Browse > Article

A File Recovery Technique for Digital Forensics on NAND Flash Memory  

Shin, Myung-Sub (숭실대학교 컴퓨터학과)
Park, Dong-Joo (숭실대학교 컴퓨터학부)
Publication Information
Journal of KIISE:Databases / v.37, no.6, 2010 , pp. 292-299 More about this Journal
Abstract
Recently, as flash memory is used as digital storage devices, necessity for digital forensics is growing in a flash memory area for digital evidence analysis. For this purpose, it is important to recover crashed files stored on flash memory efficiently. However, it is inefficient to apply the hard disk based file recovery techniques to flash memory, since hard disk and flash memory have different characteristics, especially flash memory being unable to in-place update. In this paper, we propose a flash-aware file recovery technique for digital forensics. First, we propose an efficient search technique to find all crashed files. This uses meta-data maintained by FTL(Flash Translation Layer) which is responsible for write operation in flash memory. Second, we advise an efficient recovery technique to recover a crashed file which uses data location information of the mapping table in FTL. Through diverse experiments, we show that our file recovery technique outperforms the hard disk based technique.
Keywords
file recovery; digital forensic; flash memory; FTL;
Citations & Related Records
Times Cited By KSCI : 1  (Citation Analysis)
연도 인용수 순위
1 H. Y. Choe, S. H. Kim, S. W. Lee, S. W. Park. "FlaSim : A FTL Memory Emulator using Linux Kernel Modules," Journal of KIISE : Computing Practices and Letters, vol.15, no. 11, pp.836-840, Nov.2009. (in Korean)   과학기술학회마을
2 S. L. Garfinkel, "Carving contiguous and fragmented files with fast object validation," Digital Investigation, 2007.
3 G. G. Richard III, V Roussev, "Scalpel: A Frugal, High Performance File Carver," 2005 DFRWS Published by Citeseer, 2005.
4 A Kawaguchi, S. Nishioka, H. Motoda, "A Flash-Memory based File System," Proceedings of 1995 USENIX Technical Conference, pp.155-164, 1995.
5 Microsoft Corporation, "FAT: General Overview of On-Disk Format," Version 1.02, May 5, 1999.
6 A. Ban, "Flash file system optimized for page-mode flash technologies", United States Patent. no. 5,937,42, 1999.
7 Intel Corporation, "Understanding the flash Translation layer(FTL) specification," http://www.intel.com.1998.
8 J. Kiln, J. M. Kim, S. H. Noh, S. L. Min, Y. Cho, "A Space-Efficient Flash Translation Layer for CompactFlash Systems," IEEE Translation on Consumer Electronics, vol.48, no.2, pp.366-375, 2002.   DOI   ScienceOn
9 Samsung Electronics, "NAND Flash Spare Area Assignment Standard," http://www.samsung.com/. 2005.
10 T. Shinohara, "Flash memory card with block memory address arrangement," United States Patent, no. 5,905,993, 1999.
11 A. Ban, "Flash File System," United States Patent. no.5,404,485, 1995.