This paper presents a new approach to digital forensic evidence acquisition and disk imaging called “sifting collectors,” that images only those regions of a disk with expected forensic value.
Sifting collectors produce a sector-by-sector, bit-identical AFF v3 image of selected disk regions that can be mounted and is fully compatible with existing forensic tools and methods. In the authors’ test cases, they have achieved an acceleration of >3× while collecting >95% of the evidence, and in some cases, they have observed acceleration of up to 13×. Sifting collectors challenge many conventional notions about forensic acquisition and may help tame the volume challenge by enabling examiners to rapidly acquire and easily store large disks without sacrificing the many benefits of imaging. (Published abstract provided)