Rob Meijer

Abstract

While the growing use of triage in the computer forensic process has mitigated the growth of the amount of data reaching computer forensic labs, and while SSD technology results in largely CPU-constrained forensic data processing for small investigations, for medium to large investigations the use of traditional hard disks remains dominant and, combined with advances in CPU processing power, has shifted bottlenecks from being largely CPU-based to being increasingly IO-based. The pervasive use of secure hashing in the lab-side forensic process combines the CPU-bound aspects that matter in small-scale investigations run on SSD technology with the IO-bound aspects that matter in medium to large investigations run on traditional hard disks. Further, anti-forensics is a growing concern in (semi-)automated forensic processing. MattockFS aims to provide a local message bus and data archive building block for use in (semi-)automated lab-side digital forensic media-data processing: a building block that addresses the IO concerns that come with message-bus-based asynchronous processing, hashing-related performance concerns, and anti-forensics-related integrity concerns. The presented building block will be illustrated with both a native and a Python-based walkthrough, which attendees will be able to follow hands-on using MattockFS on their laptops. The intended audience is digital forensic practitioners and researchers. Some investigative experience and a working knowledge of Linux and Python are required. Familiarity with semi-automated lab-side processing and with asynchronous data processing models would be an advantage, although not strictly required. https://github.com/pibara/MattockFS