by Craig Ball
But lately, one acorn that has fallen on my head and caused me to look warily aloft is the quantum leap in hard drive capacity. I suspect I’ve acquired more aggregate data in the last year than in all of the previous nine years put together. Not more media, mind you, more data. At least more nulls, but we’ve got to read those too, right?
Four 2TB hard drives proved barely enough capacity to hold the working copies of data acquired last weekend, even after I compressed some of it. It took two days to consolidate the various target media onto a pair of 2TB drives and thirteen hours to clone and hash each drive using the very latest drive-to-drive tools. Kudos to Voom Technologies, Inc. (voomtech.com) for its terrific Hardcopy 3P hard drive data capture unit. At 5+ GB per minute, it’s a data-moving marvel. I shudder to think how long the imaging and cloning would have taken using the usual software imaging tools over USB 2.0, but I’m certain I’d still be freezing my ass off in a server room in Louisiana but for Hardcopy.
The upside of a hardware imager is that it’s incredibly fast. The downside is that you’ve got to grab the entire drive. So you’re offsite faster, but the data volume to process back in the lab is huge now that we’re encountering terabyte drives in the field. Seek to acquire anything less than the entire drive (as is common in e-discovery collection efforts), and you’re relegated to the interface speed, typically USB 2.0 for an external hard drive, unless you crack the enclosure and get the drive write blocked and directly on the bus, whether USB 3.0 or eSATA. Note to self: add glue to the field kit for when plastic tabs break off while opening shoddy enclosures.
At USB 2.0 transfer speeds, multi-terabyte acquisitions are measured in days, not hours. I’m a good lawyer, but I haven’t found a loophole in the laws of physics that govern transfer speeds. Moving lots of data takes too long.
Of course, terabyte data volumes also slow search, indexing, volume refinement, file carving and other key tasks. Most of the volume is nulls, but you have to read those nulls at least once to identify and ignore them. If you acquire drives raw and fast, you’ll invest time back at the lab to compress the data. It all ratchets up the cost of digital forensics, tending to make it less accessible in civil cases and adding to the budget burdens of law enforcement.
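The two points above (every byte of a raw image has to be read once to be hashed and classified, but once the null regions are mapped they never need to be read again) can be shown in a few dozen lines. The following script is an added example written for this column, not a Voom or Hardcopy tool and not code from the author; it builds a small constructed "raw image" of 16 blocks, makes one sequential pass that computes the verification hash and a per-block null map, then writes a sparse copy that stores only the data blocks and verifies the copy hashes identically. The 4 KiB block size, the file names and the sample contents are assumptions for the demonstration.

```python
import hashlib
import os
import tempfile

BLOCK = 4096  # assumed analysis granularity; real tools often use sector or cluster size


def scan_image(path, block_size=BLOCK):
    """One sequential pass over a raw image.

    Every byte is read exactly once: SHA-256 is computed over the whole image
    (the verification hash) and each block is classified as null (all 0x00) or
    data. The resulting null map lets later tasks skip empty regions without
    reading them a second time.
    """
    sha = hashlib.sha256()
    null_map = []  # True for blocks that are entirely zero
    zero_block = bytes(block_size)
    with open(path, "rb") as f:
        while True:
            chunk = f.read(block_size)
            if not chunk:
                break
            sha.update(chunk)
            null_map.append(chunk == zero_block[: len(chunk)])
    return sha.hexdigest(), null_map


def null_runs(null_map):
    """Collapse the per-block map into (start_block, length) runs of null blocks."""
    runs = []
    start = None
    for i, is_null in enumerate(null_map):
        if is_null and start is None:
            start = i
        elif not is_null and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(null_map) - start))
    return runs


def data_blocks(null_map):
    """Indices of the blocks that actually hold something worth searching or carving."""
    return [i for i, is_null in enumerate(null_map) if not is_null]


def write_sparse_copy(src, dst, null_map, block_size=BLOCK):
    """Write only the data blocks; seek over null blocks so the filesystem stores holes.

    The copy is byte-for-byte identical to the source (the hash proves it) but
    consumes roughly only as much disk as the data blocks.
    """
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for is_null in null_map:
            chunk = fin.read(block_size)
            if is_null:
                fout.seek(len(chunk), os.SEEK_CUR)
            else:
                fout.write(chunk)
        fout.truncate()  # materialise a trailing hole so the logical size matches
    return dst


def make_sample_image(path, block_size=BLOCK):
    """Constructed sample: 16 blocks, all zero except blocks 1, 2 and 9."""
    with open(path, "wb") as f:
        for i in range(16):
            if i in (1, 2, 9):
                f.write(bytes([i]) * block_size)  # non-zero filler standing in for file data
            else:
                f.write(bytes(block_size))
    return path


def demo():
    """Run the full pass on the constructed image and return the measurable results."""
    tmp = tempfile.mkdtemp()
    src = make_sample_image(os.path.join(tmp, "raw.dd"))
    digest, nmap = scan_image(src)
    dst = write_sparse_copy(src, os.path.join(tmp, "sparse.dd"), nmap)
    digest_copy, _ = scan_image(dst)
    return {
        "blocks": len(nmap),
        "null_blocks": sum(nmap),
        "null_runs": null_runs(nmap),
        "data_blocks": data_blocks(nmap),
        "hash_matches": digest == digest_copy,
        "logical_size": os.path.getsize(dst),
    }


if __name__ == "__main__":
    print(demo())
```

On the 16-block sample, 13 blocks are null, the null map collapses to three runs, and only blocks 1, 2 and 9 need to be handed to search, indexing or carving; the sparse copy still reports the full 64 KiB logical size and the same SHA-256 as the original, which is what makes leaving the nulls behind defensible as an evidence-handling step.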
If you’re thinking, “more hours mean more money to me,” beware. That’s golden goose money. Like the now-struggling e-discovery service providers who were profitable only while gouging customers, profiting near-term from what destroys your business long term is not sustainable. In the end, the commercial viability of computer forensics flows from its broad acceptance and use, fostered by reducing its cost.
We need faster ways to leave those nulls behind, or those predicting the end of forensics may end up being right…finally.
Craig Ball is a globetrotting Texas lawyer who limits his practice to service as a court-appointed special master and consultant in computer forensics and electronic discovery. Notwithstanding formal training and multiple certifications in computer forensics, Craig credits a lifelong passion to understand how things work and be able to explain it to others as his most cherished credential. Craig writes the award-winning Ball in Your Court column on electronic discovery for Law Technology News and is the author of numerous articles on e-discovery and computer forensics, many available at www.craigball.com