In the field of computer forensics, forensics practitioners generally begin by identifying a collection of evidence stored in one or more digital formats. This collection of evidence may be stored on one or more digital storage devices, such as computer hard disks, flash memory cards, digital cameras, multimedia players, etc. In some of these cases, the original information storage device, for example one or more types of the above-mentioned digital storage devices, has been seized by law enforcement authorities and made available for data acquisition.
Typically, after identifying the subject storage devices related to the collection of evidence, the forensics practitioner makes duplicate copies of the data stored on the subject devices by placing the duplicated data on a new destination set of storage devices, possibly different in nature from the original storage device. This process is termed the acquisition phase. Because the subject storage devices are often read and copied sequentially from beginning to end, the acquisition phase may involve the transfer of large quantities of data. As such, the acquisition phase typically requires hardware having a high sequential data throughput. Consequently, forensics practitioners often use specialized computer hardware to perform acquisitions. This specialized computer hardware may also be used with data compression algorithms to facilitate the data acquisition and reduce the amount of memory needed for storage on the destination storage device.
Data compression has become fairly commonplace among computer users, and there are a variety of different data compression algorithms. One particular type of data compression algorithm, lossless data compression, allows the exact original data to be reconstructed from the compressed data. But, for any lossless data compression algorithm, there is a possibility that the data compression process will actually expand a given block of data rather than compress it.
In a computer forensics application, to make the most efficient use of electronic memory in the destination storage device, it is then advantageous to selectively compress only those portions, or blocks, of data that can be reduced in size by the compression algorithm. When a particular block of data expands, rather than contracts, after being subjected to the compression process, it is more efficient to simply copy the original data to the destination storage device unchanged. However, to make such a determination while maintaining the requisite high sequential data throughput, the specialized forensics device must be capable of quickly comparing the memory needed for both the compressed and the original representations of the given block of data, and copying the version requiring the least memory to the destination storage device.
It would therefore be desirable to have a system and method for quickly and accurately determining whether the data compression process will produce an expanded or compressed version of the original data, before the data is saved to the destination storage device. Embodiments of the invention provide such a system and method. These and other advantages of the invention, as well as additional inventive features, will be apparent from the description of the invention provided herein.