The ever-increasing capacity of storage devices is becoming a formidable obstacle for the digital forensic community because of the substantial investigation time and preservation space it requires. The investigation process becomes even more complicated when fragmented or partially overwritten drives need forensic consideration. It is becoming extremely necessary to develop novel methods for the examination of storage drives involving a bulk volume of data. In this paper, the differential evolution (DE) technique is utilized with an unsupervised mean-shift clustering approach in the field of digital forensics for intelligently locating the traces of a target file in suspected storage drives or raw images. The proposed methodology leverages the drives' geometrical information in DE to obtain random sector samples, followed by fitness value and sector hash computation. The clustering algorithm evaluates the obtained intelligence and assists in estimating the regions of forensic significance in the drive, instead of considering the entire drive contents. As an outcome, a proof-of-concept Python-based command-line tool has been developed and released to support the study and further enhancement. The experiments and case studies conducted using drives of different capacities demonstrate the efficacy of the proposed method.
KEYWORDS: differential evolution, digital forensics, huge data volumes, mean shift clustering, storage drive, target file

Security Privacy. 2019;2:e71. wileyonlinelibrary.com/journal/spy2
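The sampling-and-clustering idea in the abstract can be sketched as follows; this is an added example, not the paper's released tool. The abstract does not give the DE fitness function, so uniform random sector sampling stands in for the DE step, and the 512-byte sector size, SHA-256 sector hash, bandwidth and the constructed image layout are all assumptions.

```python
import hashlib
import random

SECTOR = 512  # bytes per sector (assumed)

def sector_hashes(data):
    """SHA-256 digest of every full sector of the target file."""
    return {hashlib.sha256(data[i:i + SECTOR]).digest()
            for i in range(0, len(data) - SECTOR + 1, SECTOR)}

def sample_hits(image, target, n_samples, rng):
    """Hash randomly chosen sectors; return the LBAs that match the target."""
    lbas = rng.sample(range(len(image) // SECTOR), n_samples)
    return sorted(lba for lba in lbas
                  if hashlib.sha256(image[lba * SECTOR:(lba + 1) * SECTOR]).digest() in target)

def mean_shift_1d(points, bandwidth, iters=50):
    """Flat-kernel mean shift over sector numbers; returns the cluster centres."""
    modes = []
    for p in points:
        x = float(p)
        for _ in range(iters):
            near = [q for q in points if abs(q - x) <= bandwidth]
            shifted = sum(near) / len(near)
            if abs(shifted - x) < 1e-6:
                break
            x = shifted
        if not any(abs(x - m) <= bandwidth for m in modes):
            modes.append(x)
    return sorted(modes)

def build_constructed_image():
    """Constructed test data: 4096-sector image holding a 256-sector file
    split into two fragments at LBA 500 and LBA 3000."""
    target = b"".join(hashlib.sha256(b"tgt%d" % i).digest() * 16 for i in range(256))
    sectors = [hashlib.sha256(b"bg%d" % i).digest() * 16 for i in range(4096)]
    for i in range(128):
        sectors[500 + i] = target[i * SECTOR:(i + 1) * SECTOR]
        sectors[3000 + i] = target[(128 + i) * SECTOR:(129 + i) * SECTOR]
    return b"".join(sectors), target

def locate(seed=1, n_samples=1024, bandwidth=200):
    """Sample a quarter of the image and cluster the matching sector numbers."""
    image, target = build_constructed_image()
    hits = sample_hits(image, sector_hashes(target), n_samples, random.Random(seed))
    return hits, mean_shift_1d(hits, bandwidth)

if __name__ == "__main__":
    hits, centres = locate()
    print(len(hits), "matching sectors; estimated regions near LBA", centres)
```

The cluster centres mark the regions an examiner would image and inspect first, rather than hashing every sector of the drive.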