Review: Digital Forensics Innovation: Searching a Terabyte of Data in 10 Minutes

DC ACM’s first presentation of the year, “Digital Forensics Innovation: Searching a Terabyte of Data in 10 Minutes”, was held at Google DC in Washington on January 7.  The presentation, given by Dr. Simson Garfinkel, Associate Professor at the Naval Postgraduate School in Monterey, California and ACM Fellow, focused on the analysis of digital data extracted from computers and electronic devices for legal reporting and testimony.

According to Garfinkel, the majority of the work in the digital forensics field has been in the first part of the data extraction process, which includes preparing policies, training, and tools, collecting and preserving data, and extracting saved data.  Garfinkel’s work focuses on improving the step that follows: the analysis of the extracted data.  As such, his presentation focused on the methods he uses to search extracted data and the challenges he faces when trying to do so.

Garfinkel explained that three principles form the basis of his research:  the importance of automation, the necessity of concentrating on invisible data (deleted and partially overwritten files, fragments of memory, and tool marks), and the importance of working with large amounts of data because a larger amount of data is more challenging to accurately analyze.

He continued by discussing the challenges facing those within the digital forensics field.  The diversity of the systems that must be analyzed and the continuous growth in the diversity of these systems over time makes it increasingly harder to create and maintain digital forensics software.  At the same time that the systems are becoming more diverse, they’re also storing more data, which means more data needs to be analyzed in the same short period of time.

Additionally, the deficiencies in human capital, including the abundance of under-qualified digital forensics developers, must be overcome.  The last challenge Garfinkel specified, unrealistic expectations, is the result of the ubiquity of crime shows in which digital forensics work is quickly performed and always successful.  The last segment of the presentation was focused on random sampling and sector hashing, the methods Garfinkel uses to analyze data.

For more details on this presentation, Garfinkel’s slides are available here: http://simson.net/ref/2013/2013-01-07%20Forensics%20Innovation.pdf.