Characteristics of Forensic Imaging Performance--An Analysis of Forensic Imaging Bottlenecks

Disk imaging involves copying all of the data from a source disk drive to a target. Typically, the target for the copy is another disk drive. Forensic processes developed years ago do not appear to be adequate for current storage technology. For example, with disk drive capacities now exceeding 1 Terabyte, a typical disk imaging can take over 8 hours at typical rates. With disk drive capacities increasing, forensic copying is expected to take even longer. Along with increase in disk capacity, the industry has also seen an increase in data transfer rates. In many cases, forensic imaging is taking longer than necessary. To identify the bottlenecks, an examination of different methods used to transfer data from a source disk was performed. Factors considered were differing disk access technologies. One finding is that the USB disk access technology version 2.0 and earlier is a significant bottleneck for data transfer rates, especially when the USB device is a write-blocker. Other factors that contribute to the efficiency of a forensic copy are the file system used to write a forensic image and the data transfer size used when reading from a disk drive. Optimal parameters for performing a forensic acquisition from a disk drive are identified.