As our society becomes increasingly digitalized, there is an ever-increasing need for forensic tools to become faster and faster. This paper was made to help the Police and other digital forensic investigators choose the fastest disk imaging tool while still maintaining the integrity of the imaged disk. To answer this, an experiment including 162 disk imaging tests was done, with an active imaging and verification time of over 160 hours. The results were analyzed with the help of a scoring system and statistical significance tests. The paper also aimed to show if there is any difference when making images of disks that are filled to 100% compared to disks filled to 50%, and which of the disk imaging tools that handles it best. The results of the experiment showed that Guymager was the fastest disk imaging tool among the tested alternatives. It also illustrated that the speed was affected by the disks being filled to 50% as opposed to 100%. Guymager showed the best performance improvement using the EWF_E01 format, and OSForensics showed the biggest improvement when imaging using the DD format.
| Identifer | oai:union.ndltd.org:UPSALLA1/oai:DiVA.org:hh-47045 |
| Date | January 2022 |
| Creators | Stewart, Dawid, Arvidsson, Alex |
| Publisher | Högskolan i Halmstad, Akademin för informationsteknologi |
| Source Sets | DiVA Archive at Upsalla University |
| Language | English |
| Detected Language | English |
| Type | Student thesis, info:eu-repo/semantics/bachelorThesis, text |
| Format | application/pdf |
| Rights | info:eu-repo/semantics/openAccess |
Page generated in 0.0041 seconds