Towards the Leveraging of Data Deduplication to Break the Disk Acquisition Speed Limit
Hannah Wolahan, Claudio Chico Lorenzo, Elias Bou-Harb, Mark Scanlon

TL;DR
This paper investigates using data deduplication techniques to overcome the physical read speed limits during digital evidence acquisition, aiming to reduce investigation backlogs and improve efficiency.
Contribution
It introduces a novel approach leveraging forensic data deduplication to enhance acquisition speed beyond traditional physical constraints.
Findings
Preliminary prototype shows potential speed improvements.
Deduplication reduces data transfer volume.
Potential to decrease investigation backlog.
Abstract
Digital forensic evidence acquisition speed is traditionally limited by two main factors: the read speed of the storage device being investigated (i.e., the read speed of the disk, memory, remote storage, mobile device, etc.), and the write speed of the system used for storing the acquired data. Digital forensic investigators can somewhat mitigate the latter issue through the use of high-speed storage options, such as networked RAID storage, in the controlled environment of the forensic laboratory. However, traditionally, little can be done to improve the acquisition speed past its physical read speed from the target device itself. The protracted time taken for data acquisition wastes digital forensic experts' time, contributes to digital forensic investigation backlogs worldwide, and delays pertinent information from potentially influencing the direction of an investigation. In a…
Taxonomy
Topics: Digital and Cyber Forensics · Cloud Data Security Solutions · Advanced Malware Detection Techniques
