Forensic signature for tracking storage devices

Analysis of UEFI firmware image, disk signature and windows artifacts

Doowon Jeong, Sangjin Lee

Research output: Contribution to journal › Article

Abstract

Tracking storage devices is one of the important fields in digital forensics. The existing methods and tools for registry, event log or IconCache analysis help solve cases of confidential leakage, illegal copying, and security incidents. However, the previous approach has a drawback in tracking storage devices such as HDDs, SSDs, etc., since it was based on the good performance of USB device tracking. Another drawback of the previous approach is that it is vulnerable to anti-forensics because the artifacts are dependent on the operating system. This paper introduces a new definition of forensic signature for tracking various storage devices and reviews the known artifacts. Furthermore, this study introduces an unidentified artifact that is stored in the UEFI firmware image and is independent of the operating system. Moreover, this paper develops a methodology for tracking storage devices using the forensic signature according to the storage type.

Original language: English
Pages (from-to): 21-27
Number of pages: 7
Journal: Digital Investigation
Volume: 29
DOI: 10.1016/j.diin.2019.02.004
Publication status: Published - 2019 Jun 1

Keywords

  • Digital investigation
  • Disk forensics
  • Disk serial number
  • Firmware image analysis
  • UEFI

ASJC Scopus subject areas

  • Pathology and Forensic Medicine
  • Information Systems
  • Computer Science Applications
  • Medical Laboratory Technology
  • Law

Cite this

Forensic signature for tracking storage devices: Analysis of UEFI firmware image, disk signature and windows artifacts. / Jeong, Doowon; Lee, Sangjin.

In: Digital Investigation, Vol. 29, 01.06.2019, p. 21-27.

@article{47c514bcd27942b7bfd088e34b33b14b,
title = "Forensic signature for tracking storage devices: Analysis of UEFI firmware image, disk signature and windows artifacts",
abstract = "Tracking storage devices is one of the important fields in digital forensics. The existing methods and tools about registry, event log or IconCache analysis help solving cases on confidential leakage, illegal copying, and security incident cases. However, previous approach has drawback in tracking storage devices such as HDD, SSD, and etc since it was based on the good performance of USB device tracking. Another drawback in previous approach is that it is vulnerable to anti-forensics because the artifacts are dependent on the operating system. This paper introduces a new definition of forensic signature for tracking various storage devices and reviews the known artifacts. Furthermore, this study introduces unidentified artifact stored in UEFI firmware image and independent of operating system. Moreover, this paper develops a methodology for tracking storage devices using forensic signature according to the storage type.",
keywords = "Digital investigation, Disk forensics, Disk serial number, Firmware image analysis, UEFI",
author = "Doowon Jeong and Sangjin Lee",
year = "2019",
month = "6",
day = "1",
doi = "10.1016/j.diin.2019.02.004",
language = "English",
volume = "29",
pages = "21--27",
journal = "Digital Investigation",
issn = "1742-2876",
publisher = "Elsevier Limited",

}

TY - JOUR

T1 - Forensic signature for tracking storage devices

T2 - Analysis of UEFI firmware image, disk signature and windows artifacts

AU - Jeong, Doowon

AU - Lee, Sangjin

PY - 2019/6/1

Y1 - 2019/6/1

AB - Tracking storage devices is one of the important fields in digital forensics. The existing methods and tools about registry, event log or IconCache analysis help solving cases on confidential leakage, illegal copying, and security incident cases. However, previous approach has drawback in tracking storage devices such as HDD, SSD, and etc since it was based on the good performance of USB device tracking. Another drawback in previous approach is that it is vulnerable to anti-forensics because the artifacts are dependent on the operating system. This paper introduces a new definition of forensic signature for tracking various storage devices and reviews the known artifacts. Furthermore, this study introduces unidentified artifact stored in UEFI firmware image and independent of operating system. Moreover, this paper develops a methodology for tracking storage devices using forensic signature according to the storage type.

KW - Digital investigation

KW - Disk forensics

KW - Disk serial number

KW - Firmware image analysis

KW - UEFI

UR - http://www.scopus.com/inward/record.url?scp=85062462970&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85062462970&partnerID=8YFLogxK

U2 - 10.1016/j.diin.2019.02.004

DO - 10.1016/j.diin.2019.02.004

M3 - Article

VL - 29

SP - 21

EP - 27

JO - Digital Investigation

JF - Digital Investigation

SN - 1742-2876

ER -