Entities (e.g., law enforcement entities) often obtain hard drive images for analysis over bandwidth limited WAN connections. When no additional technologies can be applied to increase the speed of the connection and no additional bandwidth can be attained, critical operations that rely on intelligence gathered from the timely analysis of drives are hindered. Improving the transmission process can result, for example, in tactical gains for law enforcement.
Although it might seem that one solution would compare files on the remote client hard drive to a list of existing files at the server side and send the difference, this approach would not create a forensic duplicate of the drive image and would miss analytically significant information that is outside of the file system, such as slack space data or deleted/partial files.