Rapid Forensic Acquisition of Large Media with Sifting Collectors

This award was competitively made in response to a proposal submitted by the Grier Forensic to a National Institute of Justice FY 2014 solicitation: "New Approaches to Digital Evidence Processing and Storage". The purpose of this award is develop a tool for forensic acquisition of digital media that only images regions expected to contain evidence while bypassing irrelevant regions, such as unallocated space. Forensic acquisition using this method will result in a sifted, compressed disk image, which can be used by existing forensic tools in place of a standard disk image. Grier Forensics proposes to carry out this work in partnership with the Louisiana chapter of the United States Secret Service's Cybercrime Task Force. The proposed work has significant value to law enforcement at all levels, by providing the means to substantially accelerate and focus forensic acquisition and therefore to store large volumes of digital evidence, all while preserving probative value, compatibility with existing tools, and workflows.
This project contains a research and/or development component, as defined in applicable law. nca/ncf

As submitted by the proposer: RAPID FORENSIC ACQUISITION OF LARGE MEDIA WITH SIFTING COLLECTORS. The standard process of forensic acquisition reads and duplicates every sector of every region of a drive. However, not all regions are of equal forensic value. Approximately half of a typical disk is completely blank—in its factory default state, never having been written to (Agrawal et al. 2007). Moreover, much of the disk that has been written to consists of files of little forensic relevance, such as unmodified standard operating system files (see Figure 1). Indeed, the first Grier Forensics Response to NIJ-2014-3727 Rapid Forensic Acquisition of Large Media with Sifting Collectors Page 4 part of forensic analysis typically consists of identifying and ignoring these standard files, using tools such as the National Institute of Standards and Technology’s National Software Reference Library Hash Set (NIST NSRL). Although forensic examiners may eventually remove these standard files from the acquired image, the process of acquiring them only to remove them slows acquisition by hours. Indeed, with current technology, most of the acquisition process is time wasted collecting blank space or irrelevant, standard files that will eventually be discarded. nca/ncf