Selective Imaging Revisited

The standard procedure for acquiring digital evidence in a forensic investigation is to produce a bit-wise 1:1 copy of all data on a storage device. This is commonly called imaging, and with today's storage capacities it is becoming a bottleneck in digital investigations. The notion of selective imaging was introduced by Turner in 2005 to describe the decision not to acquire all available data during the evidence capture process. In this paper we define the term selective imaging precisely and generalize the concept so that data objects can be acquired in any combination and from any level of abstraction. We have implemented this approach as a plugin for the open source Digital Forensics Framework (DFF), using a container format based on the Advanced Forensic Framework 4 (AFF4). We present design and implementation details as well as a performance evaluation.
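To make the idea concrete, the following added example (written for this page, not code from the paper, the DFF plugin or the AFF4 library) implements a minimal selective-imaging routine in Python. Each selected data object is recorded with the physical byte range it came from, the abstraction level at which the examiner chose it, and a SHA-256 hash, so that what was acquired can later be verified both against the container and against the original device; the unacquired remainder can be rebuilt as a zero-filled sparse image. The `DataObject` and `Container` names, the level labels ("block", "file") and the 8 KiB test disk are assumptions constructed for the example.

```python
"""Minimal selective imaging: acquire only chosen data objects from a
byte-addressable source, record provenance and hashes, rebuild a sparse
image.  Illustrative code, not the DFF plugin or the AFF4 format."""
import hashlib
import json
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DataObject:
    """One object the examiner decided to acquire.  `level` is the
    abstraction layer it was selected at (assumed labels: "block",
    "partition", "file"); the physical byte range is what gets stored."""
    name: str
    level: str
    offset: int
    length: int


@dataclass
class Container:
    source_size: int
    source_description: str
    objects: list = field(default_factory=list)   # provenance records
    data: dict = field(default_factory=dict)      # name -> bytes


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def selective_image(source: bytes, selections, description="source") -> Container:
    """Copy only the selected byte ranges out of `source`.  Overlapping,
    out-of-range or duplicate selections are refused so the provenance
    record stays unambiguous."""
    c = Container(source_size=len(source), source_description=description)
    prev_end = 0
    for sel in sorted(selections, key=lambda s: s.offset):
        end = sel.offset + sel.length
        if sel.offset < 0 or sel.length <= 0 or end > len(source):
            raise ValueError(f"{sel.name}: range [{sel.offset}, {end}) outside source")
        if sel.offset < prev_end:
            raise ValueError(f"{sel.name}: overlaps a previous selection")
        if sel.name in c.data:
            raise ValueError(f"{sel.name}: duplicate object name")
        chunk = source[sel.offset:end]
        c.objects.append({"name": sel.name, "level": sel.level,
                          "offset": sel.offset, "length": sel.length,
                          "sha256": _sha256(chunk)})
        c.data[sel.name] = chunk
        prev_end = end
    return c


def verify(c: Container) -> bool:
    """Integrity: stored objects still match the hashes recorded at acquisition."""
    for o in c.objects:
        chunk = c.data.get(o["name"])
        if chunk is None or len(chunk) != o["length"] or _sha256(chunk) != o["sha256"]:
            return False
    return True


def verify_against_source(c: Container, source: bytes) -> bool:
    """Corroboration: the acquired objects still match the original device."""
    if len(source) != c.source_size:
        return False
    return all(_sha256(source[o["offset"]:o["offset"] + o["length"]]) == o["sha256"]
               for o in c.objects)


def sparse_image(c: Container) -> bytes:
    """Lay acquired objects back at their physical offsets; everything that
    was not acquired is zero-filled, so flat-image tools can still read it."""
    image = bytearray(c.source_size)
    for o in c.objects:
        image[o["offset"]:o["offset"] + o["length"]] = c.data[o["name"]]
    return bytes(image)


def acquired_bytes(c: Container) -> int:
    return sum(o["length"] for o in c.objects)


def provenance_json(c: Container) -> str:
    """Metadata half of the container (the part AFF4 would carry as RDF)."""
    return json.dumps({"source": c.source_description,
                       "source_size": c.source_size, "objects": c.objects}, indent=2)


# Constructed 8 KiB "disk": boot sector ending in 0x55AA and a small "file".
_disk = bytearray(8192)
_disk[0:12] = b"FAKEBOOTCODE"
_disk[510:512] = b"\x55\xaa"
_disk[4096:4120] = b"root:x:0:0:root:/root:/\n"
SOURCE = bytes(_disk)

SELECTIONS = [DataObject("boot_sector", "block", 0, 512),
              DataObject("etc_passwd", "file", 4096, 24)]


def demo() -> Container:
    c = selective_image(SOURCE, SELECTIONS, "constructed 8 KiB test disk")
    assert verify(c) and verify_against_source(c, SOURCE)
    return c


if __name__ == "__main__":
    cont = demo()
    print(provenance_json(cont))
    print(f"acquired {acquired_bytes(cont)} of {cont.source_size} bytes")
```

The two verification functions separate the two questions an examiner is asked in court: has the container been altered since acquisition (`verify`), and does it still correspond to the device it was taken from (`verify_against_source`). Refusing overlapping selections is deliberate; a byte that appears in two objects with two different level labels has two provenance records, which is exactly the ambiguity a container format should not allow.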

[1] Felix C. Freiling, et al. Selektion vor der Sicherung [Selection before acquisition], 2010, Datenschutz und Datensicherheit - DuD.

[2] Vassil Roussev, et al. Digital Forensic Tools: The Next Generation, 2006.

[3] David A. Patterson, et al. Latency lags bandwith, 2004, CACM.

[4] Philip Turner, et al. Digital provenance - interpretation, verification and corroboration, 2005, Digit. Investig.

[5] Michael Cohen, et al. Hash based disk imaging using AFF4, 2010.

[6] Philip Turner, et al. Unification of Digital Evidence from Disparate Sources (Digital Evidence Bags), 2005, DFRWS.

[7] Felix C. Freiling, et al. Selektion vor der Sicherung: Methoden zur effizienten forensischen Sicherung von digitalen Speichermedien (Schwerpunkt) [Selection before acquisition: methods for the efficient forensic acquisition of digital storage media], 2010.

[8] Philip Turner, et al. Selective and intelligent imaging using digital evidence bags, 2006, Digit. Investig.

[9] Philip Turner, et al. Applying a forensic approach to incident response, network investigation and system administration using Digital Evidence Bags, 2007, Digit. Investig.

[10] Bradley L. Schatz, et al. Extending the advanced forensic format to accommodate multiple data sources, logical evidence, arbitrary information and forensic workflow, 2009, Digit. Investig.

[11] Eoghan Casey, et al. Digital Evidence and Computer Crime - Forensic Science, Computers and the Internet, 3rd Edition, 2011.

[12] Edward Grochowski, et al. Technological impact of magnetic hard disk drives on storage systems, 2003, IBM Syst. J.

[13] Brian D. Carrier, et al. File System Forensic Analysis, 2005.

[14] Graeme R. Cole. Estimating Drive Reliability in Desktop Computers and Consumer Electronics, 2003.