Philip Penrose
Fast contraband detection in large capacity disk drives
Penrose, Philip; Buchanan, William J; Macfarlane, Richard
Authors
Prof Bill Buchanan B.Buchanan@napier.ac.uk
Professor
Rich Macfarlane R.Macfarlane@napier.ac.uk
Associate Professor
Abstract
In recent years the capacity of digital storage devices has been increasing at a rate that has left digital forensic services struggling to cope. There is an acknowledgement that current forensic tools have failed to keep up. The workload is such that a form of ‘administrative triage’ takes place in many labs where perceived low-priority jobs are delayed or dropped without reference to the data itself. In this paper we investigate the feasibility of first responders performing a fast initial scan of a device by sampling on the device itself. A Bloom filter is used to store the block hashes of large collections of contraband data. We show that by sampling disk clusters, we can achieve 99.9% accuracy scanning for contraband data in minutes. Even under the constraints imposed by low-specification legacy equipment, it is possible to scan a device for contraband with a known and controllable margin of error in a reasonable time. We conclude that in this type of case it is feasible to boot the device into a forensically sound environment and do a pre-imaging scan to prioritise the device for further detailed investigation.
Citation
Penrose, P., Buchanan, W. J., & Macfarlane, R. (2015). Fast contraband detection in large capacity disk drives. Digital Investigation, 12(S1), S22-S29. https://doi.org/10.1016/j.diin.2015.01.007
Journal Article Type | Conference Paper |
---|---|
Online Publication Date | Mar 6, 2015 |
Publication Date | 2015-03 |
Deposit Date | Mar 11, 2015 |
Publicly Available Date | May 15, 2017 |
Journal | Digital Investigation |
Print ISSN | 1742-2876 |
Publisher | Elsevier |
Peer Reviewed | Peer Reviewed |
Volume | 12 |
Issue | S1 |
Pages | S22-S29 |
DOI | https://doi.org/10.1016/j.diin.2015.01.007 |
Keywords | Disk sampling; Contraband detection; Digital forensics; Triage; Bloom filter; Sampling; Sample size |
Public URL | http://researchrepository.napier.ac.uk/id/eprint/7670 |
Files
Fast contraband in large capacity disk drives
(355 Kb)
PDF
Copyright Statement
© 2015 The Authors. Published by Elsevier Ltd on behalf of DFRWS. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).