AccessData and Distributed Processing

AccessData has announced the release of distributed processing capabilities with its Forensic Toolkit® 3.0.4 (FTK®) release. When analyzing digital evidence, investigators must process the captured data to break out compound files and index documents and email so they can be searched effectively. Now each FTK user can leverage up to four processing workers: one on the local examiner computer and three on distributed computers… However, the enterprise-class solutions allow customers to scale out their distributed processing capabilities to leverage a centralized database and a distributed processing farm. This allows them to process terabytes of computer evidence in a fraction of the time it would normally take—without having to break the data into smaller batches to prevent their computers from crashing.

For example, in testing, AccessData processed a massive data set of 62,649,383 items, including well over 2 million emails and a total of 97,431 archive files that needed to be broken out. The compressed size of this data set was 1.28 terabytes. A data set this large would normally be divided into batches, with each batch processed separately on stand-alone machines. Depending on the hardware used, this could take a month to process with traditional tools. However, with AccessData’s distributed processing technology, it took only 6 days, 5 hours. After processing, the physical size of the resulting index alone was an impressive 800GB. Reducing the processing time of complex and large data sets by more than half is an invaluable capability for investigative organizations, federal agencies and corporations inundated with forensic analysis and eDiscovery case loads.

“This new capability will be integral in enabling investigative organizations at the state, local and federal levels to get a handle on their overwhelming caseload,” said Brian Karney, COO of AccessData. Corporate, law enforcement and government investigators traditionally find themselves waiting for days for data to be processed before they can effectively search and analyze the evidence. Through the use of distributed processing, these investigators will be able to reach the analysis phase faster, and thereby complete their investigations faster. Over the last few months this technology has been used by select organizations around the world as AccessData worked to finalize its development, and today distributed processing is available to all AccessData customers. To view testing metrics and learn more about distributed processing, please visit: www.accessdata.com/processing

About AccessData
AccessData has pioneered digital investigations for more than twenty years, providing the technology and training that empower law enforcement, government agencies and corporations to perform thorough computer investigations of any kind with speed and efficiency. Recognized throughout the world as an industry leader, AccessData delivers state-of-the-art computer forensic, network forensic, password cracking and decryption solutions. Its Forensic Toolkit® and network-enabled enterprise solutions allow organizations to preview, search for, forensically preserve, process and analyze electronic evidence. AccessData’s solutions address criminal and internal investigations, incident response, eDiscovery and information assurance. In addition, AccessData is a leading provider of digital forensics training and certification with its much-sought-after AccessData Certified Examiner® (ACE®) program. For more information on AccessData visit www.accessdata.com.

