Forensic data analysis
Forensic data analysis is a key concept in the digital industry. It entails the examination
of structured data to protect it from fraudulent activities, by defining procedures to
identify the security level of data and putting preservation measures in place for digital
information. This has been done in two major ways: through traditional magnetic disks and
through solid-state disks.
Magnetic disks, also referred to as hard disk drives (HDDs), are storage devices that use
magnetic processes to write, store and retrieve information. They have been in use since
their inception in the 1950s. They work by storing binary data as information encoded in
the magnetized regions of rapidly rotating disks. Data on magnetic disks can be accessed
randomly, without any sequential procedure for locating individual data (Treewitt, 2018).
On the other hand, solid-state disks (SSDs) are storage devices that use linked electronic
circuits to write, store and retrieve data.
SSDs have relatively small storage capacity. Their storage capacity ranges from an average
of 1TB for smaller drives to 4TB for desktops, whereas traditional magnetic disks have an
average of 500GB to 2TB for small drives and a maximum capacity of 10TB for desktops. Both
HDDs and SSDs can support encryption features, depending on whether a given model supports
them (Treewitt, 2018). As a result, both can aid in the safe storage of data. SSDs and HDDs
also have varying file copy speeds. For instance, SSDs have a writing speed ranging from
200MBs to 550MBs. On the other hand, HDDs have a file copy speed ranging between 50MBs and
120MBs (Treewitt, 2018). Besides, HDDs have a relatively shorter lifespan, as they have
moving parts which wear out over time. SSDs, on the other hand, can last for a period of
two to three years.
Effect of TRIM and Garbage collection on data recovery
Garbage collection relates to the automatic management of a computer's memory by
attempting to reclaim memory occupied by programs or services that have been redundant for
a defined period. SSDs are exceptional in the way they deal with data that has been
deleted. When data has been deleted in an operating system, the file still leaves traces in
the storage device, in this case the SSD (Ian, 2009). When an operating system attempts to
write a new file to the space which initially housed the data, the SSD will prompt deletion
of the initial file before storing the current one, a process referred to as garbage
collection. The garbage collection process and strategies are always determined by the
firmware of a given SSD.
With the TRIM feature enabled in an operating system, when a file has been deleted, the
operating system indicates the location of the deleted file and ensures that residual
files are cleaned. The SSD must support the TRIM feature for the cleaning process to be
optimal (Ian, 2009). The TRIM feature supports exemplary and consistent performance of
SSDs over time. The main detriment of TRIM is that it relies on the ability to communicate
with the SSD via the SATA interface. To illustrate this, when an SSD is set up in a RAID
array using an HBA controller located externally from the host personal computer, the TRIM
command will be unable to reach the SSD.
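Added example (not part of the original essay): on a Linux analysis host, whether TRIM can reach a drive at all can be read from sysfs, where a `discard_max_bytes` of 0 means discard requests are not supported on that path, as in the RAID/HBA case above. The function name, the verdict strings and the `sysfs_block` parameter are choices made for this sketch.

```python
import os

def _read(path):
    with open(path) as f:
        return f.read().strip()

def discard_report(sysfs_block="/sys/block"):
    """Return {device: verdict} describing whether discard (TRIM) can reach each disk."""
    report = {}
    for dev in sorted(os.listdir(sysfs_block)):
        queue = os.path.join(sysfs_block, dev, "queue")
        try:
            rotational = _read(os.path.join(queue, "rotational")) == "1"
            discard_max = int(_read(os.path.join(queue, "discard_max_bytes")))
        except (OSError, ValueError):
            continue  # entry without a readable request queue; skip it
        if rotational:
            # Spinning disk as reported by the kernel: TRIM is not the deciding factor.
            report[dev] = "rotational"
        elif discard_max > 0:
            # The OS can tell the drive which blocks are free, so the controller
            # may erase deleted data on its own schedule.
            report[dev] = "discard-supported"
        else:
            # Discard never arrives (for example behind some RAID/HBA paths), so
            # the controller still treats deleted blocks as live data.
            report[dev] = "discard-unsupported"
    return report

if __name__ == "__main__":
    for dev, verdict in discard_report().items():
        print(f"{dev}: {verdict}")
```

A "discard-unsupported" verdict on a non-rotational device is the case where deleted files are most likely to remain on the flash for an examiner to recover.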
To test the efficacy of TRIM and garbage collection on data recovery, the developers of
Windows 7 ran an experiment. They built a utility which was set to fill the storage of the
SSD with data, erase it and then fill it up again, measuring the change between the first
and second cycle of the process (Treewitt, 2018). Through the exercise of deleting and
refilling the SSD space, the controller of the SSD is forced to “garbage collect” the
storage space in the drive. The SSD was set up as a drive and a “fill-delete-fill” utility
was run. The TRIM command was turned on and off simultaneously to ensure only the Windows 7
operating system is in control. During the tests, a 54000RPM HDD was used as a control
experiment. The results were as
It was noted that the fastest fill time resulted from the first run on each drive. This is
because the drive was first erased securely to simulate the new
SSD1, SSD2 and SSD3 showed consistent outcomes throughout the test when TRIM was on,
because of the efficiency of the command with the drives (Ian, 2009). When it was turned
off in run 4, SSDs 1 and 2 took a relatively longer time to complete the utility test
because of inconsistency in performance; the drives did not have the guidance of the TRIM
command to help locate where the garbage data is.
In conclusion, garbage collection and the TRIM command are essential in data retention;
more so when used together. An SSD that has an efficient garbage collection mechanism
will always retain garbage at an optimal performance level.
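
Added example (not from the original essay or from the Windows 7 test it describes): a toy flash-translation-layer model of the fill-delete-fill cycle, showing how many deleted pages a raw read could still find and how often erasing is forced into the write path, with and without TRIM. `ToySSD`, its 8x4 page geometry, the 24-address logical capacity and the whole-block-only collector are assumptions of this sketch; real firmware differs by vendor.

```python
# Toy flash-translation-layer model, constructed for illustration only.
class ToySSD:
    def __init__(self, blocks=8, pages_per_block=4):
        self.ppb = pages_per_block
        self.flash = [None] * (blocks * pages_per_block)  # raw physical pages
        self.l2p = {}           # logical address -> page the controller treats as live
        self.foreground_gc = 0  # collections forced into the write path (the slow case)

    def garbage_collect(self):
        """Erase every block that holds data but no live page."""
        live = set(self.l2p.values())
        for start in range(0, len(self.flash), self.ppb):
            pages = range(start, start + self.ppb)
            if any(self.flash[p] is not None for p in pages) and not live & set(pages):
                for p in pages:
                    self.flash[p] = None

    def write(self, lba, data):
        if None not in self.flash:      # no erased page left: stall and collect first
            self.foreground_gc += 1
            self.garbage_collect()
        page = self.flash.index(None)   # flash cannot be overwritten in place
        self.flash[page] = data
        self.l2p[lba] = page            # the previous page for this address goes stale

    def trim(self, lba):
        self.l2p.pop(lba, None)         # controller learns the address holds no live data

    def carve(self, marker):
        """Count pages a raw, chip-level read would still find for `marker`."""
        return sum(1 for d in self.flash if d is not None and d.startswith(marker))


def fill_delete_fill(trim_enabled, lbas=24):
    """Return (recoverable after delete, foreground GCs, recoverable after refill)."""
    ssd = ToySSD()
    for lba in range(lbas):             # first fill
        ssd.write(lba, f"secret-{lba}")
    if trim_enabled:                    # the OS deletes the files; only with TRIM
        for lba in range(lbas):         # does the drive hear about it
            ssd.trim(lba)
    ssd.garbage_collect()               # idle-time background collection
    recoverable = ssd.carve("secret-")
    for lba in range(lbas):             # second fill reuses the same addresses
        ssd.write(lba, f"new-{lba}")
    return recoverable, ssd.foreground_gc, ssd.carve("secret-")
```

With TRIM the run returns (0, 0, 0); without it, (24, 2, 8): every deleted page stays readable until overwritten, the second fill stalls twice to erase, and eight stale copies outlast even the refill.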
Tools that specialize in SSD data recovery
Various tools aid in SSD data recovery. The tool chosen is based on several parameters:
security and protection, performance and versatility, speed, file preview, reliability, and
technical support capability. The tools are explained below (Treewitt, 2018).
Recoverit Data Recovery: this is software that helps in the retrieval of deleted, lost or
missing files. The main advantage is that it can recover data from SSDs that have been
formatted or corrupted. It is compatible with several file systems such as FAT, exFAT and
NTFS (Treewitt, 2018). It also gives the user a preview before doing a data recovery. The
main disadvantage is that it is only capable of retrieving a maximum of 100 MB of data.
Besides, there is no portable version of it and can only be installed on a
MiniTool Data Recovery: this tool aids in data recovery through three basic steps:
selecting the location, scanning it and then selecting the items that you wish to restore.
It instantly saves them in a safe place. The main advantage is that it is easy and fast to
use. It also has a quick way of accessing the results (Ian, 2009).
Disk Drill: this tool works by selecting the location, selecting the items and organizing
the files by category when prompted. It scans and filters results by the data and size. The
main advantage is that it can retrieve up to 500 MBs of data (Treewitt, 2018). It also
organizes recovered data in well-defined categories. However, its main limitation is that
it is tedious to identify the data retrieved after the scan.
Anti-forensics on magnetic disks and SSDs
By Secure Erase: this entails the use of a command that deletes the file in its entirety,
from within your operating system or from a Linux live environment. It can be done using
manufacturer software or by using Parted Magic. Parted Magic is provided by Linux and
comprises an array of data deletion tools. It has a one-time cost of $11 attached to it. On
the other hand, SSD manufacturers can devise hardware tools that have an array of Secure
Erase functions, such as OCZ Toolbox and Intel Solid State Toolbox (Ian, 2009).
By encryption: this entails converting the file to an unreadable format to restrict access
to the drive to authorized persons only. It can only be accessed using the defined key.
Currently, techniques such as Data Encryption Standard (DES) and Advanced Encryption
Standard (AES) are used.
By onion routing: this is practiced by sending messages that have been encrypted in
phases, symbolizing the layers of an onion. The data goes through various stages, with each
stage decoding one layer of encryption. It must go through all the phases for the message
to be completely understandable (Treewitt, 2018).
By obfuscation: this is a method that makes the message difficult to understand because of
the ambiguity and jargon used. It embraces the use of in-group words and phrases to
communicate within a limited scope of persons only. It can be achieved by changing a
signature or an eye print of malicious code.
Ian, A. (2009). A Chip-Based challenge to a cars spinning camshaft. WHAT NEXT.
Treewitt, C. (2018). Engine control module repairs. How the engine control module
works, 4-6.