Thursday 22 December 2011

Digital Forensics in Wearable Computing

With the advent of wearable computing, the digital forensics community must prepare itself to analyze this technology. It is anticipated that these wearable devices will mainly be embedded microcomputers with flash memory (hard disk expansion is coming to an end and flash storage is up-and-coming). Thus, the scope of digital forensics/data recovery now extends to small-scale devices.

As such, the work conducted by Breeuwsma et al. (including my friend Mr. Klaver) [1] can be a pretty good reference because they explored embedded device storage for data recovery analysis. They looked at the low-level hexadecimal data of forty-five USB (universal serial bus) models and also mobile phones.

Before starting the actual analysis, they studied the physical and logical characteristics of flash technology. Data acquisition was then performed using several methods, such as a flasher tool, the JTAG port (usually used for testing/debugging) and, interestingly, removing the chip itself. After data acquisition was complete, file system analysis was done on the USB models and mobile phones (very technical) in order to extract the relevant data/digital evidence.

But the most intriguing part is the semi-invasive data acquisition. Please bear in mind that some jurisdictions do not allow the analysis to be disruptive in nature (unlike, e.g., blood sample analysis). This means the exhibit must be in working condition after the analysis is completed.

Most probably, it is acceptable if the relevant data is obtained, but it will be a big issue if nothing is found. The defense might contend that the exhibit has been destroyed and that no further evidence can be gathered.

But removing the chip and imaging it could be the best possible method to extract the relevant data (just like the typical hard disk imaging process). Perhaps this is the risk that the digital forensics community needs to take, and hopefully the method can be improved further.

[1] M. Breeuwsma, M. de Jongh, C. Klaver, R. van der Knijff and M. Roeloffs. “Forensic Data Recovery from Flash Memory.” The Small Scale Digital Device Forensics Journal, vol. 1, no. 1, June 2007.