Storage and exchange formats for digital evidence

Abstract: Digital evidence is becoming increasingly important in a wide variety of criminal investigations. The formats used to store and exchange evidence can have a large impact on both the trustworthiness of the evidence and the efficiency of the tools that process it. Many digital evidence formats exist today, and it is important to evaluate their suitability based on their technical capabilities. We perform a comparative evaluation of the suitability of different formats by assessing them against a set of evaluation criteria. Further, we discuss research-based storage and exchange formats that aim to improve the representation, processing, and presentation of evidence. These formats are key initiatives in developing new and more intelligent forensic analysis tools that take advantage of cloud computing and service-oriented systems.
