Greetings,
Allow me to contribute another two pieces of the puzzle:
1) As data volumes and the number of devices increase, clients need to be willing to pay more for the analysis. The cost of the work isn't nearly proportional to the number of custodians these days.
2) Approaching the problem as a team rather than as an individual will yield better results. In addition to splitting the problem over multiple cores, split the problem over multiple people, each with deep domain knowledge and appropriate skills. The amount of work done by each individual may go down a bit, the total work done by the team will scale with the volume of data and number of devices, and there will be some additional overhead due to coordination. The overall efficiency, given a good team, should increase quite a bit. I know I'm much more efficient with additional eyes on the problem working in concert.
-David
I just use a forensic psychic.
Oops, my psychic tells me this might be off topic.
I also live in Austin, TX and must compete with Craig. Life is unfair like that.
Ciao,
Doc
Interestingly, I just ran into a problem relating to presumed "disproportional" analysis compared to data size growth.
The growth of analysis is exponential compared to a linear growth of data to analyze.
Are you suggesting . . . forensic crowd sourcing?
Mechanical Turk Computer Forensics Services.
Alas, I have passed that body size decades ago.
In my experience, the data storage capacity of most personal computers that land on my desk has increased from 60GB to an average of 500GB in the last three years. Every now and then, maybe once every two weeks, I am presented with a personal computer containing 2, maybe 3TB of data. Most of the data consists of commercial movie or music files, and frankly the size of the personal user related data seems to remain at a reasonable constant and has done so for the last year or two, with the odd exception. I wonder if this is a result of your average person just being able to deal with a limited amount of data, and as a consequence this data set has an upper limit?
We regularly perform preview triage type exams on exhibits with low intel (other items in the case will have passed for full exam) and have found that this type of limited exam is very successful at separating exhibits that are of no value to an inquiry from those that are of some value, and can be a good time and money saving exercise.
I have a theory that the ubiquity of locked down systems like the iPad, iPhone and tablet devices will result in most of these types of devices being virtually identical in nature from one case to the next, and as a result standard forensic processes could be applied, releasing time for analysts to work on the large data stuff. I base this on my impression that your average end user just wants the thing to work and has no desire to change systems that have been designed very well and do as asked. It's a bit like people always buying a Ford Focus, if you see what I mean!
So I don’t see it as the end of digital forensics, just a new beginning maybe.
The more I think about it, who cares how big the physical disks are. The only real issue I encounter with this is disk imaging, copying, verifying etc. Once I start taking it apart it really doesn't matter. If you are cutting up the data, parsing, processing, filtering properly, then it's a somewhat non-existent issue.
I think you are right.
The primary time constraint I run into is getting the data into a format I can analyze - that is, imaging, indexing, deculling, removing known data chunks, etc.
I think both forensic tools and equipment have increased in speed and efficiency, but not as fast as data storage size has.