Inproceedings
Deduplicated Disk Image Evidence Acquisition and Forensically-Sound Reconstruction
Contribution Summary
This research addresses the significant issue of the growing digital evidence backlog in law enforcement by presenting a system for deduplicated disk image evidence acquisition and forensically-sound reconstruction. The proposed system takes a centralized deduplicated acquisition and processing approach that enables automated, forensically-sound reconstruction of complete disk images. The authors focus on the implementation of the proposed system and on testing and analyzing its performance. The system's benefits include reduced storage and bandwidth requirements, improved transmission times for remote acquisitions, efficient processing of each new case, and a platform for non-expert evidence processing.
Keywords: deduplicated disk image evidence acquisition; forensically-sound reconstruction; digital evidence backlog; centralized acquisition and processing; automated analysis; non-expert evidence processing; storage and bandwidth reduction
Abstract
The ever-growing backlog of digital evidence waiting for analysis has become a significant issue for law enforcement agencies throughout the world. This is due to an increase in the number of cases requiring digital forensic analysis coupled with the increasing volume of data to process per case. This has created a demand for a paradigm shift in the method by which evidence is acquired, stored, and analyzed. The ultimate goal of the research presented in this paper is to revolutionize the current digital forensic process through the leveraging of a centralized deduplicated acquisition and processing approach. Focusing on this first step in digital evidence processing, acquisition, a system is presented enabling deduplicated evidence acquisition with the capability of automated, forensically-sound complete disk image reconstruction. As the number of cases acquired by the proposed system increases, more duplicate artifacts will be encountered, and the processing of each new case will become more efficient. This results in a time saving for digital investigators, and provides a platform to enable non-expert evidence processing, alongside the benefits of reduced storage and bandwidth requirements.
BibTeX
@inproceedings{du2018reconstruction,
author={Du, Xiaoyu and Ledwith, Paul and Scanlon, Mark},
title="{Deduplicated Disk Image Evidence Acquisition and Forensically-Sound Reconstruction}",
booktitle="{Proceedings of the 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications (TrustCom-18)}",
year=2018,
month=08,
address={New York, USA},
publisher={IEEE},
pages="1674-1679",
abstract="The ever-growing backlog of digital evidence waiting for analysis has become a significant issue for law enforcement agencies throughout the world. This is due to an increase in the number of cases requiring digital forensic analysis coupled with the increasing volume of data to process per case. This has created a demand for a paradigm shift in the method by which evidence is acquired, stored, and analyzed. The ultimate goal of the research presented in this paper is to revolutionize the current digital forensic process through the leveraging of a centralized deduplicated acquisition and processing approach. Focusing on this first step in digital evidence processing, acquisition, a system is presented enabling deduplicated evidence acquisition with the capability of automated, forensically-sound complete disk image reconstruction. As the number of cases acquired by the proposed system increases, more duplicate artifacts will be encountered, and the processing of each new case will become more efficient. This results in a time saving for digital investigators, and provides a platform to enable non-expert evidence processing, alongside the benefits of reduced storage and bandwidth requirements.",
doi={10.1109/TrustCom/BigDataSE.2018.00249},
}