The Forensic Potential of Flash Memory
Abstract
This thesis explores the forensic opportunities afforded by flash memory. It begins with a discussion of flash storage, covering the physics of flash devices, the development of flash translation layers (which allow flash devices to be used with unmodified legacy operating systems), and flash file systems (which provide for better utilization of flash storage at a somewhat higher cost). It then provides a comprehensive survey of the relevant academic literature and evaluates the work that others have done in the field of flash data recovery. Based upon a thorough patent review and freely available documentation, it provides a theory of the circumstances in which residual data may exist on flash memory after the intentional deletion and overwrite of previously saved data. It clearly documents the steps of configuring a Linux kernel to use the YAFFS2 (Yet Another Flash File System, used in Android) and JFFS2 (the Journaling Flash File System, used on the One Laptop per Child Program) flash file systems. It then conducts experiments to confirm or deny these theories, with a focus on the recovery of data and of other evidence that overwritten and deleted data once existed. Finally, this thesis makes recommendations for further research.
Document Details
- Document Type: Technical Report
- Publication Date: Sep 01, 2009
- Accession Number: ADA509258
Entities
People
- James E. Regan
Organizations
- Naval Postgraduate School