The End of Digital Forensics?
BattleSpeed - Member
Re: The End of Digital Forensics?
Not sure how much comfort we can take in the increasing use of hand-held and other small form-factor devices (with the implication of storage limitations).
The 64-GB iPhone is already a reality, and I think we can all guess where it's going from there. In a few years, you'll have a TB of storage in some format that will be the size of a grain of rice, requiring a nanowatt of power.
www.9to5mac.com/54940/...s-to-come/
-
jhowell920 - Newbie
Re: The End of Digital Forensics?
To the argument of having to parse through the null values in an image just to get to what we are all here for (the data), there is a solution. ASR Data uses sparse files for imaging. In the realm of Linux, the OS can understand that one null is just like the next null. It will write out the actual data only when you acquire your image, and make reference to the amount of null space there was on the drive. In doing that, if you blow the image back out it will write the nulls in the correct place and give you a true bit-by-bit copy of the original. Yet your 1TB drive that has only 300GB of actual data, allocated and unallocated, will only be a 300GB image, but still be a true and accurate copy.
Now the trick is to get Windows to be able to use these sparse files.
-
ellingtond - Newbie
Re: The End of Digital Forensics?
Craig, thanks for a great article that summed up the fears that I see in our projects as well. Simply put, the copy speed has not kept up with the increase in drive size.
We do a lot of domestic work which requires field acquisitions. Many times these have to be done stealthily. With a tweaked forensic computer we can reliably get a 500GB drive or less in 2 hours. That is the limit I am willing to spend if I am worried about a suspect returning etc.
Now that we are encountering these 1.5 and 2TB drives in the field, it changes our ability to do that.
Here is my point: in the past the interface speeds have kept up with the drive sizes, but not anymore. In fact, many of these 1.5TB drives only run at 5400 rpm, which compounds the problem. SATA 3 doesn't help you copy a 2TB 5400 rpm SATA 2 drive any faster.
Are there some options with Smart images or other algorithms that can speed up these larger drives when 75% of the drive is null space?
I get frustrated having to image a 2TB drive with 80GB of data on it.
thx
Edit: For processing, storage and archiving we do convert the field DD images to hashed Smart images. IMHO everyone should be doing that, as the storage sizes are a lot smaller. It saves room on our lab systems to do it in Smart. We can convert back to DD if need be and the hashes are the same. AD FTK Imager does a great job with that.
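To make jhowell920's sparse-file point and ellingtond's "the hashes are the same" check concrete, here is an added Python example (not from the thread, and not the code of ASR Data, FTK Imager or any other vendor tool): it keeps only the non-null blocks of a constructed raw image, blows the image back out, and shows that the SHA-256 of the restored image matches the original. The block size and the sample "drive" layout are constructed for the demonstration.

```python
import hashlib

BLOCK = 4096  # detection granularity; a constructed choice, not a value from the thread

def sparse_image(raw: bytes, block: int = BLOCK):
    """Reduce a raw (dd-style) image to its non-null blocks.

    Returns (runs, total_len). runs holds (offset, data) for every block
    containing at least one non-null byte; all-null blocks are implied by
    the gaps, which is exactly what a sparse file does on disk.
    """
    runs = []
    for off in range(0, len(raw), block):
        chunk = raw[off:off + block]           # last chunk may be short
        if chunk.count(0) != len(chunk):       # any non-null byte -> keep it
            runs.append((off, chunk))
    return runs, len(raw)

def stored_size(runs) -> int:
    """Bytes that actually have to be written for the sparse image."""
    return sum(len(data) for _, data in runs)

def restore_image(runs, total_len: int) -> bytes:
    """Blow the sparse image back out to a full bit-for-bit raw image."""
    buf = bytearray(total_len)                 # nulls wherever the map has a gap
    for off, data in runs:
        buf[off:off + len(data)] = data
    return bytes(buf)

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def demo():
    """Constructed 1 MiB 'drive': mostly nulls, with data in three places."""
    raw = bytearray(1024 * 1024)
    raw[0:3] = b"MBR"                                     # boot sector stub
    raw[65536:73728] = (b"ALLOCATED-FILE-" * 600)[:8192]  # an allocated file
    tag = b"deleted-but-recoverable"                      # fragment in unallocated space
    raw[900000:900000 + len(tag)] = tag
    raw = bytes(raw)
    runs, total = sparse_image(raw)
    restored = restore_image(runs, total)
    return {"raw_len": total, "stored": stored_size(runs), "blocks_kept": len(runs),
            "hash_match": sha256(raw) == sha256(restored), "identical": raw == restored}

if __name__ == "__main__":
    print(demo())  # stored is about 1.6% of raw_len; hash_match and identical are True
```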
-
Jonathan - Senior Member
Re: The End of Digital Forensics?
Two points:
1. Overly dramatic headlines like "The End of Digital Forensics?" followed by an article which dismisses the headline are rather disingenuous
2. The discussion has centered on the speed of acquisition of ever larger drives. Rather than work harder and rely on technological advancement why not work smarter? Where appropriate forensic triage, memory acquisition and live forensics can help focus imaging and analysis.
_________________
Forensic Control
twitter.com/ForensicControl
St Bride Foundation, 14 Bride Lane, London, EC4Y 8EQ
-
ellingtond - Newbie
Re: The End of Digital Forensics?
Jonathan,
I agree with point two from a practical standpoint. But here in the US the law and the education of Judges and Attorneys lag behind technical realities.
If I don't copy an entire hard drive, then I took a shortcut and I obviously missed something / didn't do my job right.
I do fear that our jobs will get harder with encryption being commonplace, secure deletion being built into programs, and garbage data clouding relevant data to make investigative time/costs prohibitive. I would hate to have to rely solely on unspoiled subpoenaed evidence. . . .
-
gkelley - Senior Member
Re: The End of Digital Forensics?
- ellingtond
Jonathan,
I agree with point two from a practical standpoint. But here in the US the law and the education of Judges and Attorneys lag behind technical realities.
If I don't copy an entire hard drive, then I took a shortcut and I obviously missed something / didn't do my job right.
I do fear that our jobs will get harder with encryption being commonplace, secure deletion being built into programs, and garbage data clouding relevant data to make investigative time/costs prohibitive. I would hate to have to rely solely on unspoiled subpoenaed evidence. . . .
As an expert, if you document your reasoning for not copying an entire job and back it up with solid scientific reasoning, you shouldn't have a problem explaining it in court.
_________________
Greg Kelley, EnCE, DFCP
Vestige, Ltd
www.vestigeltd.com
-
BattleSpeed - Member
Re: The End of Digital Forensics?
It's 2012, and the suspect in question has a laptop, a 64-GB iPhone, and a desktop computer at work, as well as a game box. Then you find an external HD, and a collection of 2- to 32-GB USB sticks, as well as potentially relevant CDs and DVDs. Checking his system, you discover that he also has a backup "cloud" storage and file-sharing account, a hosted website and a YouTube channel with 86 videos posted. Naturally, he has a Facebook account as well as Twitter, with a few thousand "friends". Moreover, we have reason to think that some of his physical activity might have been captured by a variety of CCTV and access control systems. These, too, must be identified and examined.
But wait. That's just one of the suspects...and there are three others. You'd better have lots of collection and analytical horsepower as well as time.
I am not at all sanguine about the strategy of falling back on "explanations" to the court for an examination that defense counsel could characterize as "incomplete", "slipshod", "taking shortcuts", etc. The explanations might get past a judge in an evidence hearing, but it's not the judge we must be (most) concerned with - it's 12 people on a jury, who now believe in the "absolute power" of forensics (the CSI effect) and don't want to hear anything about "limitations" when it comes to such matters. These are also people who are aware of miscarriages of justice that have occurred when the forensics wasn't "done right" and will reject such evidence if there is even a whiff of "examiner incompetence", let alone the suggestion that evidence was "ignored", "discounted", "missed" or "overlooked".
Such "overlooked" evidence will, of course, be characterized by the defense as "potentially exculpatory" and the defense bears no burden to do more than introduce the element of doubt.
We have entered an era in which "digital forensics" literally means examination of the binary expressions and electronic detritus that are generated by the billions throughout an individual's entire day, 24x7, by a host of activities, including some of which he may not even be aware, and which may reside potentially anywhere in the world, and in a myriad of formats, both public and proprietary.
Of course it's not the "end of digital forensics", and the headline was obviously provocative. But it is certainly changing. What I think we can reasonably hope is that the forensic technology itself will rise to the challenge of multi-TB, multi-source, multi-format examinations...and that we will someday solve the other major problem - i.e., that of multi-jurisdictional and even multi-national investigations.
Last edited by BattleSpeed on Apr 04, 11 19:49; edited 2 times in total