Notes - MCS
Computer Systems Forensic Analysis
Notes - MCS
Computer Systems Forensic Analysis
  • Computer Systems Forensic Analysis
  • Overview of Cybercrime
    • Cyberspace
    • Information Security Principles
    • Cybercrime vs. Computer Crime
    • Cybercrime slang
      • Images
    • Digital Evidence
  • Introduction to Digital Forensics
    • Concepts
    • Digital Forensic
    • Digital Investigation
    • Digital Crime Scene Investigation Methodology
    • Digital Evidence Handling
    • Ethical Code
  • Obtaining Evidences
    • Introduction
    • Boot Process
    • Secuere Boot Process
    • Windows Boot Process
    • Forensic Boot Tools
    • Bootable CD-ROMS - Linux Based
    • ADS
    • Forensic Sorting Tools
    • Forensic Acquisition
    • Dealing With Media Errors
    • Hidden Areas
    • Write Protection of Evidence Media
    • Storing Acquired Data
    • Image File Acquisition
    • Hash Values
  • Data Organization
    • Data Organization
    • File System
    • File Content
    • Endianness
    • Character Encoding
    • Data Structures
    • Date and Time
    • Encoding
  • Storage Devices
    • BIOS versus direct access
    • Hard Disk Geometry
    • Advanced Technology Attachment Interface
      • Device Configuration Overlay
    • Small Computer Systems Interface
    • NAND Flash memory
    • Level wearing
    • HDD vs SSD
    • Pen USB vs SSD Comparison
    • SSD Connectors, Interfaces, and Transfer Protocols
  • Volumes and Partitions
    • Concepts
    • Partition Tables
    • Sectors Addresses
    • Logical addresses
    • Volume Analysis
    • Types of Partition Tables
    • Common Partition Tables (MBR)
    • Boot Code
    • MBR examination
    • Removable Storage
    • Common Partition Tables (GPT)
    • Common Partition Tables (BSD)
    • Volumes’ Aggregation
  • RAM Analysis
    • RAM Analysis
    • General Computer Architecture
    • DMA – Direct Memory Access
    • Paging
    • Memory Acquisition
  • Mobile Forensics
    • Forensic value of phones
    • International Mobile Equipment Identifier
    • Potential Evidence
    • Forensics Dangers
    • Data Acquisition
    • Logical acquisition
    • Physical acquisition
    • Hashing
    • Software tools
  • Open Source INTelligence
    • Classical sources of information and intelligence
    • Evolution of OSINT - Open Sources Intelligence
    • Information sources
    • Closed source of information
    • Open sources
    • Information to Intelligence Cycle
    • Skills of the Analyst
    • Open Source Possibilities
    • Automated Processing
    • DarkNet
  • Documentation and Reporting
    • Introduction
    • Physical examination
    • Examining a computer
    • Media Examination
    • Examples of things to write in the report
    • Forensic Report
Powered by GitBook
On this page
  • SSD
  • Advantages
  • Different kinds of SSD
  • Flash memory
  • Structure
  1. Storage Devices

NAND Flash memory

SSD

Hard disk drives (HDD).

  • few manufactures:

    • concentration of manufacturers through purchases and mergers over the years.

  • mature technology, with many aspects in common:

    • between disk models and sizes.

    • between manufacturers.

  • digital research in hard drives is almost the same in all models and brands.

Solid-State Drives (SSD).

  • basic components are the same or very similar.

    • between manufacturers.

    • between flash memory and SSDs.

  • but there are important differences:

    • flash memory requires driver software – uses CPU.

    • SSD has its processing unit – doesn’t use CPU.

    • firmware between models or manufacturers can be very different.

Advantages

  • are mechanically more reliable.

    • have no moving parts and are more resistant to falls.

  • read speed is independent of the data location (which doesn’t happen with HDD).

  • power consumption is lower (1h to 2h of increased battery autonomy on a laptop).

  • emits no noise or vibrations.

  • heat less than HDD – HDD can reach very high temperatures.

  • are lighter – don’t require a metallic structure as HDDs.

Different kinds of SSD

DRAM

  • older solid state disk (they have existed for more than 30 years).

  • based on volatile DRAM memory.

  • require battery or other power source to ensure redundancy.

  • need of a traditional drive to store data permanently.

  • used in high-performance systems such as banks, stock exchanges, military assets, ...

  • the cost of flash memory is falling more than DRAM → the crossing point was reached in 2004.

Flash memory

  • non-volatile.

  • there are 2 categories:

    • NOR gates, NAND gates.

Flash memory

With NOR gates.

  • used for small amounts of memory (< 16MB), e. g. BIOS.

  • allows very fast readings, but is slow to write and erase (up to 5 seconds).

  • supports fewer write cycles (10× less than NAND gates).

  • allows one to read or write a single byte at a time.

  • allows local execution, without having to use RAM.

    • uses an SRAM interface that enables it to address all bytes.

With NAND gates.

  • provides large bit density → ideal for replacing HDD.

  • erase and write faster than NOR (up to 4 ms), but slightly slower readings.

  • reads and writes are made in large blocks of bytes.

  • disadvantages:

    • internal management complexity.

    • serial access to data, wear leveling, garbage collection, ...

NAND Flash memory – is the most common type of flash.

  • USB pen drives.

  • Solid State Drives (SSD).

Management of bad blocks.

  • all devices have bad blocks.

  • an initial test to identify bad blacks is required.

    • the cost of creating chips without defects does not pay off.

    • it is preferable to put capacity in excess and then remove the addresses with bad blocks.

Inner working of a NAND chip.

  • at rest = 1 (stores the value 1) at load = 0 (stores the value zero).

  • to increase density, they can be produced in layers: MLC (multi-layer chip).

    • several bits have to be read/written simultaneously.

    • allows more capacity, but has lower performance than the single-layer chip (SLC).

    • cheaper.

Data access.

  • data access in a grid with word lines (16 bits).

  • minimum writing unit is a sector with a size multiple of word lines.

    • HDD: 1 sector = 512 Bytes → minimum read and write unit.

    • SSD: 1 sector = [512, 2048] Bytes.

      • depends on several factors, such as a manufacturer and disk capacity.

      • minimum writing unit differs from the minimum erasing unit.

      • it is not possible to erase a single sector.

      • data as to be erased by blocks – the electric charge to erase is similar to a photographic flash.

Structure

Last updated 1 year ago