The selective imaging and distributed analysis concepts have been introduced in the literature to reduce the costs (resources and time) of digital evidence collection and analysis. Using the selective imaging concept, the investigator first has to select the relevant data items, and then the selected data items are imaged according to their selection order, not according to their offsets (physical position or address on the storage). The output of the selective imaging process is a partial forensic image. In the paper, we proposed an efficient selective imaging process that first orders the selected data items based on their offsets. Based on the selected data size and available time, the ...
This means that the analysis will need one day more.
To address this issue, the selective imaging and distributed analysis concepts are proposed. The idea behind the selective imaging concept is to collect only pre-identified relevant data. A pre-imaging analysis is first used to identify the data items that seem to be relevant to the crime. In addition, distributing the computer forensic analysis task among different machines and several investigators is highly required today [Roussev and Richard, 2005] in order to produce evidence in an acceptable time.
In this research paper, a computer forensics investigation process with efficient imaging and scalable analysis is proposed. The imaging process is based on the selective imaging concept. The selected data items are first ordered according to their offsets. The AFF4 forensic image format is used as the evidence container. Based on the size of the user data and the investigation time, the user data is imaged to one or more AFF4 image files. Each file will then be analyzed on a separate machine by a responsible investigator.
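The planning step described above, as an added example (not the authors' implementation): selected items are sorted by offset and then packed into one or more image files. The `Item` fields, the `per_image_budget` rule standing in for the size and time criterion, the simple seek-distance model, and the sample data are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Item:
    name: str
    offset: int   # byte offset of the item on the source device
    length: int   # size of the item in bytes

def seek_distance(items):
    """Total distance (bytes) the read position travels for the given read order."""
    pos, total = 0, 0
    for it in items:
        total += abs(it.offset - pos)
        pos = it.offset + it.length
    return total

def plan_images(selected, per_image_budget):
    """Sort selected items by offset, then fill image files up to a byte budget.

    per_image_budget is an assumed stand-in for "what one investigator can
    analyze in the available time". An item larger than the budget still
    gets an image file of its own rather than being dropped.
    """
    if per_image_budget <= 0:
        raise ValueError("per_image_budget must be positive")
    images, current, used = [], [], 0
    for it in sorted(selected, key=lambda i: i.offset):
        if current and used + it.length > per_image_budget:
            images.append(current)        # close the current image file
            current, used = [], 0
        current.append(it)
        used += it.length
    if current:
        images.append(current)
    return images

# Constructed sample, listed in the order the investigator selected the items.
SELECTED = [
    Item("mail.pst", 9_000_000, 400_000),
    Item("history.db", 1_000_000, 50_000),
    Item("report.docx", 5_000_000, 100_000),
    Item("chat.log", 2_000_000, 300_000),
]

if __name__ == "__main__":
    by_offset = sorted(SELECTED, key=lambda i: i.offset)
    print("selection order seek:", seek_distance(SELECTED))
    print("offset order seek:   ", seek_distance(by_offset))
    for n, img in enumerate(plan_images(SELECTED, 500_000), 1):
        print(f"image {n}:", [it.name for it in img])
```
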
The structure of this paper is as follows. Section 2 presents a brief review of the literature on selective imaging in computer forensics. Section 3 presents the proposed selective imaging model and its implementation. Section 4 presents the discussion and critical evaluation of the proposed model. Finally, Section 5 concludes the paper with future directions to enhance the proposed work.
2. Related Works
Researchers have tried to address the issue of increasing user storage and data size, first by reducing the required amount of storage space by applying what is called block-based compression [Kloet et al., 2008; Garfinkel et al., 2006] to the data stream. Another solution is hash-based disk imaging [Cohen and Schatz, 2010], in which the amount of collected data is reduced using data de-duplication and reduction technologies.
Recent research works consider this issue by separating the digital evidence collection or imaging step from digital evidence analysis. In the former step, the selective imaging concept [Turner, 2005a; Turner, 2005b; Richard and Roussev, 2006; Turner, 2006; Turner, 2007] is used to image or collect only the data relevant to a crime, instead of making a physical bit-by-bit image of the whole user storage device. Researchers working on the selective imaging concept have proposed several methods, such as risk sensitive digital evidence collection [Kenneally and Brown, 2005] and digital evidence bags [Turner, 2005a; Turner, 2005b; Richard and Roussev, 2006; Turner, 2006; Turner, 2007]. In [Johannes Stüttgen, 2011; Stüttgen et al., 2013], the first implemented selective imaging model is proposed. This model enables the investigator to use the selective imaging concept in a forensically sound manner.
According to Turner, these items can be identified through manual, semi-automatic and fully automatic selections. Using the manual selection method, an...