Digital Forensics on Solid State Drives and NVMe devices: Data acquisition and steps of investigation

Project Description

Digital Forensics on Solid State Drives and NVMe devices: Data acquisition and steps of investigation.

Over the years, technology has advanced in much faster pace that it was a decade ago, thus, people rely heavily in utilizing and transferring a large amount of data using their HDD, SSD and NVMe storage devices. In the current era, these storage devices have become an integral part of our mobile devices as well, this is because their effectiveness in providing high storage in much smaller form-factor. Therefore, with the increasing demand and usage of SSDs and NVMe among all computing devices due to their benefits, it exploits a vulnerability that an attacker would use to initiate their malicious activities using these devices, keeping in mind the ease of reachability and the availability of needed tools.

To ensure digital forensics investigators understand and investigate such lateral movements, there must be a clear vision on what approach should be taken in order to properly investigate a crime which involves SSD or NVMe as an evidence and reach into forensically sound results which will be presented an accepted by court of law. Thus, the main objective of our research is to explore the methodologies of investigating a crime which NVMe and SSDs devices are the only evidence, furthermore, we will be exploring the limitations of the current forensics tools when it comes to handling these storage devices and whether they are on par to detect them. Hence, our research project will be used around the below scenario.

It was a Friday afternoon. Khalid was eating in his house. When he suddenly heard shots fired in his neighbors house. Khalid immediately called the police and explained what he had heard. The police arrived at the scene and found the body of Salem who is Khalids neighbor. During the investigations and the acquiring phase by the police and the investigation team, they found NVMe storage device above the table, which they acquired as evidence for investigation.

In this research project, the research type will be experimental. We are going to provide an introduction and comparison among storage devices to pave the way for forensics investigation approaches. In addition, the above scenario going to aid us in conducting a meaningful experiment. Furthermore, we are going to discuss about the role of write-blockers when it comes to SSD and NVMe. Moreover, the artifacts which will be acquired to be analyzed and preserved as evidence from the found NVMe device in the crime. We are going to illustrate how an NVMe can be connected to forensic workstation using the write-blocker extension, then, we will be imaging the NVMe into dd file for our further investigations using tools such as FTK or Guymager in Linux operating system. During the experiments, we might face some challenges which will be mentioned in our research project, for instance, data that will be acquired might be corrupted due to NVMe hardware damage, also, the tools could not support the NVMe bandwidth which will be explored, furthermore, as the current pandemic, there will be some difficulties to conduct the experiment as a group. Finally, we seek to provide in our research useful information on the capability of digital forensics technologies to properly investigate cybercrimes conducted using NVMe devices and the importance of forensics investigators to always have setup and knowledge ready.

Project instructions

1.    The research SHOULD include figures of processes, methodologies, and investigation applications. It should be from 3000 to 3500 words maximum. The references should not be less than 9.
2.    The research SHOULD be in IEEE formatting with the proper styles.
3.    The paper is between 6 pages and 8 pages (single spaced lines, font size <=11).
4.    Kindly update us about your progress frequently, this will help us to review the work and see the way forward. 
5.    The practical part was done ImagingSteps.docx, please ensure that the research is around that. Also, make sure to include screenshots were applicable in the research. Experimental Procedures section in the research will include the practical part ImagingSteps.docxthat. Also, makes sure to include screenshots were applicable in the research. Experimental Procedures section in the research will include the practical part ImagingSteps.docx

Project Sections   

Abstract    A brief summary of the detailed research project, please add keywords which are important terms not known to common readers.
   
Introduction   
1.    Introduce digital forensics, SSD and NVMe storage devices
2.    Outline the importance of digital forensics science in resolving crimes conducted with NVMe storage devices
3.    Giving examples of where NVMe used (computers, mobile phones and tablets) and whether tools support.
4.    Address steps used to forensically sound investigate NVMe devices.

Literature Review   
1.    Describe the most relevant prior work and their key insights.
2.    Critically analyzing existing literature in storage devices and digital forensics.
3.    Discuss pros and cons of each methods found.
   
Experimental procedures   
1.    Detailed description of what we are trying to accomplish.
2.    Explore the differences among HDD, SSD and NVMe storage devices.
3.    Specify the hardware used to investigate such cybercrimes.
4.    Specify tools you will be using in investigation cybercrimes used by NVMe.
5.    Explain the proper procedures which are done in investigating cybercrimes using NVMe.
6.    Explain whether forensics investigation on iPhone with NVMe is possible.

Conclusion and Future Work   
1.    Summarize the key aspects of the research
2.    Imply potential future work
3.    Opinion on the research carried out

References   
References will be taken based on the found readings.  Please provide 9 or more references no less.

find the cost of your paper