Premium
Characteristics of Forensic Imaging Performance—An Analysis of Forensic Imaging Bottlenecks
Author(s) -
Branigan Steven
Publication year - 2013
Publication title -
journal of forensic sciences
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.715
H-Index - 96
eISSN - 1556-4029
pISSN - 0022-1198
DOI - 10.1111/1556-4029.12083
Subject(s) - terabyte , usb , copying , computer science , digital forensics , bottleneck , reading (process) , transfer (computing) , computer forensics , computer hardware , operating system , embedded system , software , political science , law
Disk imaging involves copying all of the data from a source disk drive to a target. Typically, the target for the copy is another disk drive. Forensic processes developed years ago do not appear to be adequate for current storage technology. For example, with disk drive capacities now exceeding 1 Terabyte, a typical disk imaging can take over 8 hours at typical rates. With disk drive capacities increasing, forensic copying is expected to take even longer. Along with increase in disk capacity, the industry has also seen an increase in data transfer rates. In many cases, forensic imaging is taking longer than necessary. To identify the bottlenecks, an examination of different methods used to transfer data from a source disk was performed. Factors considered were differing disk access technologies. One finding is that the USB disk access technology (version 2.0 and earlier) is a significant bottleneck for data transfer rates, especially when the USB device is a write‐blocker. Other factors that contribute to the efficiency of a forensic copy are the file system used to write a forensic image and the data transfer size used when reading from a disk drive. Optimal parameters for performing a forensic acquisition from a disk drive are identified.