Over the last ten years there has been rapid growth in the digital forensics field. Forensically sound computer analysis and testimony is becoming a requirement during investigations related to frauds, missing persons, homicides etc. One of the phases of the digital forensic process is data preservation, where a copy of data from an original electronic storage device is collected in a verifiable manner, producing a forensic copy of the data. A best practice for digital forensics is to capture a bit for bit or physical copy of the source device. However, the sizes of hard drive volumes have been increasing exponentially and in 2011, volume sizes for a single hard drive have reached the three terabyte threshold. The increase in volume size equates to an increase in processing time to collect the data and an increase in media capacity to store the acquired data.

The purpose of this research is to explore new tools and methods that will allow an examiner to collect data from a source device in a time-efficient manner. Prior research has been conducted by the author, who concluded that data collection processing times can be reduced by the use of compression algorithms during data collection activities. However, the amount of time reduction depends on the type of data that is resident on the storage device. A reduction in processing time is observed when collecting highly compressible data. Conversely, an increase in processing time can occur when attempting to compress data that does not compress well, during a collection process.

The focus of the research was to develop a means that would be able to determine and report the type of data residing on a storage device. A fast and easy to use scanning tool is developed during the research. The scanning tool is capable of processing a storage device in four minutes and provides a report that accurately details the type of stored data in terms of its compressibility. The information in the report regarding the data’s compressibility can assist the examiner when making decisions concerning the use of compression to reduce processing time during data collection activities.