Authors: Vassil Roussev, Ph.D. (University of New Orleans) and Golden Richard III, Ph.D. (University of New Orleans)
DFRWS USA 2004
Current trends in computing and communications technologies are putting vast amounts of disk storage and abundant bandwidth in the hands of ordinary computer users. These trends will very soon completely overwhelm digital forensics investigators attempting investigations using a single workstation as a platform. The symptoms: Performing simple preprocessing operations such as indexing of keywords and image thumbnail generation against a captured image will consume vast amounts of time before an investigation can even begin. Non-indexed, “live” searches, such as those involving regular expressions, are already unbearably slow and will become completely intolerable. Even worse, it will be impossible to raise the level of sophistication of digital forensics analysis because single forensics workstations will simply not be up to the task. It is therefore inevitable that forensic investigation tools will have to employ the distributed resources of a pool of computer systems in order to make investigations manageable. In this paper, we make the case for distributed digital forensic (DDF) tools and provide several real-world examples where traditional investigative tools executing on a single workstation have clearly reached their limits, severely hampering timely processing of digital evidence. Based on our observations about the typical tasks carried out in the investigative process, we outline a set of system requirements for DDF software. Next, we propose a lightweight distributed framework designed to meet these requirements and describe an early prototype implementation of it. Finally, we present some performance comparisons of single- versus multiple-machine implementations of several typical tasks and describe some more sophisticated forensics analysis techniques, which will be enabled by a transition to DDF tools.
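The abstract's central claim is that preprocessing such as keyword indexing can be split across a pool of machines. The unit of work that makes this possible is "scan this byte range of the image for these keywords and report absolute offsets", and the detail that decides whether the distributed result equals the single-workstation result is the chunk boundary: a keyword that starts in one chunk and ends in the next must not be lost, and a hit in the region two workers both read must not be reported twice. The following is an added example, not code from the paper or its prototype; the image, the keywords, the chunk size and the function names are constructed for the demo, and `ThreadPoolExecutor` stands in for the pool of forensic workstations the paper describes (in a real deployment each chunk would be shipped to a different node and the hit list returned over the network).

```python
"""Chunked keyword indexing over a raw disk image, the work unit a
distributed forensics framework would farm out to a pool of machines.

Added illustration, not code from the paper. The image, the keywords and
the chunk size are constructed for the demo. ThreadPoolExecutor stands in
for the node pool: each chunk would be shipped to a different machine in a
real deployment, and the per-chunk result would come back over the network.
"""
from concurrent.futures import ThreadPoolExecutor


def make_chunks(total_size, chunk_size, overlap):
    """Yield (start, nominal_end, end): the chunk "owns" [start, nominal_end)
    and additionally reads `overlap` bytes past it so a keyword that starts
    inside the owned range but ends past it can still be matched."""
    start = 0
    while start < total_size:
        nominal_end = min(start + chunk_size, total_size)
        end = min(nominal_end + overlap, total_size)
        yield start, nominal_end, end
        start = nominal_end


def scan_chunk(data, base, nominal_end, keywords):
    """Worker: report (keyword, absolute_offset) for every occurrence whose
    start lies in the owned range. Hits that start in the overlap belong to
    the next chunk, so no offset is reported twice when results are merged."""
    hits = []
    for word in keywords:
        i = data.find(word)
        while i != -1:
            offset = base + i
            if offset >= nominal_end:
                break  # bytes.find returns ascending positions
            hits.append((word, offset))
            i = data.find(word, i + 1)  # step 1 so overlapping hits count
    return hits


def build_keyword_index(image, keywords, chunk_size, overlap=None, workers=4):
    """Partition the image, scan the chunks in parallel and merge the hits
    into {keyword: sorted offsets}. With the default overlap of
    max(len(keyword)) - 1 no match can be split across two chunks."""
    if overlap is None:
        overlap = max(len(w) for w in keywords) - 1
    index = {word: [] for word in keywords}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = [
            pool.submit(scan_chunk, image[start:end], start, nominal_end, keywords)
            for start, nominal_end, end in make_chunks(len(image), chunk_size, overlap)
        ]
        for fut in futures:
            for word, offset in fut.result():
                index[word].append(offset)
    for offsets in index.values():
        offsets.sort()
    return index


def sequential_index(image, keywords):
    """Single-workstation reference: scan the whole image in one pass."""
    return {word: [h for _, h in scan_chunk(image, 0, len(image), [word])]
            for word in keywords}


def build_sample_image():
    """Constructed stand-in for a captured image: 256 bytes of filler with
    keywords planted at known offsets; the one at 60 straddles the 64-byte
    chunk boundary used in main()."""
    buf = bytearray(256)
    for offset, word in {10: b"secret", 60: b"evidence",
                         200: b"secret", 248: b"evidence"}.items():
        buf[offset:offset + len(word)] = word
    return bytes(buf)


if __name__ == "__main__":
    image = build_sample_image()
    words = [b"secret", b"evidence"]
    print("sequential :", sequential_index(image, words))
    print("chunked    :", build_keyword_index(image, words, chunk_size=64))
    # Without the overlap the hit straddling offset 64 is silently lost.
    print("no overlap :", build_keyword_index(image, words, 64, overlap=0))
```

Two design points carry over to a real node pool. Chunking is by byte range rather than by file, so the coordinator never has to parse the file system before distributing work, and the partition is the same for a raw image of any format. The overlap bound of `max(len(keyword)) - 1` is exact for literal keywords; for the regular-expression "live" searches the abstract mentions, the overlap must be at least the longest match the pattern can produce, which is why unbounded patterns need either a cap on match length or a second pass over the seams.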