The storage size of the average hard drive is increasing rapidly. Five years ago, 100 GBP would have bought a drive with a capacity of 100 gigabytes (GB), but today, the same money would buy a drive with a one terabyte (TB) capacity – over 10 times the storage space. In cases where a person is suspected of committing a crime involving a computer, this growth in storage capacity has correspondingly increased the time computer forensic analysts need to examine the hard drive for evidence.
When a computer arrives at a computer forensics laboratory, the first step is to ‘forensically image’ the drive, which involves creating an exact copy. The time it takes to generate a forensic image depends largely on the physical connection between the suspect drive and the working drive. With a ‘FireWire’ connection, an analyst might expect an imaging time of approximately 1GB per minute, but if the drive is connected using specialist hardware, imaging might run at an average of 4GB per minute. This means that a 1TB drive would take around 5 to 18 hours to image.
Once a forensic image has been created, analysts must carry out a process of ‘verification’ to ensure that the drive and its copy match exactly. If they do not, the forensic imaging process must begin again. Verification takes a similar amount of time to imaging, so even if a 1TB drive was successfully imaged on the first attempt, it would still take analysts 10 to 36 hours to complete the imaging and verification stages. If a drive contains corrupted sectors or is otherwise in a poor state of repair, this may slow imaging further still.
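The imaging and verification steps above, as an added illustration that is not part of the original article: a sector-by-sector copy that zero-fills unreadable sectors (the usual imager behaviour for a damaged drive) while hashing what it writes, followed by a verification pass that re-reads the image and checks it against the acquisition hash. The `FlakyDisk` class, the 512-byte sector size and the eight-sector sample drive are all constructed for this example.

```python
import hashlib
import io

SECTOR = 512  # assumed sector size for this constructed example


class FlakyDisk:
    """Constructed stand-in for a damaged drive: any sector listed in
    bad_sectors raises an I/O error when read, like a failing platter."""

    def __init__(self, data, bad_sectors):
        self.buf = io.BytesIO(data)
        self.bad = set(bad_sectors)

    def sector_count(self):
        return (len(self.buf.getvalue()) + SECTOR - 1) // SECTOR

    def read_sector(self, n):
        if n in self.bad:
            raise OSError(f"read error at sector {n}")
        self.buf.seek(n * SECTOR)
        return self.buf.read(SECTOR)


def image_drive(disk, out):
    """Copy every sector into `out`. Unreadable sectors are written as
    zeros so the image keeps its alignment; their indices are recorded.
    Returns (sha256 of the bytes written, list of bad sector numbers)."""
    h = hashlib.sha256()
    bad = []
    for n in range(disk.sector_count()):
        try:
            chunk = disk.read_sector(n)
        except OSError:
            chunk = b"\x00" * SECTOR
            bad.append(n)
        out.write(chunk)
        h.update(chunk)
    return h.hexdigest(), bad


def verify_image(out, acquisition_hash):
    """Re-read the whole image from the start and compare its hash with
    the one computed during acquisition; a mismatch means re-imaging."""
    out.seek(0)
    h = hashlib.sha256()
    for chunk in iter(lambda: out.read(SECTOR), b""):
        h.update(chunk)
    return h.hexdigest() == acquisition_hash


def demo():
    # Constructed eight-sector "drive"; sectors 2 and 5 are unreadable.
    data = b"".join(bytes([i]) * SECTOR for i in range(1, 9))
    disk = FlakyDisk(data, bad_sectors=[2, 5])
    image = io.BytesIO()
    acq_hash, bad = image_drive(disk, image)
    return acq_hash, bad, verify_image(image, acq_hash), image.getvalue()
```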
After verification, the ‘pre-analysis’ stage involves organising the data, which includes locating and mapping deleted partitions, files, folders and email archives, and analysing unmapped data for markers that indicate what it contains. The nature of the case then determines what further steps are performed. For example, in cases involving indecent images of children, the analysts will aim to locate all images, movies, internet browsing histories and chat logs for review.
Once the pre-analysis stage is complete, every file must be analysed. To put this in perspective, 1TB of information is roughly equivalent to 400 million pages of written information – enough to fill 12,800 standard four-drawer filing cabinets. But while text files can be scanned for key words, movie files must be viewed in their entirety, as it is not unheard of for a movie file to start and end innocently, but contain short bursts of indecent images halfway through. On a 1TB drive filled with movies, this could take over 2,000 man hours.
It seems that as hard drive capacities increase, it will become increasingly difficult for computer forensic analysts to produce findings as quickly as may be required. In urgent cases where an image is needed overnight, it may even be impossible. However, as storage technology develops apace, so too does the technology behind computer forensics, and while large drives may present a problem to analysts periodically, it is unlikely that sheer storage size will ever cause delays significant enough to allow a criminal to walk free.