SATA M.2 on Forensics: Trim Function Effect on Recovering Permanently Deleted Files

2023 International Conference on Smart Applications, Communications and Networking (SmartNets) Pub Date : 2023-07-25 DOI:10.1109/SmartNets58706.2023.10215536

Ruwa F. Abu Hweidi, M. Jazzar, A. Eleyan, T. Bejaoui

{"title":"SATA M.2 on Forensics: Trim Function Effect on Recovering Permanently Deleted Files","authors":"Ruwa F. Abu Hweidi, M. Jazzar, A. Eleyan, T. Bejaoui","doi":"10.1109/SmartNets58706.2023.10215536","DOIUrl":null,"url":null,"abstract":"The spread of different types of SSD memory in a wide range of devices increases the challenge of cybercrime and forensic investigation. This is due to the features of the memory structure and how the data is recovered under such features. This research paper consists of an experiment to recover permanently deleted files in SATAM.2 SSD memory when- the Trim function is disabled and permitted with various forensic tools such as OSForensics, Autopsy, FTK and AXIOM. The experiment is applied to the NTFS file system under the Windows 11 environment. The research finds that 0% of files are recovered when the Trim function is enabled and 100% of files can be recovered if Trim function is disabled. This makes the recovery process difficult for investigators to find valid evidence. In future work, there is a need for a method that allows investigators to recover files in such conditions, and to apply more experiments to various features under different file system types and operating systems.","PeriodicalId":301834,"journal":{"name":"2023 International Conference on Smart Applications, Communications and Networking (SmartNets)","volume":"85 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2023-07-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2023 International Conference on Smart Applications, Communications and Networking (SmartNets)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SmartNets58706.2023.10215536","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 0

Abstract

The spread of different types of SSD memory in a wide range of devices increases the challenge of cybercrime and forensic investigation. This is due to the features of the memory structure and how the data is recovered under such features. This research paper consists of an experiment to recover permanently deleted files in SATAM.2 SSD memory when- the Trim function is disabled and permitted with various forensic tools such as OSForensics, Autopsy, FTK and AXIOM. The experiment is applied to the NTFS file system under the Windows 11 environment. The research finds that 0% of files are recovered when the Trim function is enabled and 100% of files can be recovered if Trim function is disabled. This makes the recovery process difficult for investigators to find valid evidence. In future work, there is a need for a method that allows investigators to recover files in such conditions, and to apply more experiments to various features under different file system types and operating systems.

查看原文本刊更多论文

SATA M.2 on Forensics: Trim功能对恢复永久删除文件的影响

不同类型的SSD内存在各种设备中的传播增加了网络犯罪和法医调查的挑战。这是由于内存结构的特性以及在这些特性下数据是如何恢复的。本研究论文由一个实验组成，当Trim功能被禁用并允许使用各种取证工具(如OSForensics, Autopsy, FTK和AXIOM)恢复SATAM.2 SSD内存中永久删除的文件。实验应用于Windows 11环境下的NTFS文件系统。研究发现，启用Trim功能时，文件恢复率为0%;关闭Trim功能时，文件恢复率为100%。这使得调查人员很难在恢复过程中找到有效证据。在未来的工作中，需要一种方法，使研究者能够在这种条件下恢复文件，并将更多的实验应用于不同文件系统类型和操作系统下的各种特征。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2023 International Conference on Smart Applications, Communications and Networking (SmartNets)

自引率

0.00%

发文量