The End of Digital Forensics?

38 Posts
22 Users
0 Likes
2,636 Views
Hwallbanger
(@hwallbanger)
Posts: 32
Eminent Member
 

Mr. Kelley, I am not trying to hijack anything.

Like on any other board or listserv on the Net, I am trying to add to the discussion about the END of Digital Forensics. This is the topic title. If this information is not considered part of the same discussion and within the known rules, then it is MY BAD and I respectfully request the members' understanding and apologies. I was unaware.

 
Posted : 30/03/2011 12:49 am
(@armresl)
Posts: 1011
Noble Member
 

Did Craig's original article feature different font colors and sizes?

BTW, the various colors and making your words bigger for emphasis is not really professional. Go through most all other posts and look for someone else posting things like that; you won't find it.

It is apparent to me that "rjpear's" and "gkelley's" comments do not take into consideration the presented articles within the above message, and that these supportive articles present a technology shift with the use of Solid State Drives. I am trying to add to the scope of this discussion thread.

You are seeing these drives being used wherever performance within a system is of great concern. They are being used to help speed up Vista and Win 7 systems and also to help with gaming systems' performance. They have been used within enterprise SANs, too. We will probably see their usage grow with the advent of Cloud interests due to performance issues also.

Rjpear says,

"I guess we said the same when the Megabyte drives jumped to Gigabyte drives."

BUT if you had read the quote from the message and also reviewed the supplied articles, you would see that he is truly guessing and Not commenting on the presented information. Megabyte drives are still using the same Hard Drive Technology. How is this the same as my added information about SSDs with NO Moving Parts and differing internal process technology? These drives are still NOT into Terabyte sizes, YET. This seems to be what he is NOT talking about.

gkelley's statement,

"that this article, though, is an extension of "the sky is falling" scenario …"

This statement should actually be directed to how this Threaded Discussion started.

I am presenting information on how the underlying technology of the storage industry is changing, in which the same Forensic tools can NOT reliably be used (as presented in the included articles' experimentation).

rjpear says,

" I assume the tool manufacturers will adjust to what the community needs and come up with something to make the job "do able"..

I hope.. "

If you read the included articles and then follow these changes, you will see that standards will need to be applied to this technology's coming shift. I do not foresee this immediate need happening in the near term.

The issues presented regarding the growth of storage size and inspection time to gather evidence will still be in play, but the largest difference that I see is the changing underlying technology that CF relies upon in investigating for evidence.

I hope that this helps to bring the presented information into the open and not just be skipped over and ignored. I thank the readers for their patience in presenting this new research and information.

 
Posted : 30/03/2011 1:26 am
BraindeadVirtually
(@braindeadvirtually)
Posts: 115
Estimable Member
 

Dragging the discussion back to the article just for a moment if I may…

the now-struggling e-discovery service providers who were profitable only while gouging customers

Nail, meet head. This last paragraph particularly resonates with my experiences…

 
Posted : 30/03/2011 3:24 pm
jhup
(@jhup)
Posts: 1442
Noble Member
 

Hmm… as others have implied, forensics is not just imaging. Collection, culling, deduplication, reviews, correlation, and even lack of information still require forensics.

It is disheartening to hear an attorney suggesting that e-discovery (the collection of visible, and readily available data) is the future of forensics, when there is ample evidence to the contrary.

Yes, many will give up at e-D. (It is the fattest cow and everyone wants a steak!) I venture to say the ones that hop on FF and ask "how do I…", when the answer is readily available, will be the ones who become e-D wizards, sages and gurus, often touted by the industry vendors.

I also think that the speed issue is a canard. Just as the size of drives increases, so does the speed of systems, and the 'quantity of systems' increases, in my opinion. Does anyone remember how long it took to image a Seagate ST-225?

The rest of us, who do not jump to eD permanently, will find a niche in reviewing surface-mount memory chips, correlating logs, recognizing artifacts (despite self-destruction), plotting relationship charts, tracking missing data and so on . . .

 
Posted : 30/03/2011 8:31 pm
BattleSpeed
(@battlespeed)
Posts: 36
Eminent Member
 

Not sure how much comfort we can take in the increasing use of hand-held and other small form-factor devices (with the implication of storage limitations).

The 64-GB iPhone is already a reality, and I think we can all guess where it's going from there. In a few years, you'll have a TB of storage in some format that will be the size of a grain of rice, requiring a nanowatt of power.

http://www.9to5mac.com/54940/that-64gb-iphone-is-real-and-could-be-a-sign-of-whats-to-come/

 
Posted : 31/03/2011 2:10 pm
(@jhowell920)
Posts: 3
New Member
 

In the argument of having to parse through the null values in an image just to get to what we are all here for (the data), there is a solution. ASR Data uses sparse files for imaging. In the realm of Linux, the OS can understand that one null is just like the next null. It will write out the actual data only when you acquire your image, and make reference to the amount of null space there was on the drive. In doing that, if you blow the image back out it will write the nulls in the correct place and give you a true bit-by-bit copy of the original. Yet your 1TB drive that has only 300GB of actual data, allocated and unallocated, will only be a 300 GB image, but still be a true and accurate copy.

Now the trick is to get Windows to be able to use these sparse files :D

 
Posted : 01/04/2011 8:52 pm
(@ellingtond)
Posts: 7
Active Member
 

Craig, thanks for a great article that summed up the fears that I see in our projects as well. Simply put, the copy speed has not kept up with the increase in drive size.

We do a lot of domestic work which requires field acquisitions. Many times these have to be done stealthily. With a tweaked forensic computer we can reliably get a 500GB drive or less in 2 hours. That is the limit I am willing to spend if I am worried about a suspect returning etc.

Now that we are encountering these 1.5 and 2TB drives in the field, it changes our ability to do that.

Here is my point: in the past the interface speeds have kept up with the drive sizes, but not anymore. In fact, many of these 1.5TB drives only run at 5400 rpm, which compounds the problem. SATA 3 doesn't help you copy a 2TB 5400 rpm SATA 2 drive any faster.

Are there some options with Smart images or other algorithms that can speed up these larger drives when 75% of the drive is null space?

I get frustrated having to image a 2TB drive with 80GB of data on it.

thx

Edit: For processing, storage and archiving we do convert the field DD images to hashed Smart images. IMHO everyone should be doing that, as the storage sizes are a lot smaller. It saves room on our lab systems to do it in Smart. We can convert back to DD if need be and the hashes are the same. AD FTK Imager does a great job with that.

 
Posted : 03/04/2011 8:42 pm
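The two posts above (jhowell920 on sparse-file imaging, ellingtond asking whether an image format can skip null space and still hash identically) describe one mechanism: the acquisition tool records only the non-zero runs and lets the filesystem represent the zero runs as holes, so the logical size and the hash of the image are unchanged while the bytes actually stored on disk shrink. The script below is an added example, not from the thread and not the ASR Data or FTK Imager implementation; it assumes Linux with GNU coreutils (`dd conv=sparse`, `stat -c`, `sha256sum`) and builds a small constructed "drive" of random data around an 8 MiB run of zeros to show the effect.

```shell
#!/bin/sh
# Added example: sparse acquisition of a raw image with GNU dd.
# Not the tools named in the thread; assumes Linux + GNU coreutils.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a constructed "drive": 1 MiB random data, 8 MiB of zeros, 1 MiB random
# data. The zeros are really written, like never-used sectors on a physical disk.
make_source_image() {
  img="$WORK/source.raw"
  head -c 1048576 /dev/urandom > "$img"
  dd if=/dev/zero bs=1048576 count=8 2>/dev/null >> "$img"
  head -c 1048576 /dev/urandom >> "$img"
  printf '%s\n' "$img"
}

# Acquire with dd, seeking over all-zero blocks instead of writing them, so the
# output file gets filesystem holes wherever the source had null space.
sparse_acquire() {
  dd if="$1" of="$2" bs=1048576 conv=sparse 2>/dev/null
}

# Logical size in bytes: what a reader (or a hash) sees.
logical_size() { stat -c %s "$1"; }

# Bytes the filesystem actually allocated (block count times block size).
allocated_bytes() {
  stat -c '%b %B' "$1" | awk '{ print $1 * $2 }'
}

image_hash() { sha256sum "$1" | cut -d' ' -f1; }

# True when both the hash and a byte-for-byte compare agree.
images_match() {
  [ "$(image_hash "$1")" = "$(image_hash "$2")" ] && cmp -s "$1" "$2"
}

# Demo run: logical sizes stay equal, allocation drops, content is identical.
src=$(make_source_image)
dst="$WORK/acquired.raw"
sparse_acquire "$src" "$dst"
printf 'logical:   %s -> %s bytes\n' "$(logical_size "$src")" "$(logical_size "$dst")"
printf 'allocated: %s -> %s bytes\n' "$(allocated_bytes "$src")" "$(allocated_bytes "$dst")"
images_match "$src" "$dst" && echo "content and SHA-256 identical"
```

The saving only appears on a filesystem that supports holes (ext4, XFS, Btrfs, tmpfs), and it is lost the moment the image is copied with a tool that does not preserve sparseness (`cp --sparse=always` or `rsync -S` keep it). Note that holes read back as zeros, so the hash of the sparse copy equals the hash of the full source; that is the property ellingtond relies on when converting between DD and compressed formats.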
(@jonathan)
Posts: 878
Prominent Member
 

Two points;

1. Overly dramatic headlines like "The End of Digital Forensics?" followed by an article which dismisses the headline are rather disingenuous.

2. The discussion has centered on the speed of acquisition of ever larger drives. Rather than work harder and rely on technological advancement why not work smarter? Where appropriate forensic triage, memory acquisition and live forensics can help focus imaging and analysis.

 
Posted : 04/04/2011 12:41 am
(@ellingtond)
Posts: 7
Active Member
 

Jonathan,

I agree with point two from a practical standpoint. But here in the US the law and the education of Judges and Attorneys lag behind technical realities.

If I don't copy an entire hard drive, then I took a shortcut and I obviously missed something / didn't do my job right.

I do fear that our jobs will get harder with encryption being commonplace, secure deletion being built into programs, and garbage data clouding relevant data to make investigative time/costs prohibitive. I would hate to have to rely solely on unspoiled subpoenaed evidence. . . .

 
Posted : 04/04/2011 12:50 am
(@gkelley)
Posts: 128
Estimable Member
 

Jonathan,

I agree with point two from a practical standpoint. But here in the US the law and the education of Judges and Attorneys lag behind technical realities.

If I don't copy an entire hard drive, then I took a shortcut and I obviously missed something / didn't do my job right.

I do fear that our jobs will get harder with encryption being commonplace, secure deletion being built into programs, and garbage data clouding relevant data to make investigative time/costs prohibitive. I would hate to have to rely solely on unspoiled subpoenaed evidence. . . .

As an expert, if you document your reasoning for not copying an entire job and back it up with solid scientific reasoning, you shouldn't have a problem explaining it in court.

 
Posted : 04/04/2011 1:15 am