Benefits of combining forensic image creation and file carving

Typical tasks in a forensic investigation are data acquisition, checksum calculation, file recovery, or content identification. These tasks can be performed mostly without user interaction but are still time-consuming, especially when a large amount of data has to be processed. Individual tasks (or sub-tasks they have in common) often do not perform efficiently and the corresponding implementations could be improved. In this paper we present stream carving, an approach to speed up tasks that are typically performed in a forensic investigation. By identifying and combining similar or identical subtasks and parallelizing most data processing, we are able to decrease the overall processing time significantly. We implemented a stream carving tool that is able to copy, recover, and identify known visual content. The general idea behind stream carving can help developing forensic multi-purpose tools that run several tasks very efficiently.