November 10, 2008, 1:37 PM — Disk deduplication (dedupe) and thin provisioning within the virtualization space is a forensically untried technology. It does not mean that dedupe and thin provisioning is not forensically sound, it is just that there have been no court cases around the use of the technology.
Dedupe works by looking for identical blocks of data across all files on a disk. The blocks are hashed and then the hash is used to redirect access to that block of data to the appropriate location on the disk. This will allow compression of disk data and is incredibly useful for virtualization. Once the data is changed however a copy on write is used to make a duplicate of the block before the block of data is changed. Thereby breaking the link for that block of data.
Disk dedupe should be forensically sounds as long as the hash algorithm used for the amount of data within the block (usually 4K) is forensically sound. This implies that the file allocation table should not be part of the dedupe as it will constantly change as the meta data about disk files is modified yet blocks of data for each file could end up being just a hash.
The other issue with dedupe is the forensic duplication of disk devices. Forensic duplication requires bit by bit copies of the data from one disk to another. If the forensic workstation does not understand dedupe then it may have trouble understanding the data. If the data is manipulated by undoing the dedupe for a forensic duplication, this duplication is changing the bits on the fly and the copy would no longer be forensically sound.
Forensics needs to catch up with the technology and understand and work with these new concepts.