Gradually Improving the Forensic Process

S. Neuner, M. Mulazzani, S. Schrittwieser, E. Weippl:
"Gradually Improving the Forensic Process";
Talk: 4th International Workshop on Cyber Crime (IWCC), 2015, Toulouse, France; 24.08.2015 - 28.08.2015; in: "Proceedings of the 10th International Conference on Availability, Reliability and Security (ARES)", IEEE, (2015), pp. 404 - 410.

Abstract:


At the time of writing, one of the most pressing problems for forensic investigators is the huge amount of data to analyze per case. Not only does the number of devices increase due to the advancing computerization of everyday life, but the storage capacity of each and every device also rises into multi-terabyte storage requirements per case for forensic working images. In this paper we improve the standardized forensic process by proposing to use file deduplication across devices as well as file whitelisting rigorously in investigations, to reduce the amount of data that needs to be stored for analysis as early as during data acquisition. These improvements happen in an automatic fashion and are completely transparent to the forensic investigator. They can furthermore be added without negative effects on the chain of custody or artefact validity in court, and are evaluated in a realistic use case.