When examining a massive target drive (e.g., 200 TiB) for the existence of specific content (e.g., 1 TiB), a straightforward linear scan of all files can be time-consuming and inefficient. Additionally, corrupted file systems may hinder analysis, leaving only raw byte sectors to investigate.
Small block forensics addresses these challenges by sampling blocks from the target drive, applying cryptographic hash functions, and comparing the resulting hashes to the hashes of known content. As demonstrated in Garfinkel's paper, sampling approximately 3000 4 KiB blocks from a 200 TiB drive provides a less than 1% chance of missing all relevant blocks from a 1 TiB dataset.
https://simson.net/clips/academic/2012.IEEE.SectorHashing.pdf