Challenges with Big (Data) Storage During Forensic Investigations

Big Data

By Detective Michael Yu, Electronic Crimes Unit Montgomery County Police Department

I have been a digital forensic examiner for several years and have found this work to be very rewarding, yet challenging. The constant innovations in this field present unique issues for us as practitioners. Rather than focus on theoretical issues, below I discuss the issue of challenges with big data storage.

Just a few years ago, it was common for most computers to contain a small 120GB to 500GB hard drive. However, it is now common for many computers to contain a 1TB or larger hard drive. Many households also have hard drives in their desktop computers or external storage drives of 2TB or even 3TB. Where cost was once a factor in limiting the usage of such large storage devices, they have now become fairly inexpensive. A recent check of common internet retailers showed 3 TB hard drives selling for a little over $100 US. Additionally, Western Digital recently unveiled the world’s first 10TB hard drive.

Forensic examiners are all taught to make a forensic image or copy of a suspect’s hard drive to a secure storage device. This means the examiner needs a mechanism to store the relevant data on another hard drive, possibly one as large as the original hard drive. It is common on a search warrant of a home for one suspect to have multiple hard drives. Moreover, for certain crimes such as child pornography where the suspect has a need for large data storage, it is not unusual to see ten hard drives or more. If each is 3 TB, that is now 30TB of data where there is potential evidence!

Proper training and use of triage tools by front line investigators onsite, to determine which items are the most likely to contain data of evidentiary value is critical. No longer can investigators simply do a quick search warrant, seize everything in sight and dump them on their forensic examiners. These examiners are often already overloaded with large backlogs of evidence. Additionally, labs need to have secure, dedicated servers with large storage solutions and large data bandwidth throughput. A large storage array on a single forensic machine forces each case to only be worked by one examiner at that particular machine. This limits resources and efficiency. Examiners and investigators need to also collaborate to fine tune searches as there is no way to view every bit and byte of data on a case.

IACP Conference