Lessons Learned Writing High-Performance Multi-Threaded Digital Forensic Tools for Analyzing Hard Drives and Network Intercepts

Simson Garfinkel


Writing digital forensics (DF) tools is difficult because of the diversity of data types that need to be processed, the need for high performance, the skill set of most users, and the requirement that the software run without crashing. Developing this software is dramatically easier when one possesses a few thousand disks of other people’s data for testing purposes. This talk presents the internal design of two high-performance computer forensics tools --- bulk_extractor and tcpflow --- discussing the algorithmic and C++ coding techniques that were employed.

Come see how we peg at 64 cores on our test machine!

(Loosely based on my 2012 DFRWS paper, http://simson.net/clips/academic/2012.DFRWS.DIIN382.pdf)

Time and Place

Monday, June 17, 2013, 4:15pm
Gates 463A