Forensic signature for tracking storage devices: Analysis of UEFI firmware image, disk signature and windows artifacts

Doowon Jeong, Sangjin Lee

    Research output: Contribution to journal › Article › peer-review

    11 Citations (Scopus)

    Abstract

    Tracking storage devices is one of the important fields in digital forensics. The existing methods and tools for registry, event log, or IconCache analysis help solve cases involving confidential leakage, illegal copying, and security incidents. However, the previous approach has a drawback in tracking storage devices such as HDD, SSD, etc., since it was based on the good performance of USB device tracking. Another drawback of the previous approach is that it is vulnerable to anti-forensics because the artifacts are dependent on the operating system. This paper introduces a new definition of forensic signature for tracking various storage devices and reviews the known artifacts. Furthermore, this study introduces an unidentified artifact that is stored in the UEFI firmware image and is independent of the operating system. Moreover, this paper develops a methodology for tracking storage devices using the forensic signature according to the storage type.

    Original language: English
    Pages (from-to): 21-27
    Number of pages: 7
    Journal: Digital Investigation
    Volume: 29
    Publication status: Published - 2019 Jun

    Keywords

    • Digital investigation
    • Disk forensics
    • Disk serial number
    • Firmware image analysis
    • UEFI

    ASJC Scopus subject areas

    • Pathology and Forensic Medicine
    • Information Systems
    • Computer Science Applications
    • Medical Laboratory Technology
    • Law
