panasonic), SanDisk Corporation, and Toshiba Corporation.

The standard size for an SD card is 24mm wide and 32mm long, with a thickness of 2.1mm (see Figure 3.20). This standard size SD card has often been used in digital cameras, and many laptops come with an SD card slot and reader as standard. SDHC (Secure Digital High Capacity) cards have also still sold. SDHC cards generally go up to around 32GB. More recently, 64GB cards began to appear with the emergence of SDXC (Secure Digital eXtended Capacity). Micro SDXC cards are now available with 1TB of storage. Secure Digital cards are formatted with the FAT32 file system.

Note that some SD cards are Wi-Fi enabled with preinstalled utilities. Some of these utilities can automatically send photos to a mobile device, upload files to social media sites, or even add files to a cloud service. Generally, a logo on the SD card indicates that the card is Wi-Fi enabled, but this might not always be the case. The investigator should be cognizant of potential wireless capabilities.

If you encounter an SD card during an investigation, it is proper protocol to set the write-protect switch to on, when present on the card, to prevent any data from being written to this memory. Of course, the investigator will use a write-blocker before examining any removable memory, like an SD card.

A miniSD is 20 mm wide and 21.5 mm long. The microSD format was developed by SanDisk. A microSD card can be used in a Standard Digital card reader with the use of an SD adapter. microSD cards are sometimes found in cellular telephones, and therefore they can be a valuable source of evidence. Additionally, many cellphone forensic imaging or cloning devices cannot read the contents of the microSD card, so the card may have to be removed and imaged separately.

CompactFlash (CF) Cards

CompactFlash (see Figure 3.21) is a memory card that was first developed by SanDisk for use in portable electronics, like digital cameras. A CompactFlash (CF) can have two different dimensions: (a) Type I is 43mm × 36mm × 3.3mm, and (b) Type II is 43mm × 36mm × 5mm. CompactFlash cards are not as popular today as Secure Digital cards, but they do have an effective file storage system and can potentially support up to 1TB of memory.

Memory Sticks

A Memory Stick (see Figure 3.22) is Sony’s proprietary memory card that was introduced in 1998. Unlike many other flash memory manufacturers, Sony also produced many of the electronic devices that support its memory card. Sony manufactures televisions, laptops, cellular telephones, digital cameras, video recorders, game consoles, MP3 players, and numerous other electronic devices, all of which often supported additional memory through the use of a Memory Stick. The original Memory Stick was replaced by the Memory Stick PRO in 2003, to enable a greater storage capacity. The PRO series utilized FAT12, FAT16, and FAT32 file systems. The Memory Stick Duo was a smaller memory card that was developed to fit well into small handheld devices. Other versions of the Memory Stick were developed to increase memory capabilities and to support high-definition video capture.

The Memory Stick XC (Extended High Capacity) series was released by Sony and SanDisk. These memory cards have the potential to store up to 2TB of memory. The XC series uses the exFAT (FAT64) file system. This series has maximum data transfer rates up to 160 Mbps and 480Mbps depending upon the XC model.

The important point for investigators to note is that if a suspect owns Sony products, Memory Sticks could be present in these devices. For example, a Sony television might have a Memory Stick inserted. Moreover, that memory card will probably contain files uploaded from a computer.

xD Picture Cards

Introduced in 2002, xD (Extreme Digital) Picture Cards were developed by Olympus and Fujifilm for digital cameras and some voice recorders. These memory cards have been slowly phased out by Olympus and Fujifilm in favor of the more popular SD cards.

Hardware for Reading Flash Memory

There are a few ways to securely view the contents of flash memory cards. One tool is Digital Intelligence’s UltraBlock Forensic Card Reader and Writer (see Figure 3.23). This device is connected to a computer via the USB port (2.0 or 1.0) and can read the following media:

• CompactFlash

• MicroDrive

• Memory Stick

• Memory Stick PRO

• Smart Media Card

• xD Picture Card

• Secure Digital Card (SD and SDHC)

• MultiMediaCard

A regular memory card reader could be used in addition to a USB write-blocker to ensure that the data is viewed forensically. A write-blocker is a hardware device that allows an individual to read data from a device, like a hard drive, without writing to that device. An investigator could connect a media card reader to Digital Intelligence’s UltraBlock USB Write Blocker, which would be connected to a computer, where the media card’s contents would be viewed or acquired.

Compact Discs

A compact disc (CD), also known as an optical disc, is a polycarbonate plastic disc with one or more metal layers, used to store data digitally. A CD is usually 1.2mm thick and weighs 15–20 grams. Aluminum is generally used for the metallic surface. Data is stored to the disc and read from the disc using a laser. The laser that writes data to a disc reaches a temperature of 500–700 degrees Celsius. Because the data is stored using a laser, CDs are not vulnerable to electromagnetic charges. The high temperatures used in storing the data cause the metal alloy to liquefy, and the reflective state changes. Lands are the reflective surfaces on a CD burned flat by a laser. Pits are the less reflective surfaces on a CD that have not been burned by a laser. The differences between the reflective and less reflective surfaces can be translated to binary (0s, 1s).

CDs were initially developed by Sony and Philips to store and play audio files. Later the CD-ROM was developed for data storage. A CD-R allows data to be stored once. Because a CD-R can only have data written to it once, handling this type of CD in a forensically sound manner does not require a write-blocker. A CD-RW, on the other hand, allows data to be written multiple times to the disc. Today a standard CD generally has a storage capacity of 700MB.

ISO 9660, introduced in 1988, refers to the standard for optical discs and their file system. ISO 9660 is also called CDFS (Compact Disc File System), and it was created to support different operating systems, like Windows and macOS. Other file systems that can also be supported by CDs include Joliet, UDF, HSG, HFS, and HFS+. Joliet allows for longer filenames, which are associated with more recent versions of Windows. Because other file systems can exist on a CD, it is important to remember that a CD used in a Windows computer may show that it is invalid if an HFS+ file system resides on the disc. This means that specialized tools may be required to access the files stored on a CD. IsoBuster, for example, is a data recovery tool for CD, DVD, and Blu-ray. InfinaDyne’s CD/DVD Inspector is a specialized tool for a forensic acquisition of files from CDs and DVDs. It should be noted that an .iso file, which is an image of an optical disc, may be saved on the hard drive of a suspect’s computer or on another storage device.

The International Standardization Organization (ISO) in Geneva, Switzerland, has created this standard to facilitate the use of CDs on Windows, Macintosh, and UNIX computers. Frames consist of 24 bytes and are the smallest unit of memory on a CD-ROM. A sector on a CD-ROM consists of 98 frames (2352 bytes).

Compact Disc–Rewritable (CD-RW)

A CD-RW usually stores less data than a CD (570MB instead of 700MB). A track on a compact disc is a group of sectors that are written to at one time. A session on a compact disc is a group of tracks recorded at the same time. The table of contents (TOC) records the location of the start address, the session number, and track information (music or video) on a compact disc. The TOC is an example of a session, and every session contains a TOC. If the TOC cannot be read by the computer’s CD-ROM drive, then the compact disc will not be recognized. A full erase of a CD-RW deletes all data on a disc. However, a quick erase will only remove all references to tracks and sessions, leaving the land and pits unchanged. Nevertheless, the CD-RW will not be recognized because the sessions have been removed.

CnW Recovery is a tool that claims to recover disc data that has been through the quick erase process. Ultimately, when a quick erase has been performed, it is possible to recover the data on a CD-RW. When a full erase has been executed, the data cannot be recovered.

DVDs

A Digital Video (or Versatile) Disc (DVD) is an optical disc with a large storage capacity that was developed by Philips, Sony, Toshiba, and Time Warner. A single-sided DVD generally has a capacity of 4.7GB. Other DVD formats can store more than 17GB of data. Their large storage capacity makes them ideal for storing video files, which are often very large in size. A DVD player uses a red laser (650 nanometers [nm]) to read data from a DVD disc.

Blu-ray Discs

A Blu-ray disc (BD) is a high-capacity optical disc that can be used to store high-definition video. A single-layer disc has a storage capacity of 25GB, while dual-layer disc can store 50GB of data. Also available are 3D Blu-ray players and discs. A firmware upgrade available for Sony’s PlayStation 3 facilitates 3D Blu-ray playback as well. The name of this storage media comes from the blue laser (405nm) used to read the disc. This laser enables more data to be stored than the red laser used in DVDs. Standards for these optical discs have been developed and are maintained by the Blu-ray Disc Association (www.blu-raydisc.com).

From a forensics perspective, Blu-ray discs have limited value because both the Blue-ray burner and recordable discs can be prohibitively expensive for the average consumer. A suspect is more likely to store video on a hard drive or burn video files onto a DVD. Nevertheless, there are two different recordable formats. A BD-R disc can be written to once, while a BD-RE can be used for re-recording.

Companies like Digital Forensics Systems produce devices for imaging and analyzing CDs, DVDs, and BDs.

Floppy Disks

While floppy disks have been replaced by other storage media, it is not inconceivable that an investigator could still encounter these. A floppy disk is a thin, flexible, plastic computer storage disc that is housed in a rigid plastic rectangular case. Files are stored on the disk magnetically. These disks have historically come in 8-inch (see Figure 3.25), 5¼-inch, and 3½-inch (see Figure 3.26) sizes. Initially, these disks were used to store a computer’s operating system. Subsequently, they were used for general file storage purposes. The 3½-inch disk was introduced in 1987 and its storage capacity ranged from 720KB to 1.4MB.

IBM invented the floppy disk drive, which was used to store and read data from floppy disks.

Floppy disks have been largely replaced by flash memory, optical disks, and external hard drives. An investigator who encounters floppy disks during an investigation is more likely to find the PC-compatible 1440KB format. Floppy disks are formatted with the FAT12 file system. All of these disks will only have either one or two clusters.

A forensic image of a floppy disk can be made by using the following Linux command:

Click here to view code image

# dd if=/dev/fd0 of=/evidence/floppy1.img bs=512

In this command, /dev/fd0 refers to the floppy disk drive, and bs=512 refers to the block size (bs), which is 512 bytes.

Of course, prior to inserting any disk, you should make sure that the disk is set to write-protected. You should then make a bit-for-bit copy of the floppy disk and lock the original disk in an evidence locker, away from any potential magnetic interference. To view the files on the disk, you can use the following command:

# ls /dev/fd0

Zip Disks

A zip disk is a removable storage medium that was developed by Iomega in the early 1990s. Zip disks originally came with a 100MB capacity and subsequently increased to 750MB. They were introduced as a higher-capacity alternative to floppy disks. A zip drive, in which zip disks are loaded, can be either an internal drive or an external drive. Zip drives and their disks have largely been replaced by CDs and the more popular, smaller, flash memory devices.

Magnetic Tapes

Magnetic tape is a thin plastic strip with a magnetic coating that is used for storing audio, video, and data. Because data is stored magnetically, an investigator must be careful to keep magnetic tapes away from all types of magnetism. Magnetic tapes are unique in the way that data is retrieved because they must be read in a linear fashion, from the start of the tape through the end of the tape. This often makes the process of acquiring data from magnetic tape quite time-consuming.

The use of audio tapes in investigations has become less important than it once was. The same is true of videotapes used in video cassette recorders (VCRs).

Magnetic Tapes (Data Storage)

Forensic imaging and analysis of magnetic tapes (see Figure 3.27) used for data storage on servers is challenging. Many different proprietary server systems exist, which makes a single solution impossible. An analysis of the physical surface can be conducted using a complicated process known as magnetic force microscopy. This method can be used to uncover wiped or overwritten data.

Generally, data is recorded to a magnetic tape in blocks. Data at the block level can be accessed using the dd command. In computer investigations, dd is a UNIX command that produces a raw data image of a storage medium, like a hard drive or magnetic tape, in a forensically sound manner. The dd command is written in such a way that the image is copied to a hard drive, which allows for better search capabilities. A magnetic tape has no hierarchical file system because files are stored sequentially or in a tape partition. Partitions on magnetic tapes allow users to group files in “tape directories”, When a sector is only partially used by a file, the remainder of the sector is referred to as memory slack, buffer slack, or RAM slack. Similar to hard disks, file slack on magnetic tape can contain remnants of data from previously existing files.

Work with a Dual-Boot System

Find an Apple Mac computer running a dual-boot system or install Boot Camp and Microsoft Windows on an Apple Mac with macOS currently running. Create standard operating procedures to help computer forensics investigators identify whether a Mac computer is running more than one operating system and determine how to acquire digital evidence from this type of machine.

Identify Changes in Computer Hardware

Write an essay that discusses how computer hardware and memory are likely to be transformed over the next 5 years. Include in your discussion how computer forensics practices will have to change to keep pace with changing technology.

Identify the Use of RAID

Find out how an investigator can identify whether a suspect’s computer is running RAID. How should RAID be forensically examined?

Work with Volatile Memory

Random Access Memory (RAM) can provide an extraordinary amount of evidence. What computer forensics tools can be used to image RAM? Are there any issues with using RAM as a source of evidence in an investigation?

Explain USB Flash Memory

Explain the physical makeup of a USB flash drive. Include in your explanation how files are stored and organized on this type of storage device.