Effectiveness of file-based deduplication in digital forensics

摘要

Over the last decades, the increasing amount of storage became a pressing problem for forensic investigators. This is caused by the computerization of everyday life and the associated increasing number of different devices in typical households. Considering multi-terabyte storage on the suspects' side, even more storage requirements emerge on the side of the investigator for secure backup and working copies. In this paper, we improve the standardized forensic process by proposing to rigorously use file deduplication across devices as well as file whitelisting in investigations in order to reduce the amount of data that needs to be stored for analysis as early as during data acquisition. These improvements happen in an automatic fashion and are completely transparent to the forensic investigator. They may furthermore be added without negative effects to the chain of custody or artifact validity in court and are evaluated in a realistic use case. Additionally, we illustrate the effectivity of our proposed approach on a real-world corpus by showing a notable reduction in number of reduced files as well as storage. Copyright (c) 2016 John Wiley & Sons, Ltd.