SPARTA: System for Portable Acquisition with Real-Time Analysis
The aim of this thesis is to design, develop and test a new portable system for digital forensics imaging with real-time analysis of every live file. Currently, sequentially imaging a large magnetic hard drive is infeasible, taking over 40 hours to complete before any forensic analysis can begin. Attempted approaches included performing a limited (sparse) collection and performing a distributed live analysis using a high-end server environment, neither of which would be sufficient for field use. I designed and developed the code to test the system and developed comprehensive testing scenarios. I show that magnetic disk fragmentation has a direct, mostly linear impact on the speed at which a disk can be imaged while every live file is processed simultaneously. I show that RAM has a near-exponential impact on simultaneous magnetic disk forensic imaging with all live file processing. I demonstrate that CASE/UCO has the potential to be the interoperable file format for digital forensics metadata exchange. I also demonstrate that a system for simultaneous forensic disk imaging with all live file analysis can be assembled from commercial off-the-shelf parts for less than $1000.
Dissertations and Master's Theses (Campus Access).