CyanLine's High Speed Forensics

Research into Forensic Acquisition Performance

This research was funded by the National Institute of Justice under grant 2010-DN-BX-K254

The acquisition of digital evidence has needed more time than in the past, even though the maximum forensic acquisition rates of systems have increased. Certainly, one of the causes of longer acquisition times has been that disk capacities have increased at a greater rate than data transfer rates. However, it appears that inefficient techniques are another cause of slower forensic acquisitions.

The goal of the research has been to identify performance bottlenecks in forensic acquisitions. I have recently published a paper entitled Characteristics of Forensic Imaging Performance in the Journal of Forensic Sciences on some of the findings of this research.

This website is based upon that research, and provides a summary of some of the key findings. The menubar above provides access to charts highlighting the research findings, along with the raw data and software created to perform the testing. Available data includes acquisition timing data for dd and ewf on SSD and traditional hard disk drives. Data is also available for the impact of the output filesystem on overall acquisition time.

This research revealed that the factors listed below contribute greatly to the overall performance of a forensic acquisition. As an example, consider this chart showing the impact on performance when using a writeblocker.

Some highlights of the research revealed that:

  • The output format of the forensic image impacted throughput. DD was faster than E01, as shown in the estimator.
  • The filesystem used to store the forensic copy impacted throughput. FAT32 and Linux EXT4 were more efficient that NTFS.
  • The method used to access the output disk drive impacted througput. The SATA interface was most efficient, while USB 1.1 and 2.0 were least efficient
  • The use of a USB based writeblocker impacted performance. The writeblocker chart in results highlights the impact for the writeblocker tested.
  • The use of compression in EWF significantly impacted performance. Compression was found to significantly slow a forensic acquisition.
  • The block size of a data transfer impacted performance. (4096 appeared to be extremely efficient, especially when errors are present.)
  • The uniformity of the data impacted performance when acquiring using EWF and compression.

For more on the research detail, click here.

Try it out - estimate the performance time for an acquisition using dd and ewf based upon your paramters.
 comments powered by Disqus