Forensic Hard Drive Imager Comparisons

Technical Report MSU-081110-2
November 2008

Jack Wesley Riley, Dr. David Dampier, Dr. Rayford Vaughn*
Mississippi State University

Abstract

The current trend of rapidly increasing hard drive capacity presents a challenge for the expedient analysis of digital evidence. Forensic investigators must sift through enormous amounts of data to discover information useful to an investigation. Before this analysis can be conducted, however, an authenticated working copy of the suspect hard drive must be obtained. As the size of hard drives increases, the time taken to produce that copy and begin analysis is greatly increased. This technical report investigates the current state of forensic hard drive imaging practice by conducting a timing analysis of the two foremost hard drive imagers.

Keywords: digital forensics, forensic imaging, hard drive imaging

* Readers may contact the authors through Jack Wesley Riley, Department of Computer Science and Engineering, P.O. Box 9637, Mississippi State University, Mississippi 39762, (662) 610-4700.

1. Introduction

Digital forensics activities, at the highest practical level of abstraction, can be grouped into three basic activities: acquisition, authentication, and analysis [6]. We commonly refer to these as the three A's of forensics. Acquisition is the process of acquiring the evidence that must be analyzed. It involves seizing media and equipment that might contain digital evidence and processing it for exploitation. It is commonly accepted as best practice to create two copies of all source media; the original evidence is then catalogued and stored for protection, and the copies are used for analysis. Since the original evidence is not used for analysis, a forensically acceptable process is necessary for proving that the copies used for analysis are identical to the original.
Authentication is necessary to prove that the working copies of the digital evidence are identical to the original source media. This is generally done by computing a cryptographic hash of both the original and the copy; if the hash values are equal, the copy is accepted as identical. Analysis is the process of exploring the copies of the original media to identify potential evidence and to provide corroborating support for non-digital evidence. This technical report focuses primarily on the first of these processes, acquisition, and secondarily on authentication, as it extends the work of [8], [9], and [10].

Hard disk imaging devices create an exact bit-for-bit duplicate of an original hard drive and at the same time calculate a cryptographic hash of the original and of the copies. With legislation such as the Sarbanes-Oxley Act requiring mandatory document retention [1], and large public cases such as those against Enron, Microsoft, and MCI WorldCom, in which huge amounts of data had to be analyzed, the need for high-speed disk imaging is paramount. In a panel presentation on digital forensics at the 2005 Colloquium on Information Systems Security Education, an FBI agent who worked on the Enron case reported approximately 43 terabytes of digital data that had to be acquired [2]. Analysis of digital forensic data is time intensive, so time saved during the acquisition phase can be spent on analysis. With the current growth in cyber crime, coupled with a shortage of skilled forensic examiners, there is a large backlog in processing and analyzing evidence. As the amount of evidence increases, the time required to make duplicate copies of media increases rapidly. The need for quick and reliable imaging has produced a number of software and hardware products designed specifically for hard drive imaging. These products have greatly varying capabilities.
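The acquire-then-authenticate sequence described above, as an added example that is not code from this report or from either imager it evaluates: the source is read once, every block is written to two working copies and fed to a running hash (the single-pass behaviour of a hardware imager), and each finished copy is then re-read and hashed independently, which is the authentication step. It also shows the caveat behind hash-based authentication: an unreadable block is zero-filled and logged so the acquisition completes, and both copies still authenticate against the imaging hash, but that hash no longer matches an independent hash of the undamaged original, so the bad-block log has to travel with the image. The in-memory FlakySource stand-in, the 512-byte-sector sample drive, SHA-256 (the report names no algorithm), and the zero-fill policy are assumptions of this example.

```python
"""Acquire and authenticate in one pass: image a source to two working
copies while hashing it, then verify each copy against the source hash.

Added example; not code from the MSU report or from either imager it
tests. Source and destinations are in-memory file objects so it runs
offline on constructed data. On a real acquisition the source would be a
block device opened read-only behind a write blocker and the destinations
two image files.
"""
import hashlib
import io
import random
import time

SECTOR = 512          # bytes per sector (assumed)
BLOCK = 64 * SECTOR   # read/write unit, 32 KiB


class FlakySource:
    """Constructed stand-in for a drive with one unreadable region.

    Any read overlapping bad_range=(start, end) raises IOError, as a
    real drive would for a bad sector; everything else reads normally.
    """

    def __init__(self, data, bad_range=None):
        self.buf = io.BytesIO(data)
        self.bad_range = bad_range

    def seek(self, pos):
        return self.buf.seek(pos)

    def read(self, n):
        pos = self.buf.tell()
        if self.bad_range and pos < self.bad_range[1] and pos + n > self.bad_range[0]:
            raise IOError("read error at offset %d" % pos)
        return self.buf.read(n)


def image_and_hash(src, dests, size, block_size=BLOCK, algo="sha256"):
    """Copy `size` bytes from src into every dest in one sequential pass.

    The source is read once; each block is written to all copies and fed
    to the hash, so the "source hash" covers exactly the bytes that went
    into the images. An unreadable block is replaced by zeros and its
    offset logged (dd conv=noerror,sync behaviour), so a bad sector
    changes the hash but does not abort the acquisition.
    """
    h = hashlib.new(algo)
    bad_blocks = []
    start = time.perf_counter()
    offset = 0
    while offset < size:
        n = min(block_size, size - offset)
        src.seek(offset)  # reposition explicitly so one failed block cannot skew later reads
        try:
            chunk = src.read(n)
            if len(chunk) != n:
                raise IOError("short read at offset %d" % offset)
        except IOError:
            bad_blocks.append(offset)
            chunk = b"\x00" * n
        h.update(chunk)
        for d in dests:
            d.write(chunk)
        offset += n
    seconds = time.perf_counter() - start
    return {"source_hash": h.hexdigest(), "bad_blocks": bad_blocks,
            "bytes": size, "seconds": seconds,
            "mib_per_s": size / (1024 * 1024) / seconds if seconds else float("inf")}


def hash_stream(stream, algo="sha256", block_size=BLOCK):
    """Authentication step: re-read a finished copy from the start and
    hash it independently of the imaging pass."""
    stream.seek(0)
    h = hashlib.new(algo)
    for chunk in iter(lambda: stream.read(block_size), b""):
        h.update(chunk)
    return h.hexdigest()


def acquire(data, bad_range=None, copies=2):
    """Run a full acquisition of `data` and report whether the copies
    authenticate against the imaging hash and against the pristine data."""
    src = FlakySource(data, bad_range)
    dests = [io.BytesIO() for _ in range(copies)]
    result = image_and_hash(src, dests, len(data))
    result["copies_authenticated"] = all(
        hash_stream(d) == result["source_hash"] for d in dests)
    # What an examiner gets by hashing the original drive separately;
    # possible here only because we still hold the undamaged bytes.
    result["matches_pristine"] = result["source_hash"] == hashlib.sha256(data).hexdigest()
    return result


# Constructed sample "drive": 512 sectors of deterministic pseudo-random bytes.
SAMPLE_DRIVE = bytes(random.Random(2008).getrandbits(8) for _ in range(512 * SECTOR))

if __name__ == "__main__":
    clean = acquire(SAMPLE_DRIVE)
    damaged = acquire(SAMPLE_DRIVE, bad_range=(100 * SECTOR, 101 * SECTOR))
    for name, r in (("clean", clean), ("bad sector 100", damaged)):
        print("%-15s hash=%s... copies ok=%s pristine=%s bad blocks=%s %.1f MiB/s" % (
            name, r["source_hash"][:16], r["copies_authenticated"],
            r["matches_pristine"], r["bad_blocks"], r["mib_per_s"]))
```

Running the script directly performs both acquisitions. The throughput figure is the quantity the report's timing experiments measure on real hardware; here it only reflects in-memory copying, but the same harness pointed at a block device and two image files would give comparable numbers for a software imager.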
In the past, no research findings have been published documenting these differences. This technical report presents a study comparing two of the most commonly used hardware-based forensic hard drive imagers and provides comparative results, so that a practitioner can determine the better option between the two devices. Specifically, it details the results of timing experiments conducted on the Image MASSter Solo III from Intelligent Computing Systems (ICS) and the Talon from Logicube. The report also serves as an overview of other research efforts designed to improve imaging science.

2. Storage as an Issue for Forensic Analysts

A trend over the last ten years has been ever-increasing hard disk storage availability. The amount of data a subject can store (and investigators have to sort through) has increased and will continue to increase with time. At the time of this writing, any end user can obtain two terabytes of storage for under $500 [7]. With the increase in affordable network bandwidth available to end users, most will consider a large amount of storage necessary for the copious data available for download. These two trends pose significant challenges for forensic analysts, not the least of which is finding increasingly efficient methods for obtaining and analyzing data. Researchers at the University of New Orleans reported that, using one of the most widely accepted forensic examination systems to index an eighty gigabyte hard drive, it took more than four days to organize the data enough to open a case [5]. They attribute the time taken to I/O limitations when handling large storage capacities. The same limitation presents a challenge for investigators analyzing the aforementioned two terabytes of user storage. Only when the case is opened and indexed can the investigator begin investigation and analysis, and this step often takes a considerable amount of time. Extrapolating linearly from those results (25 times the 80 GB case, roughly 100 days), an examiner could expect the indexing of two terabytes of storage to take over two months. In reality, the system resources of the forensics workstation would be exhausted and the indexing would fail. As the size of available data storage and the network bandwidth available to users increase, obtaining authenticated copies of data quickly enough to begin the forensic process is becoming much more difficult.

3. Current Research Efforts

There are research efforts focused on making forensic analysis more efficient. One such effort is being led by Dandass and is

