Arden

Solid-state storage media, particularly solid-state drives (SSDs), present new challenges to forensic investigation that need to be addressed. The low-level behavior of these drives is dramatically different than for mechanical hard disk drives-including what low-level data is available, how that data is obtained, and how that data is interpreted. Interpreting low-level data is a useful tool in computer forensics, but disk forensics tools and techniques have not yet adapted to accommodate solid-state drives. The fundamental problem is that there is a layer of hardware logic between the computer and the raw flash storage that is difficult to bypass. To improve the analysis of SSDs in computer forensics, forensic analysts must be able to acquire data from as low a level as possible and must have tools and techniques available to properly interpret and analyze data acquired from SSDs. To address this need, ATC-NY will develop Arden, a collection of tools and techniques to acquire low-level SSD data and perform forensic analysis of both high-level and low-level data acquired from SSDs. We will develop and test techniques that obtain access to low-level device data over the peripheral bus, over debug ports, and through device reprogramming. Using Arden, a computer forensic analyst can easily acquire a forensic image of a solid-state drive; obtain SSD-specific evidence, such as hidden data; and then analyze the forensic image using existing analysis tools, such as EnCase or FTK. ATC-NY will release Arden as open-source software.