The End of Digital Forensics?

by Craig Ball

When Microsoft introduced its Encrypting File System (EFS) in Windows 2000, the Cassandras of computer forensics peppered the listserves with predictions that the days of digital forensics were numbered. Ten years on and hundreds of systems acquired, I’ve yet to handle a case stymied by encryption—and 90% of my acquisitions were corporate machines, many with TPMs and fingerprint readers. Voluntary encryption turned out to be noencryption at all.The next sky falling threats to forensics were privacy tools and features. “Surely,” our Chicken Littles clucked, “everyone will run free tools that routinely wipe unallocated clusters and securely delete data!” Turns out, they only run the antiforensic tools right before the examiner arrives, and most such tools do a lousy job covering their tracks. Instead, we’ve come to see much morerevealing data and metadata created and retained by operating systems. The Windows Registry and all those logs and .dat files are like birthday presents from Bill Gates.Finally, there are the stormy forecasts about the Cloud. Absent dominion over physical storage media, digital forensics is indeed different. We need credentials to acquire data in the Cloud, and deletion tends to mean really gone. But the silver lining is that the portable devices used to access Cloud data tend to store so much information that they’re proving a cornucopia of case-making information. Are handhelds trickier to acquire? Sure. Are they less revealing? Not on your life!

But lately, one acorn that has fallen on my head and caused me to look warily aloft is the quantum leap in hard drive capacity. I suspect I’ve acquired more aggregate data in the last year than in all of the previous nine years put together. Not more media, mind you, more data. At least more nulls, but we’ve got to read those too, right?

Four 2TB hard drives proved barely enough capacity to hold the working copies of data acquired last weekend, even after I compressed some of it. It took two days to consolidate the various target media onto a pair of 2TB drives and thirteen hours to clone and hash each drive using the very latest drive-to-drive tools. Kudos to Voom Technologies, Inc. (voomtech.com) for its terrific Hardcopy 3P hard drive data capture unit. At 5+GB per minute, it’s a data moving marvel. I shudder to think how long the imaging and cloning would have taken using the usual software imaging tools over USB 2.0, but I’m certain I’d still be freezing my ass off in a server room in Louisiana but for Hardcopy.

The upside of a hardware imager is that it’s incredibly fast. The downside is that you’ve got to grab the entire drive. So you’re offsite faster, but the data volume to process back in the lab is huge now that we’re encountering terabyte drives in the field. Seek to acquire anything less than the entire drive (as is common in e-discovery collection efforts), and you’re relegated to the interface speed–typically USB 2.0 for an external hard drive unless you crack the enclosure and get the drive write blocked and on bus, USB 3.0 or eSATA. Note to self: Add glue to field kit for when plastic tabs break off while opening shoddy enclosures.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.


At USB 2.0 transfer speeds, multi-terabyte acquisitions are measured in days, not hours. I’m a good lawyer, but I haven’t found a loophole in the laws of physics that govern transfer speeds. Moving lots of data takes too long.

Of course, terabyte data volumes also slow search, indexing, volume refinement, file carving and other key tasks. Most of the volume is nulls, but you have to read those nulls at least once to identify and ignore them. If you acquire drives raw and fast, you’ll invest time back at the lab to compress the data. It all ratchets up the cost of digital forensics, tending to make it less accessible in civil cases and adding to budget burdens of law enforcement.

If you’re thinking, “more hours mean more money to me,” beware. That’s golden goose money. Like the now-struggling e-discovery service providers who were profitable only while gouging customers, profiting near-term from what destroys your business long term is not sustainable. In the end, the commercial viability of computer forensics flows from its broad acceptance and use, fostered by reducing its cost.

We need faster ways to leave those nulls behind, or those predicting the end of forensics may end up being right…finally.

Click here to discuss this article.

Read Craig’s previous columns

Craig Ball is a globetrotting Texas lawyer who limits his practice to service as a court-appointed special master and consultant in computer forensics and electronic discovery. Notwithstanding formal training and multiple certifications in computer forensics, Craig credits a lifelong passion to understand how things work and be able to explain it to others as his most cherished credential. Craig writes the award-winning Ball in Your Court column on electronic discovery for Law Technology News and is the author of numerous articles on e-discovery and computer forensics, many available at www.craigball.com

Leave a Comment