Content triage with similarity digests: The M57 case study

In this work we illustrate the use of similarity digests for the purposes of forensic triage. We use a case that consists of 1.5 TB of raw data, including disk images, network captures, RAM snapshots, and USB flash media. We demonstrate that by applying similarity digests in a systematic manner, the scope of examination can be narrowed down within a matter of minutes to hours. In contrast, conventional manual examination of all the data may require several days, and its effectiveness relies substantially on the experience of the investigator.