
Logical evidence file size reduction


xandstorm
Member
 


Posted: Apr 17, 19 18:30

Hi all,

I have a 3TB network disk that the suspect tampered with and deleted files from prior to the device being seized for examination.
Conducted a file carve operation on the disk and subsequently applied some regex search patterns to it.

Nothing complicated so far.

However, upon exporting the search results to a logical evidence file, the size of the LEF export exceeds 300TB.
This is an unworkable amount of data and just exporting it will require weeks if not longer to complete.

Challenge here is that the majority of all search pattern hits are related to the unallocated disk space of the disk.
The LEF export process copies big chunks of the same part of the unallocated disk space with it, leading to the 300TB+ in LEF size.

I was wondering if it would be possible to just have that same chunk of unallocated disk space exported just once instead of re-copying / re-exporting the same chunk over and over again.

Is there anyone on this list that has a solution for this LEF size problem in particular or the reduction of LEF size in general?

Thanks!

Rg,
Lex  
 
