earticle

영어

In digital forensics, searching for specific patterns in binary data is a crucial task almost always performed following data acquisition. As the volume of digital data surges and the capacity of storage media expands, there is an increasing demand for search techniques that ensure accuracy, completeness, and speed. In this paper, we explore methods to enhance search efficiency through multi-threading and memory-mapped files, while also improving the completeness of searches in corrupted data by adjusting the search resumption position after a match is found. By employing multi-threading, the parallel utilization of multiple processor cores increases the computational speed. Additionally, while some threads occupy the processor, others can access the storage medium, reducing idle times for the storage medium, and thereby maximizing the utility of the storage medium's read speed. Memory-mapped files enable direct access to the operating system’s memory region associated with the storage medium, minimizing the caching and copying stages. This reduces computational overhead and memory load compared to standard file input/output operations. In 64-bit systems, memory-mapped files allow access to files larger than physical memory as a contiguous virtual memory space of up to 2⁶⁴ bytes (16,777,216 terabytes), enabling memory-based implementations of search algorithms to be applied to large files without modification. Experimental results show that the proposed approach significantly enhances both the speed and accuracy of searches in large files, outperforming a method that relies on single-threading and standard file input/output.