Making Molehills Out of Mountains: Data Reduction Using Sleuth Kit Tools

A session at 4th Annual Open Source Digital Forensics Conference & Workshops

  • Tobin Craig

Tuesday 5th November, 2013

1:40pm to 2:15pm (EST)

Historically, a computer examiner would be tasked to identify files within acquired data sets which contained keywords. Identified files were reported to the investigating agent, who would then supply additional keywords, and the process would continue. This cyclic approach is impracticable for larger acquisitions. The DOT OIG CCU routinely sees data sets in excess of 5TB per case. To meet this challenge, a means of identifying those files of potential investigative interest has been developed. The extracted data is provided to the investigator, who can review it in a forensically sound manner without the need to learn specialized review tools.

This method is best suited to investigations involving several computers across a company network, ideally in the investigation of white collar crime, although it may also be applied with examiner discretion to other case types.

In addition, the proposed solution makes use of open source forensic software, and is currently deployed by DOT CCU as part of a portable examination. The script provides the means to conduct an automated extraction of those files most likely to be of investigative interest. Extraction is conducted across all forensically acquired images, and extensive examination notes are generated automatically.
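The abstract does not publish the script or its selection criteria. The following is an added illustration, not the DOT CCU script, of the kind of data reduction it describes, built on the output of the Sleuth Kit `fls` tool: `fls -r -m / image` emits one body-file line per file system entry (`MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime`, with `(deleted)` appended to the name of unallocated entries). The example parses that listing, keeps only regular files whose extension is on an assumed list of document types and which do not sit under assumed operating-system paths, writes one `icat` command per selected file (with `-r` for deleted entries), and generates examination notes recording what was considered and what was kept. The sample body file, the extension list, the excluded path prefixes and the image name are all constructed for the example.

```python
"""Data reduction over a Sleuth Kit body file (added example; not the DOT CCU script).

Input is the mactime/body format written by `fls -r -m / image`:
    MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
`fls` leaves MD5 as 0 unless hashing is requested; unallocated entries carry
a trailing " (deleted)" on the name.
"""
import shlex
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample listing in fls -m format (not real case data).
SAMPLE_BODY = """\
0|/Windows/System32/kernel32.dll|3402-128-1|r/rrwxrwxrwx|0|0|712704|1380000000|1370000000|1370000000|1370000000
0|/Users/jdoe/Documents/contract_v3.docx|9811-128-1|r/rrwxrwxrwx|0|0|48213|1383000000|1382000000|1382000000|1381000000
0|/Users/jdoe/Documents/invoices_2013.xlsx|9812-128-1|r/rrwxrwxrwx|0|0|120001|1383000000|1382500000|1382500000|1381000000
0|/Users/jdoe/AppData/Local/Temp/~WRL0001.tmp|9900-128-1|r/rrwxrwxrwx|0|0|512|1383000000|1383000000|1383000000|1383000000
0|/Users/jdoe/Desktop/notes.txt (deleted)|9950-128-1|r/rrwxrwxrwx|0|0|2048|1383100000|1383100000|1383100000|1383000000
0|/Users/jdoe/Outlook/jdoe.pst|7001-128-1|r/rrwxrwxrwx|0|0|268435456|1383200000|1383200000|1383200000|1380000000
0|/Users/jdoe/Documents|9810-144-1|d/drwxrwxrwx|0|0|0|1383000000|1382000000|1382000000|1381000000
"""

# Assumed selection policy: user documents and mail stores are of interest,
# operating-system and application binaries are noise. Tune per case type.
INTEREST_EXT = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".pst", ".ost", ".txt"}
NOISE_PATH_PREFIXES = ("/Windows/", "/Program Files/")
DELETED_SUFFIX = " (deleted)"


@dataclass
class Entry:
    path: str
    inode: str      # full TSK meta address, e.g. "9811-128-1" on NTFS
    mode: str       # "r/..." regular file, "d/..." directory, etc.
    size: int
    mtime: int      # epoch seconds
    deleted: bool


def parse_body(text):
    """Parse fls -m output; malformed lines are skipped rather than aborting a multi-TB run."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 11:
            continue
        _md5, name, inode, mode, _uid, _gid, size, _atime, mtime, _ctime, _crtime = fields
        deleted = name.endswith(DELETED_SUFFIX)
        path = name[:-len(DELETED_SUFFIX)] if deleted else name
        entries.append(Entry(path, inode, mode, int(size), int(mtime), deleted))
    return entries


def _ext(path):
    base = path.rsplit("/", 1)[-1]
    return ("." + base.rsplit(".", 1)[-1].lower()) if "." in base else ""


def select(entries, since=0):
    """Keep regular files of interesting type outside noise paths, modified at or after `since`."""
    kept = []
    for e in entries:
        if not e.mode.startswith("r/"):          # directories, devices, etc.
            continue
        if e.path.startswith(NOISE_PATH_PREFIXES):
            continue
        if _ext(e.path) not in INTEREST_EXT:
            continue
        if e.mtime < since:
            continue
        kept.append(e)
    return kept


def extraction_plan(image, selected, outdir="extracted"):
    """One icat command per selected file; -r asks icat to recover unallocated content.
    Assumes `image` is a partition image; for a whole-disk image add `-o <sector offset>`."""
    cmds = []
    for e in selected:
        dest = f"{outdir}/{e.inode}_{e.path.rsplit('/', 1)[-1]}"
        cmds.append(f"icat -r {shlex.quote(image)} {e.inode} > {shlex.quote(dest)}")
    return cmds


def examination_notes(image, all_entries, selected):
    """Auto-generated notes: the rule applied, the population size, and each file kept."""
    stamp = lambda ts: datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
    notes = [
        f"Image: {image}",
        f"Entries listed by fls: {len(all_entries)}; selected for extraction: "
        f"{len(selected)} of {len(all_entries)}",
        f"Selection rule: regular files, extension in {sorted(INTEREST_EXT)}, "
        f"path not under {list(NOISE_PATH_PREFIXES)}",
    ]
    for e in selected:
        flag = "  [deleted; recovered with icat -r]" if e.deleted else ""
        notes.append(f"  {e.inode}  {e.size:>10} bytes  mtime {stamp(e.mtime)}  {e.path}{flag}")
    return notes


if __name__ == "__main__":
    image = "case01/ws01.dd"                      # assumed image name
    entries = parse_body(SAMPLE_BODY)
    kept = select(entries)
    print("\n".join(examination_notes(image, entries, kept)))
    print("\n".join(extraction_plan(image, kept)))
```

Across a multi-image case the same listing step runs once per acquired image and the notes are appended per image, which is what gives the investigator a single reviewable set of documents plus a record of how it was produced. Hash-set exclusion of known operating-system files (for example against NSRL) is a further reduction step a practitioner would normally add; it is left out here because the `fls` listing above carries no hashes.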

About the speaker

Tobin Craig

Next session in Track 1

2:20pm FIREBrick: Open Source Forensic Hardware Platform by Pavel Gladyshev
