
Too Much Data
An incredible amount of digital data is created yearly by individuals, businesses, and governments, all of which has to be stored somewhere. The question arises as to just how much digital data is currently stored on personal electronic devices or in archival storage systems. No one really knows for sure, but it was estimated that the amount of data generated worldwide in 2013 reached 4 Zettabytes.[1] One Zettabyte (10^21 bytes) of data is probably equivalent to all the grains of sand found on all the beaches on Earth. As immeasurable and incomprehensible as this number is, the government's "Brain Research through Advancing Innovative Neurotechnologies Initiative," a plan to essentially map the human brain, could eventually entail storing Yottabytes (10^24 bytes) of data![2] Management of data will continue to accelerate the need for faster processing and increased storage capacity on individual personal electronic devices and greater archival storage capacities for business and government. (See the "Data Storage Issues" columns in DFI News Digital Forensic Investigator Magazine: Fall 2013, Spring 2014, and Summer 2014 issues.)

There are hundreds of millions of desktops and laptops already in use, any of which could be the target of an investigation. In many instances, examiners are already overwhelmed with the number of these devices requiring analysis, directly leading to large case backlogs. Similarly, there are hundreds of millions of smartphones and tablets that could also be the target of an investigation. Unlike desktops and laptops, their use continues to proliferate. In 2013, the sales of smartphones and tablets reached 225 million[3] and 184 million[4] units respectively. As this trend continues, smartphones and tablets will eventually become the prevalent communication devices used by individuals, exponentially increasing the amount of potential probative data. The stored data could not only include e-mails, SMS, contact lists, geo-location information, and call histories, but also data such as stored pictures and videos, documents, mapping search histories, and facial images (which are stored in images and videos), all of which could be probative evidence. This will only increase the pressure on examiners to analyze the data for evidentiary purposes in an efficient and timely manner.

Likewise, archival business storage is increasing daily as businesses collect vast amounts of data from customer interactions, internal operations, and many other sources. When analyzed, this data often leads to useful predictions, business trends, recommendations to R&D departments, increased products and services, and other competitive advantages. Much of the data is proprietary, making it a potential target for internal security breaches, insider trading, and external hackers. The task of examining archival storage systems for instances of security intrusions is generally well beyond the scope of what can be accomplished by most examiners using common forensic tools.

The Challenge
The era of "Big Data" is already upon us, and the continued exponential growth of electronic devices and archival storage capacity will soon reach a crisis point regarding digital forensic analysis and investigations. Overworked examiners and investigators are already fighting a losing battle having to deal with the number of devices involved in current investigations and the sheer volume of data they contain (which has grown much faster than the traditional methodology and forensic tools for evaluating and examining the data). Also, examiners face a number of considerable shortcomings and difficulties when using some of the commercially available forensic tools. Many of them are costly, extremely complex to use, can only analyze one data source at a time, and require extensive examiner training in order to use them effectively. As data sources continually increase in size, complexity, and type, forensic tools have begun to take longer to perform specific functions. In some instances, the forensic tool of choice is not able to analyze a source at all, forcing the examiner to use another forensic tool. Additionally, the more sophisticated and diversified the forensic tools become, the less efficient they seem to be at analyzing a sufficient volume of evidence each day in a timely manner, which leads to further increases in case backlogs. Just maintaining the status quo for many agencies can become a cost-prohibitive venture, as they have to purchase multiple licenses for a given forensic tool, purchase different forensic tools, budget for examiner training, and so forth. Yet this is the norm in today's digital forensics environment. Many examiners continue to analyze data using common forensic tools and then end up having to try to manually correlate the evidence to present it in a meaningful manner to an investigator. Not only is this time consuming and inefficient, it also contributes to further case backlogs.

Every day, examiners are expected to analyze evidence submitted in a case in a timely manner, even though a typical case may contain several computer hard drives, flash drives, SD cards, and cell phones. Normally, examiners do not know where the evidence of the crime may be found and therefore they end up having to analyze all of the submitted evidence. (Indeed, many agencies require that all the evidence be analyzed, as this could lead to additional charges being filed against a subject.) This situation has only gotten worse over the past several years with the proliferation of smartphones, tablets, large-capacity HDDs, and SSDs (which create a number of forensic issues regarding their analysis; see the "Solid State Drives" columns at www.forensicmag.com/topics/digital-forensic-insider). The problem becomes further compounded when an examiner has to capture and examine evidence that may be in archival storage systems or stored somewhere in the "cloud," as oftentimes this evidence is beyond the technical capabilities of many examiners and of the forensic tools themselves.

It has now reached the point that it is no longer practical for an examiner to forensically analyze each and every piece of evidence. Depending upon the alleged crime, often the incriminating evidence can be found in an e-mail, a document, the browser history, an SMS, or some other source. This leads to the obvious conclusion that examiners are going to need a new approach to streamline their workflow. Likewise, they are going to need a new generation of more suitable forensic tools to enable them to focus on and rapidly extract the most relevant evidence.

References

  1. http://vsatglobalseriesblog.wordpress.com/2013/06/21/in-2013-the-amount-of-data-generated-worldwide-will-reach-four-zettabytes/
  2. http://www.forbes.com/sites/oracle/2013/06/21/as-big-data-explodes-are-you-ready-for-yottabytes/
  3. "Gartner Says Smartphone Sales Grew 46.5 Percent in Second Quarter of 2013 and Exceeded Feature Phone Sales for First Time." Gartner, August 14, 2013. http://www.gartner.com/newsroom/id/2573415
  4. "Tablets to Grow 53.4% This Year, Says Gartner, as the Traditional PC Declines 11.2%." TechCrunch, October 21, 2013. http://techcrunch.com/2013/10/21/tablets-vs-pcs/

John J. Barbara owns Digital Forensics Consulting, LLC, providing consulting services for companies and laboratories seeking digital forensics accreditation. An ASCLD/LAB inspector since 1993, John has conducted inspections in several forensic disciplines including Digital Evidence. jjb@digforcon.com
