Digital investigators and examiners creating forensic images for DVR analysis utilize two main file formats to store bit-for-bit copies of hard drives used in their examinations.

E01 forensic image file format is the default imaging option for many computer forensics tools and has become a de-facto standard of sorts. While somewhat lesser known, the raw image file format also produces a bit for bit copy of the contents of a drive. This format is often referred to as the DD format due to the tool which originally generated such images.

There are two main differences between the two formats. First, raw image files do not contain any metadata. They are simply an exact raw copy of the original data. Secondly, E01s natively support compression which typically results in a much smaller image file size.

At face value, E01 seems to be the superior format. It offers additional metadata and space savings, so what isn’t to like? As you’ll see, for those of us examining hard drives from DVRs, using E01s may not be the best choice.

Think for a moment about a typical computer hard drive that might be subjected to computer forensics examination. Among other things, an examiner is likely to encounter two things: free space and compressible data (high quality pictures, videos, etc.).

Now consider what is typically contained on a hard drive from a DVR. First, there is usually little to no free space. The devices generally run 24/7 and overwrite themselves constantly. In addition, the data recorded is heavily compressed (with lossy technologies like H.264 and JPEG).

Lossless compression (the type used in E01, ZIP, and many other applications) does a great job of offering the ability to save space while being able to recreate the original data exactly. First, if the original data is already compressed, the space savings won’t amount to much. More importantly, the process of compressing/decompressing isn’t free – there is overhead associated with it. That loss in performance might be worth it if you are achieving 50% space savings, but if your drive is full of already-compressed data, your space savings won’t come close to that number.

Creating Forensic Images for DVR Analysis

Experiment

Let’s do a short test to illustrate the above points. We’ll use a 500 GB 7200 RPM Western Digital SATA hard drive (approximately 466 GB of actual capacity). This particular hard drive was utilized in a real-world DVR and was entirely allocated (full). The destination hard drive for imaging/searching was an empty 1TB 10000 RPM Western Digital SATA hard drive. At the time of this experiment, this was one of the fastest spinning disks on the market, so your results may vary depending on your hardware.
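The compression argument in this article can be checked before imaging by sampling the source and measuring how well it actually compresses. The following is an added example, not code from the original post: it uses zlib's DEFLATE as a stand-in lossless compressor, and the chunk size, sample count, 10% savings threshold and the constructed DVR-like and desktop-like inputs are all assumptions.

```python
import os
import time
import zlib

CHUNK = 1 << 20  # bytes per sample (assumed value)

def sample_chunks(path, samples=16, chunk=CHUNK):
    """Yield up to `samples` evenly spaced chunks from a raw image or block device."""
    with open(path, "rb") as f:
        size = f.seek(0, os.SEEK_END)
        span = max(size - chunk, 0)
        for i in range(samples):
            f.seek(span * i // max(samples - 1, 1))
            data = f.read(chunk)
            if data:
                yield data

def estimate(chunks, level=6):
    """Return (compressed/original size ratio, wall-clock seconds incl. any read time)."""
    raw = packed = 0
    start = time.perf_counter()
    for data in chunks:
        raw += len(data)
        packed += len(zlib.compress(data, level))
    elapsed = time.perf_counter() - start
    return (packed / raw if raw else 1.0), elapsed

def recommend(ratio, threshold=0.90):
    """Hypothetical rule: compression is worth its overhead only if it saves >= 10%."""
    return "compressed image" if ratio < threshold else "raw or uncompressed image"

def dvr_like(n=4):
    """Constructed input: random bytes stand in for H.264/JPEG payload on a full drive."""
    return [os.urandom(CHUNK) for _ in range(n)]

def desktop_like(n=4):
    """Constructed input: zeroed free space alternating with repetitive text."""
    line = b"Quarterly report draft, revision 7.\n"
    text = line * (CHUNK // len(line))
    return [bytes(CHUNK) if i % 2 else text for i in range(n)]

if __name__ == "__main__":
    for name, chunks in (("DVR-like", dvr_like()), ("desktop-like", desktop_like())):
        ratio, secs = estimate(chunks)
        print(f"{name}: ratio={ratio:.3f} time={secs:.3f}s -> {recommend(ratio)}")
```

To run it against real evidence, pass `sample_chunks()` the path of a raw image or a write-blocked device and feed the result to `estimate()`.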