fastdd: an Open Source Forensic Imaging Tool

Introduction to forensic imaging and brief description of fastdd

In recent years storage devices have exceeded the terabyte limit, reaching 4 TB of capacity. The read and write bandwidth, on the other hand, has not grown by such a large factor and is currently around 150 MB/s. If we have to search for some piece of information on such a disk, or simply make a backup copy of it, the best case for the access time is 4*10^3 GB / 0.15 GB/s = 7.4 hours, using the maximum available bandwidth. So it is very important to perform even the simple task of disk imaging as efficiently as possible.
An important field relying on these considerations is forensic imaging. This discipline performs the task of making exact copies of storage devices for forensic purposes. In fact, the first step of a digital investigation is the creation of several copies of the storage device under inquiry, so that further analyses are possible without the risk of corrupting or breaking the original medium.
We need some integrity proof of the copies, for example a hash of the original disk data, so that at any time we can check the quality of the copies. On the Linux command line this can be obtained with a combination of commands such as

       dd if=/dev/input iflag=direct | tee /dev/output | sha1sum

however, in recent years several tools have been proposed to solve this task more specifically and efficiently (for example dc3dd).

Note that if we not only have to copy the data but also have to perform some operation on it, we pay the reading cost at least twice, unless the desired operation is performed during the copy itself.
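As an added example (not fastdd's own code), the pipeline above written as a POSIX shell script: the source is read exactly once, tee writes the image while the same bytes are hashed, and a separate verification step shows the second full read that a copy-then-hash approach would cost. Paths and the constructed sample "disk" are assumptions; the page's iflag=direct (GNU dd only) is omitted so the demo also runs on plain files.

```shell
#!/bin/sh
# Single-pass forensic image plus hash. Added example, not code from the
# fastdd project. Source/destination paths are assumptions.
set -eu

# image_and_hash SRC DST
# dd streams SRC once; tee writes the image to DST and forwards the same bytes
# to sha1sum, so the hash describes exactly what was read from the source.
# dd's own record counts go to DST.dd.log as part of the acquisition record.
# Prints the SHA-1 and stores it next to the image in sha1sum -c format.
image_and_hash() {
    src=$1; dst=$2
    hash=$(dd if="$src" bs=1048576 2>"$dst.dd.log" | tee "$dst" | sha1sum | cut -d' ' -f1)
    printf '%s  %s\n' "$hash" "$dst" > "$dst.sha1"
    printf '%s\n' "$hash"
}

# verify_image EXPECTED_HASH DST
# Re-reads the written copy in full (the second read the text warns about)
# and succeeds only if its SHA-1 matches the hash taken during imaging.
verify_image() {
    expected=$1; dst=$2
    actual=$(sha1sum "$dst" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Demo on a constructed 8 MiB "disk" file instead of a real /dev/input.
demo() {
    tmp=$(mktemp -d)
    head -c 8388608 /dev/urandom > "$tmp/disk.img"
    h=$(image_and_hash "$tmp/disk.img" "$tmp/disk.dd")
    if verify_image "$h" "$tmp/disk.dd"; then
        echo "image verified, sha1=$h"
    else
        echo "hash mismatch: copy is not usable as evidence" >&2
    fi
    rm -rf "$tmp"
}

demo
```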

In this work, Nicola Zago and I reviewed the problem of reliably and efficiently copying data, recalling all the hardware and software mechanisms that intervene in and interfere with the copying process. Our considerations have been coded into fastdd, a C++ program able to copy data very efficiently, as we show in our tests.
Moreover, fastdd's capabilities can be extended by writing and plugging in C++ modules that process the data during the copy. We use this feature to provide pattern-matching, compression and character-set transformation modules.


Paper abstract

Nowadays electronic devices are ubiquitous and their storage capacity has steadily grown over time. It is not surprising that acquiring a copy of the storage of such devices has become a crucial task in digital forensics, resulting in the development of fast and still reliable tools. In this work we introduce fastdd, a new disk imaging tool that achieves unmatched performance while having lower resource requirements than the currently available tools and being designed to be easily extensible. After reviewing the existing programs for disk image acquisition, we compare their functionality and performance to fastdd, demonstrating that our tool is fast and lightweight.

Paper pre-print version

Pre-print version of the paper appeared in WSDF 13.
Nicola’s slides

Source code

github repository
