Server Virtualization Acquisition Using Live Forensics Method

Soni,; Prayudi, Yudi; Sugiantoro, Bambang; Sudyana, Didik; Mukhtar, Harun

doi:10.2991/iccelst-st-19.2019.4

“…Bukti digital yang dibutuhkan dapat diperoleh dengan menggunakan teknik live forensics. Live forensics adalah sebuah metode yang digunakan untuk penanganan kejahatan komputer dan data recovery saat sistem komputer sedang berjalan [13]. Teknik live forensics mampu meningkatkan hasil data recovery bukti digital dari fungsi TRIM di SSD NVMe.…”

Section: Gambar 2 Statistik Pengguna Ssdunclassified

“…Metode live forensics bertujuan agar penanganan investigasi lebih cepat, integritas data lebih terjamin, teknik enkripsi lebih memungkinkan untuk dibaca dan meminimalkan kapasitas imaging memori bila dibandingkan dengan teknik forensik tradisional [21,22]. Menurut penelitian yang dilakukan oleh Soni dkk [13], metode live forensics diterapkan untuk melakukan data recovery pada saat virtual server sedang berjalan. Proses live forensics virtual server dilakukan seperti menggunakan virtual mesin proxmox yang menyediakan fitur backup.…”

Section: Gambar 2 Statistik Pengguna Ssdunclassified

Perbandingan Tools Forensics pada Fitur TRIM SSD NVMe Menggunakan Metode Live Forensics

Pranoto

¹

,

Riadi

²

,

Prayudi

³

2020

ITJRD

Self Cite

View full text Add to dashboard Cite

SSD saat ini memiliki teknologi media penyimpanan yang baru yaitu Solid State Drive Non-volatile Memory Express (SSD NVMe). Selain itu, SSD memiliki fitur bernama TRIM. Fitur TRIM memungkinkan sistem operasi untuk memberitahu SSD terkait block mana saja yang sudah tidak digunakan. TRIM berfungsi menghapus block yang telah ditandai untuk dihapus oleh sistem operasi. Namun fungsi TRIM memiliki efek atau nilai negatif bagi bidang forensik digital khususnya terkait dengan recovery data. Penelitian ini bertujuan untuk melakukan perbandingan fungsi TRIM disable dan enable guna mengetahui kemampuan tools forensics dan tools recovery dalam mengembalikan bukti digital pada SSD NVMe fungsi TRIM. Sistem operasi yang digunakan dalam penelitian ini adalah Windows 10 profesional dengan file system NTFS. Selama ini, teknik akuisisi umumnya digunakan secara tradisional atau static. Oleh karena itu diperlukan teknik untuk mengakuisisi SSD dengan menggunakan metode live forensics tanpa mematikan sistem operasi yang sedang berjalan. Penerapan metode live forensics digunakan untuk mengakuisisi SSD NVMe secara langsung pada fungsi TRIM disable dan enable. Tools yang digunakan untuk live akuisisi dan recovery adalah FTK Imager Portable dan Testdisk. Prosentase recovery TRIM disable menggunakan tool Autopsy dan Testdisk 100% sehingga dapat menemukan barang bukti dan menjaga integritas barang bukti, hal ini dibuktikan dengan nilai hash yang sama pada file asli dan file hasil recovery, Sedangkan tool Belkasoft hanya 3%. Sementara pada TRIM enable menggunakan tool Autopsy, Belkasoft, dan Testdisk 0%, file hasil recovery mengalami kerusakan dan tidak dapat di-recovery.

show abstract

“…The required digital evidence can be obtained using live forensics technique. Live forensics is a method used for handling computer crime and data recovery while the computer system is running [13]. Live forensics technique will be able to improve the results of digital evidence data recovery from the TRIM function on the NVMe SSD.…”

Section: Introductionmentioning

confidence: 99%

“…The advantages of live forensics method include faster investigation process, secure data integrity, more readable encryption technique and less memory imaging capacity compared to traditional forensic techniques [21][22]. In a research conducted by Soni et al [13], live forensics method was applied to perform data recovery while the virtual server was running. The live forensics virtual server process was carried out by using a proxmox virtual machine that provided backup features.…”

Section: Introductionmentioning

confidence: 99%

Live forensics method for acquisition on the Solid State Drive (SSD) NVMe TRIM function

Pranoto

¹

,

Riadi

²

,

Prayudi

³

2020

KINETIK

Self Cite

View full text Add to dashboard Cite

SSD currently has a new storage media technology namely Solid State Drive Non-volatile Memory Express (SSD NVMe). In addition, SSD has a feature called TRIM. The TRIM feature allows the operating system to tell SSDs which blocks are not used. TRIM removes blocks that have been marked for removal by the operating system. However, the TRIM function has a negative effect for the digital forensics specifically related to data recovery. This study aimed to compare the TRIM disable and enable functions to determine the ability of forensics tools and recovery tools to restore digital evidence on the NVMe SSD TRIM function. The operating system used in this study was Windows 10 professional with NTFS file system. Typically, acquisition is conducted by using traditional or static techniques. Therefore, there was a need of a technique to acquire SSD by using the live forensics method without shutting down the running operating system. The live forensics method was applied to acquire SSD NVMe directly to the TRIM disable and enable functions. The tools used for live acquisition and recovery were FTK Imager Portable. The inspection and analysis phases used Sleutkit Autopsy and Belkasoft Evidence Center. This research found that in the recovery process of TRIM disabled and enabled, TRIM disabled could find evidence while maintaining the integrity of evidence. It was indicated by the same hash value of the original file and the recovery file. Conversely, when TRIM is enabled, the files were damaged and could not be recovered. The files were also not identical to the original so the integrity of evidence was not guaranteed.

show abstract

“…The advantages of live forensics method include faster investigation process, secure data integrity, more readable encryption technique and less memory imaging capacity compared to traditional forensic techniques [21] [22]. In a research conducted by Soni et al [13], live forensics method was applied to perform data recovery while the virtual server was running. The live forensics virtual server process was carried out by using a proxmox virtual machine that provided backup features.…”

mentioning

confidence: 99%

Live Forensics Method for Acquisition on the Solid State Drive (SSD) NVMe TRIM Function

Pranoto

¹

,

Riadi

²

,

Prayudi

³

2020

KINETIK

Self Cite

3

0

View full text Add to dashboard Cite

SSD currently has a new storage media technology namely Solid State Drive Non-volatile Memory Express (SSD NVMe). In addition, SSD has a feature called TRIM. The TRIM feature allows the operating system to tell SSDs which blocks are not used. TRIM removes blocks that have been marked for removal by the operating system. However, the TRIM function has a negative effect for the digital forensics specifically related to data recovery. This study aimed to compare the TRIM disable and enable functions to determine the ability of forensics tools and recovery tools to restore digital evidence on the NVMe SSD TRIM function. The operating system used in this study was Windows 10 professional with NTFS file system. Typically, acquisition is conducted by using traditional or static techniques. Therefore, there was a need of a technique to acquire SSD by using the live forensics method without shutting down the running operating system. The live forensics method was applied to acquire SSD NVMe directly to the TRIM disable and enable functions. The tools used for live acquisition and recovery were FTK Imager Portable. The inspection and analysis phases used Sleutkit Autopsy and Belkasoft Evidence Center. This research found that in the recovery process of TRIM disabled and enabled, TRIM disabled could find evidence while maintaining the integrity of evidence. It was indicated by the same hash value of the original file and the recovery file. Conversely, when TRIM is enabled, the files were damaged and could not be recovered. The files were also not identical to the original so the integrity of evidence was not guaranteed.

show abstract

Server Virtualization Acquisition Using Live Forensics Method

Cited by 3 publications

References 2 publications

Perbandingan Tools Forensics pada Fitur TRIM SSD NVMe Menggunakan Metode Live Forensics

Perbandingan Tools Forensics pada Fitur TRIM SSD NVMe Menggunakan Metode Live Forensics

Live forensics method for acquisition on the Solid State Drive (SSD) NVMe TRIM function

Live Forensics Method for Acquisition on the Solid State Drive (SSD) NVMe TRIM Function

Contact Info

Product

Resources

About