Gradually Improving the Forensic Process

Sebastian Neuner, Martin Mulazzani, Sebastian Schrittwieser, Edgar Weippl
2015 10th International Conference on Availability, Reliability and Security
At the time of writing, one of the most pressing problems for forensic investigators is the huge amount of data to analyze per case. Not only does the number of devices increase due to the advancing computerization of everyday life, but the storage capacity of each and every device also rises, leading to multiterabyte storage requirements per case for forensic working images. In this paper we improve the standardized forensic process by proposing to use file deduplication across devices as well as file whitelisting rigorously in investigations, to reduce the amount of data that needs to be stored for analysis as early as during data acquisition. These improvements happen in an automatic fashion and are completely transparent to the forensic investigator. They can furthermore be added without negative effects on the chain of custody or artefact validity in court, and are evaluated in a realistic use case.
doi:10.1109/ares.2015.32 dblp:conf/IEEEares/NeunerMSW15 fatcat:t3ywfiy3gvfrngagsg5et5cbsy