Both the fields of digital forensics and electronic discovery generally rely on a phased approach to the preservation of evidential data. First the evidential data is “preserved” or “acquired”: a reasonably complete copy of the evidence is made while preserving evidential integrity (minimising, or entirely preventing, changes to the original target data storage device caused by the operation of the acquisition technique). Such activity is called by those versed in the art “forensic acquisition”, and such a copy a “forensic image”. A forensic image generally includes, along with the copied source data, a fingerprint (generally a cryptographic hash) of the source data, sufficient to detect any change in the copy. A forensic image is generally stored as a file or set of files known as an “Evidence Container”. Following this, the forensic image may be either directly investigated using a range of examination techniques or processed using a range of Input/Output (IO) and compute intensive interpretation techniques supporting functions such as data recovery and search operations.
Traditionally, forensic images are complete copies of every storage block of a target device, and are acquired sequentially (linearly) from the first storage block to the last storage block on the device. Such an image is referred to as a “physical image”, as it is a copy of the data in near physical form. Optionally, the content of the image may be compressed in a manner that supports random access to image content. Such a forensic image is generally stored in a specific format of file or group of files, commonly referred to as an “Evidence Storage Container”.
For example, traditional forensic practice is to power off the suspect system and physically remove permanent storage devices (e.g. hard drives) for acquisition. The storage device is then attached to a computer by External Serial ATA (eSATA), Universal Serial Bus (USB3) or another high speed storage interface, in such a manner that writes to the storage device are prevented (keeping its integrity intact). The contents of the storage device are then read from beginning to end, while copying the contents of each block of data to another attached storage device (the destination). Such copying techniques are generally limited by the maximum bandwidth of either the source or the destination device.
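The acquire-then-verify flow described above, as an added example that is not part of this document: plain files stand in for the source and destination devices (an assumption), a read-only open stands in for the hardware write blocker, and the sequential block copy produces a SHA-256 fingerprint stored beside the image so that any later change to the copy is detected.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 512  # sector-sized blocks, read in order from first to last

def acquire_image(source_path, image_path, block_size=BLOCK_SIZE):
    """Sequentially copy every block of the source to the image file, hashing
    the source bytes as they stream past, and store the SHA-256 fingerprint
    beside the image. Returns (fingerprint, blocks_copied)."""
    # Read-only open stands in for the hardware write blocker (assumption:
    # plain files play the role of the source and destination devices).
    digest = hashlib.sha256()
    blocks = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(block_size), b""):
            digest.update(block)  # fingerprint is over the source bytes
            dst.write(block)      # the final block may be shorter than block_size
            blocks += 1
    fingerprint = digest.hexdigest()
    with open(image_path + ".sha256", "w") as f:
        f.write(fingerprint + "\n")
    return fingerprint, blocks

def verify_image(image_path, block_size=BLOCK_SIZE):
    """Re-hash the stored image and compare it with the recorded fingerprint;
    any change to the copy, however small, makes this return False."""
    with open(image_path + ".sha256") as f:
        expected = f.read().strip()
    digest = hashlib.sha256()
    with open(image_path, "rb") as img:
        for block in iter(lambda: img.read(block_size), b""):
            digest.update(block)
    return digest.hexdigest() == expected

def demo():
    """Constructed sample: a 'device' of eight full sectors plus a 100-byte
    tail is imaged and verified, then one byte of the copy is flipped."""
    data = bytes(range(256)) * 16 + b"\x00" * 100  # 4196 bytes -> 9 blocks
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "device.bin")
        image = os.path.join(d, "device.raw")
        with open(source, "wb") as f:
            f.write(data)
        fingerprint, blocks = acquire_image(source, image)
        intact = verify_image(image)
        with open(image, "r+b") as f:  # simulate a one-byte change to the copy
            f.seek(1000)
            f.write(bytes([data[1000] ^ 0x01]))
        return fingerprint, blocks, intact, verify_image(image)
```

Calling demo() returns the fingerprint, 9 blocks copied, True for the untouched image and False once a single byte of the copy differs.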
Such a sequential acquisition technique is (assuming no bottleneck on output) the fastest method to produce a complete image, as reading from spinning-disk hard drive storage is most efficient when read sequentially from the start address to the end address. In 2014, commodity spinning platter (magnetic) drives may yield data at a rate of around 100-150 MB/s, and RAID arrays data rates of upwards of 300 MB/s. For such disks, non-sequential reads impose a latency penalty that can, in the worst cases, result in read rates in the realm of kilobytes per second, slowing the ability to acquire and analyse by orders of magnitude. Acquisition of the Random Access Memory (RAM) of a computer produces data rates orders of magnitude higher. Even at maximal read rates, today's large drives take many hours to copy, deferring the ability to undertake analysis activities until the acquisition task is finished, and interrupting business operations in a significant way.
It follows that a significant challenge in the practice of forensics is the time lag between acquisition and the subsequent undertaking of analysis tasks, resulting in delays in understanding whether there is relevant evidence stored in a particular computing device.
The challenges with existing forensic approaches include: delays in analysing a digital environment; potential loss of evidence due to incomplete or absent preservation; and destruction of evidence.
It will be clearly understood that, if a prior art publication is referred to herein, this reference does not constitute an admission that the publication forms part of the common general knowledge in the art in Australia or in any other country.