Sub-Linear Drive Analysis

From Simson Garfinkel
Revision as of 00:11, 3 May 2009 by Simson (talk | contribs) (1 revision)

High Speed Media Forensics

Frequently US forces do not have the time to analyze all of the data on drives that are encountered during the course of operations other than war. For example, a person may present themselves at a border crossing with a 1TB hard drive. It takes 3-4 hours simply to read all of the data on a 1TB drive: how can you make a determination about the drive in 3-4 minutes?

We are working on technologies to solve this problem. Our initial plan consists of a multi-step process:

  1. Randomly sample a few thousand sectors on the hard drive.
  2. Classify the sectors that are read using a sector discriminator. Because this is a representative statistical sample, the statistics of the randomly chosen sectors should match those of the drive as a whole.
  3. Use the sectors to build a model of the drive and its user(s).
  4. Perform additional random sampling to verify the model that you have constructed.
  5. Present the results of the sampling and theory construction to the user in an easy-to-understand form.
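The five steps above, carried through end to end on an in-memory stand-in for a drive. This is an added example written for this page, not code from the project described here: the sector discriminator (zero check, Shannon entropy threshold of 7.0 bits per byte, printable-byte ratio) and its thresholds are illustrative assumptions, the "drive" is a constructed image whose true composition (50% blank, 30% high-entropy, 20% text) is known so the estimate can be checked, and the confidence intervals use the normal approximation to the binomial. It reads only a few thousand sectors regardless of drive size, which is what makes the analysis sub-linear.

```python
import hashlib
import math
import random
from collections import Counter

SECTOR = 512   # bytes per sector on a classic hard drive
Z95 = 1.96     # normal-approximation multiplier for a 95% confidence interval


def shannon_entropy(data: bytes) -> float:
    """Empirical entropy in bits per byte: 0.0 for a constant sector, about 7.6 for 512 random bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_sector(data: bytes) -> str:
    """Toy sector discriminator; the thresholds are illustrative assumptions, not the wiki's."""
    if not any(data):
        return "blank"             # all-zero sector: never written, or wiped
    if shannon_entropy(data) > 7.0:
        return "high-entropy"      # encrypted, compressed or random-looking data
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    if printable / len(data) > 0.95:
        return "text"
    return "other"


def build_synthetic_image(n_sectors: int, seed: int = 1) -> bytes:
    """Constructed drive image: 50% blank, 30% high-entropy, 20% text, laid out in
    contiguous runs (as on a real drive, where files and free space are clustered)."""
    n_blank = n_sectors // 2
    n_rand = n_sectors * 3 // 10
    n_text = n_sectors - n_blank - n_rand
    sentence = b"The quick brown fox jumps over the lazy dog. "
    text_sector = (sentence * (SECTOR // len(sentence) + 1))[:SECTOR]
    # SHA-256 digests stand in for encrypted data: deterministic, yet random-looking.
    rand_bytes = b"".join(hashlib.sha256(b"%d:%d" % (seed, i)).digest()
                          for i in range(16 * n_rand))
    return bytes(SECTOR) * n_blank + rand_bytes + text_sector * n_text


def sample_drive(image: bytes, n_samples: int, rng: random.Random) -> Counter:
    """Steps 1 and 2: read n_samples distinct, uniformly chosen sectors and classify each."""
    n_sectors = len(image) // SECTOR
    counts = Counter()
    for lba in rng.sample(range(n_sectors), n_samples):
        counts[classify_sector(image[lba * SECTOR:(lba + 1) * SECTOR])] += 1
    return counts


def build_model(counts, n_samples: int) -> dict:
    """Step 3: estimate each class's share of the whole drive as (point, low, high) at 95%."""
    classes = {}
    for label, c in counts.items():
        p = c / n_samples
        half = Z95 * math.sqrt(p * (1 - p) / n_samples)
        classes[label] = (p, max(0.0, p - half), min(1.0, p + half))
    return {"n": n_samples, "classes": classes}


def verify_model(model: dict, counts, n2: int) -> bool:
    """Step 4: an independent second sample must agree with the model within 3 standard
    errors of the difference of two proportions; otherwise the model is rejected."""
    n1 = model["n"]
    for label in set(model["classes"]) | set(counts):
        p1 = model["classes"].get(label, (0.0, 0.0, 0.0))[0]
        p2 = counts.get(label, 0) / n2
        se = math.sqrt(p1 * (1 - p1) / n1 + p2 * (1 - p2) / n2)
        if abs(p1 - p2) > 3 * se + 1e-12:
            return False
    return True


def summarize(model: dict, image_bytes: int, sectors_read: int) -> str:
    """Step 5: a short report an operator can take in at a glance."""
    lines = [f"read {sectors_read * SECTOR / image_bytes:.2%} of the drive ({sectors_read} sectors)"]
    for label, (p, lo, hi) in sorted(model["classes"].items(), key=lambda kv: -kv[1][0]):
        lines.append(f"  {label:13s} {p:6.1%}  (95% CI {lo:.1%} .. {hi:.1%})")
    return "\n".join(lines)


def analyze(image: bytes, n_samples: int = 2000, seed: int = 42) -> dict:
    """Run the whole five-step procedure on an in-memory image and return the outcome."""
    rng = random.Random(seed)
    model = build_model(sample_drive(image, n_samples, rng), n_samples)
    model["verified"] = verify_model(model, sample_drive(image, n_samples, rng), n_samples)
    model["report"] = summarize(model, len(image), 2 * n_samples)
    return model


if __name__ == "__main__":
    img = build_synthetic_image(20_000)       # 10 MB stand-in for the 1 TB drive
    result = analyze(img)
    print(result["report"])
    print("model verified by second sample:", result["verified"])
```

The number of sectors read is fixed by the desired confidence interval, not by the size of the drive: 2000 sectors give a half-width of about 2 percentage points for a class near 50%, whether the drive is 10 MB or 1 TB. The second, independent sample in step 4 guards against a first sample that happened to fall unluckily, and a real discriminator would carry many more classes (JPEG, video, compressed archives, database pages) than this toy one.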