Video Transcription

00:00
This is computer forensics file formats. Why you should be using a F F four.
00:06
All right, so problems with standard for forensic file formats that we use nowadays. It's the same problem. The speed and the speed and the speed of the current forensic file Formats are slow when it comes to to collecting data.
00:23
You're in the business of collecting data forensic acquisitions, whether it's for, you know, computer forensics, or it's any discovery situation or in a just instant response. Speed is everything. That's that's what we care about, you know, is it that we do this as quickly as we possibly can and, you know, isn't a verifiable manner possible.
00:42
Um,
00:44
so some of the problems are is the compression format on the most commonly used form at which is the easier? One format, you know, calmly called in case format for forensic images is that he uses that deflate algorithm, which is very slow, your typical easier one creating compressed image tool
01:02
is getting somewhere between 70 and 100 megabits of data
01:07
per second.
01:08
That's not great. That's over a long enough time on it. That's going to really slow you up on dhe then this. The same thing goes when When you're doing a hash, validate a verification. Those images also Sorry. Slow because its CPU bottlenecked. And so you're getting somewhere between 130
01:26
in a 300 made per second
01:30
of hash verification. So, you know, over time line, that's it. It's a long, slow process for Yuri. 01 images. Then if you're using raw or D D images, So you're using some open source tools or your or things like this at the store in a raw format,
01:44
you've got no compression at all in those. So you're gonna have these really huge forensic image files are gonna be every bit as big as the disk that you started with Andi. Of course, those are going to require a lot more time thio hash and copy around because they're they're gigantic.
01:59
So, in mostly scenarios we have here in the real world situations and we do thousands a year, um,
02:06
you know, you're gonna take four hours to acquire and verify a 500 gig image, you know? Ah, nonstandard hardware. Everybody has. I know there's always edge cases. Well, I have this, you know, fancy flash ray of whatever. Okay? Yeah, you have one and nobody else does.
02:23
But for everybody else, it's collecting two real discs using real hardware and things like this
02:28
in your standard easier one or raw D D images type thing. You're really looking like that about about four hours to collect a 500 gig disc, which means if I'm collecting a terabyte aura to tear, abide or you know something is a large external disk. I mean, we could be talking about, You know,
02:45
I'll come back tomorrow to get this image type thing,
02:49
you know, so speeds a problem on Gwen. This is your business. Speed is everything.
02:55
So advantages of a F F four. It's fast. Technically, it's it's capable of doing gigabytes,
03:04
uh, per per second of collection. You know, it's multi corps capable. It's a more up to date format built on, you know, years with the work in the space,
03:15
um, Rhea world. We acquire and verify regularly at about 500 gig of data per hour. So a significant advantage over what we're doing with the easier one or Dede based tools and things like this.
03:30
Um, in some instances, you know, on uh,
03:32
flash based memory and and things like this or very fast. Envy me drives things like this. We get almost a terabyte an hour of of collection and the verification. I mean, sometimes we've we've actually collected disk so fast that we thought there was something wrong.
03:50
But it turns out it's just, you know, incredibly fast storage media. And we were able thio
03:53
collecting and validated a lot faster than what we're expecting on, um, on some of the most recent very thin, you know, Mac book pro laptops and and, uh, other high end, you know, Lenovo's and things like this.
04:10
We've collected 250 gig discs in, you know, in the West. It just I'm talking about, you know, envy me and
04:15
SST drives things like this in his little as, you know, 15 20 minutes. I mean, just some amazing speeds come off those,
04:23
um, the f f four file itself. The container file is a zip 64 based container file, which is really cool on another may not mean not tease. Why is it going? Does it follow? It's not true, is it? File? But it is, um
04:38
it also uses Ah, snappy compression, which is much faster than the deflate compression
04:44
Ah, that's used by your standard in case image type things. You see ah, much faster compress and decompress with it. It also doesn't better compression, so you end up a lot smaller files.
04:55
So you know you have compressed block has information of your system information, your disk information, your acquisition information. All of that gets put into that,
05:02
you know, Zip 64 base container file, and it's all compressed. You know, with this the snappy compression algorithm that's just significantly faster,
05:12
Um, then what you can get from the older formats. Huge advantage.
05:17
Other advantages. Current tools for creating 1/2 of four images allow, I said, for bit stream images that are made really fast.
05:29
We love that we can, also to things like allocated only allocated storage on Lee so I can create a forensic image of a distant says Okay, I'm only interested in the space where there's actually dated, because maybe I have a situation where you know, carving unused or unallocated space just
05:48
just isn't gonna be important.
05:49
That's a huge advantage. If I'm in that situation and say there's terabyte discs and all these these workstations or something like that?
05:59
Well, in most cases, a big chunk of that. It's just empty space, you know, actually, space it's probably never even been written to ever It's all zeros.
06:08
So if I could avoid collecting that space, I'm gonna have much smaller images by just collecting the allocated space
06:14
and, ah, and it's gonna happen. It'll much faster time. We also do things like perform file type, specific collection. So to say, it's on some sort of e discovery matter. And frequently discovery matters air about, you know, the email in the word documents in the pediatrics and and things like this. You know, you know,
06:31
you're not doing in depth forensic investigations. You're just
06:34
I can take getting all the data around a particular topic in a time frame.
06:39
Um, so the current set of tools for doing this allow us to perform these file type specific collections.
06:46
Um, and and they're all based off Ah yeah, mo configuration file. Yeah, mo being yet another mark up language real. Simply read and edit configuration file so I can have a configuration, Father says. Well, these are the only types of documents that I need. Go ahead and just run through the disk real quick and grab those for me.
07:03
Um, lots of cases where that's that's really super useful on Dhe. Just again. Then lightning fast performance on something like that. And then, you know, the great part is everything is stored in the same
07:16
FF four container, no matter how you did the collection. So I did a full bit stream collection. I've got an F four container. If I've got allocated, only it's in the same container file. And, you know, even if I did only file types, you know it's still in the same container. Fonda dealing with different file formats based on how I collected all great things.

Up Next

Computer Forensics File Formats: Why you Should be Using AFF4

If you’re not using AFF4 (Advanced Forensics File Format v4) then your forensics process is stuck in the past. In this course we’ll be discussing the performance problems associated with the Expert Witness Format (E01/EX01) and raw or DD forensic images.

Instructed By

Instructor Profile Image
Brian Dykstra
CEO and President of Atlanta Data Forensics
Instructor