Note:
This awardee has received supplemental funding. This award detail page includes information about the supplemental awards but the information about the original award is unavailable.
Award Information
Description of original award (Fiscal Year 2016, $149,933)
As submitted by the proposer: RAPID FORENSIC ACQUISITION OF LARGE MEDIA WITH SIFTING COLLECTORS. The standard process of forensic acquisition reads and duplicates every sector of every region of a drive. However, not all regions are of equal forensic value. Approximately half of a typical disk is completely blank, in its factory default state, never having been written to (Agrawal et al. 2007). Moreover, much of the disk that has been written to consists of files of little forensic relevance, such as unmodified standard operating system files (see Figure 1). Indeed, the first part of forensic analysis typically consists of identifying and ignoring these standard files, using tools such as the National Institute of Standards and Technology's National Software Reference Library Hash Set (NIST NSRL). Although forensic examiners may eventually remove these standard files from the acquired image, the process of acquiring them only to remove them slows acquisition by hours. Indeed, with current technology, most of the acquisition process is time wasted collecting blank space or irrelevant, standard files that will eventually be discarded.
Grier Forensics Response to NIJ-2014-3727 Rapid Forensic Acquisition of Large Media with Sifting Collectors