
An Efficient Computer Forensics Selective Imaging Model

  • Waleed Halboob
  • Khaled S. Alghathbar
  • Ramlan Mahmod
  • Nur Izura Udzir
  • Mohd. Taufik Abdullah
  • Ali Deghantanha
Part of the Lecture Notes in Electrical Engineering book series (LNEE, volume 276)

Abstract

Selective imaging is a new concept in computer forensics. It is used for collecting only the data that is relevant to the crime and helps improve the scalability of the investigation process. However, current selective imaging approaches directly image the identified data without considering their offsets on the targeted user storage. This paper investigates the impact of the relevant data offsets on the efficiency of the selective imaging process. A practical selective imaging model is presented which includes a digital evidence ordering algorithm (DEOA) for ordering the selected relevant data items. The proposed selective imaging model has been implemented and evaluated on different types of storage devices. The evaluation results show that although our proposed algorithm has a small negative impact on efficiency before the imaging process starts, it has a large positive effect on the efficiency of the selective imaging process itself.

Keywords

Computer forensics; digital evidence; selective imaging; efficiency; ordering algorithm



Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • Waleed Halboob (1, 3)
  • Khaled S. Alghathbar (1, 2)
  • Ramlan Mahmod (3)
  • Nur Izura Udzir (3)
  • Mohd. Taufik Abdullah (3)
  • Ali Deghantanha (3)

  1. Center of Excellence in Information Assurance, King Saud University, Riyadh, Saudi Arabia
  2. Departments of Information Systems, College of Computer and Information Sciences, King Saud University, Riyadh, Saudi Arabia
  3. Faculty of Computer Science and Information Technology, Universiti Putra Malaysia, Serdang, Malaysia
