DaP∀: Deconstruct and Preserve for All: A Procedure for the Preservation of Digital Evidence on Solid State Drives and Traditional Storage Media

2018 
Human error is often a cause of contamination of potential digital evidence and can jeopardise an entire case. One of the biggest problems is the data acquisition stage, which requires the Digital Forensic Analyst to make bit-for-bit copies of the seized device. This procedure, despite the use of write-blockers, can go wrong. The proposed Deconstruct and Preserve for All (DaP∀) procedure aims to mitigate the risk involved in exposing any data to these procedures and ensures that third parties get an exact match; the process works on SSDs, GPT-formatted devices, and other traditional formats, e.g. HDDs. The results show that a GPT, TRIM-enabled SSD imaged multiple times produces matching hashes on verification. With these results, it is proposed that DaP∀ be considered as a Standard Operating Procedure (SOP) when completing data acquisition.