Legal Technology News - E-Discovery and Compliance Blog

« Mixing International Arbitration With U.S. Discovery | Main | Discovery WorkFlow Automates ESI Processing »

April 08, 2009

Terror Bites

Apple-Time-Capsule_1 I knew this day would come, and I wasn't looking forward to it.  I encountered my first 1 terabyte drive "in the wild" this week, and the time it takes to image its contents is something of a game changer for computer forensics. 

Ordinarily, it requires a scant few hours of (mostly) machine time to create a compressed forensic image of the 80GB to 250GB drives routinely seen in desktops and laptops.   You inspect, photograph, dig out the drive, photograph some more, write protect it, do the paperwork and kick off the imaging process.  Then, it's Miller time (or, more likely, time to process the next machine). 

Before the advent of the 1TB drive, I could turn around a machine in the same day working onsite or via overnight courier.  It was ample time for a bulletproof chain-of-custody.  Sufficient time to bring a balky drive to heel or re-image to resolve some flaky sectors.  Time even for making two self-authenticating, compressed segmented image sets housed on separate physical drives.

But the drive before me--a 1TB Western Digital SATA gingerly extracted from the elegant guts of an Apple Time Capsule wireless NAS--has been imaging for more than 15 hours, and that image must yet undergo hash authentication. 

A trillion Apple bytes to reap,
But I have promises to keep,
And hours to go before I sleep,
And hours to go before I sleep.

The unsurprising thing about this 1TB drive is that when its contents are compressed as a drive image, they're not notably larger than the image of a much smaller drive.  In general, the bigger the drive, the sparser the data.  An ocean of zeros is time consuming to read, but quick and easy to compress.  Forensic imaging demands that every sector be read--even all those zeros representing unused space, and even when all those hundreds of sparse gigabytes will ultimately compress to just a few kilobytes . 

So, as 1TB and 1.5TB drives proliferate, know that a full-blown forensic preservation is going to cost incrementally more; and more costly still, users must be deprived of their machines for longer intervals.  For the computer forensic practitioner, imaging platforms in the lab will be tied up longer, and larger, costlier hard drives must be deployed to house the collected data because, though you may expect a drive's contents to substantially compress, you have to be ready with sufficient capacity if it doesn't.


TrackBack URL for this entry:

Listed below are links to weblogs that reference Terror Bites:


This brings to mind the sage advice of Ralph Losey and Tom O'Connor, among others about having some basic technology training in law school. I find that the concept of drive size as it equates to the speed at which it can be imaged is not exactly understood by many lawyers. For that matter, data size as it equates to processing time/costs isn't always factored in to deadlines either. I cant help wonder how many cases of an attorney telling a client they would have their drive back in "x" hours long before they get the drive to you and you give them a more accurate estimate you've run into. I imagine that will get worse as drives grow, with the thinking being "you imaged a drive in one afternoon before, why do I have to wait until tomorrow now?"

[disclaimer - I'm IT not Legal]
I'm not surprised at all that this terabyte drive is taking significantly longer, and it's not because of its size.

The Apple Time Capsule is a backup device, so chances are:
1. It's storing information from multiple PCs (be they Mac or Windows), so don't expect a similar amount of content to the average desktop.
2. Chances are, it's using some form of compression, so your "compressed" image, is unlikely to compress all that much.
3. As it's a "restore to a point in time" device, it's probably got multiple copies of documents/file on it, as they change over time, which introduces even more data to be imaged.
4. While I'm not particularly familiar with the Time Capsule, I'm guessing that encryption is probably an option, which further reduces the effectiveness of your image compression, and in fact, may render it useless unless you have both the encryption keys and the appropriate software (the original Time Capsule?).
5. Wild guess, but what are the odds the drive also contains music and other media (mp3, mpg, mov, etc), none of which are likely to compress.

I'm not a forensic person, but I do know that it's more than just blindly imaging hard drives. You have to understand the technology your attempting to replicate/preserve/discover.

Sounds like it's time to do some benchmarking of your forensic system, to get a better idea of how long it takes, on average, to image different sized disks, different densities of data, different levels of compressible content.

Just my 50c.

The comments to this entry are closed.

Sign Up for the E-Discovery and Compliance Newsletter

An Affiliate of the Network

From the Newswire

Sign up to receive Legal Blog Watch by email
View a Sample

Contact EDD Update

Subscribe to this blog's feed

RSS Feed: LTN Podcast

Monica Bay's Law Technology Now Podcasts are also available as an RSS feed.

Go to RSS Subscribe page

March 2013

Sun Mon Tue Wed Thu Fri Sat
          1 2
3 4 5 6 7 8 9
10 11 12 13 14 15 16
17 18 19 20 21 22 23
24 25 26 27 28 29 30

Blog Directory - Blogged