Standardizing digital evidence storage
By The Common Digital Evidence Storage Format Working Group

Investigators have an increasing need to share digital evidence between different organizations and analysis tools. But today’s investigators are hindered by a variety of independently developed and incompatible formats used to store digital evidence. Problems arise when dealing with different disk image formats, and the difficulties are exacerbated when dealing with diverse kinds of evidence, such as network logs and the contents of mobile devices. Without standards that are both open and technically sound, the risk is that evidence may be lost, cases may be compromised, and innocent people may be improperly convicted—or guilty parties set free.

Forensic copies of storage media provide an illustrative example of weak standardization. The current de facto standard for storing information copied from a disk drive or memory stick under investigation is the so-called “raw” format: a sector-by-sector copy of the data on the device into a file. However, the raw format does not store metadata that can be vital to an investigation, such as the drive’s serial number, the date and place that the drive was imaged, and a digital signature or cryptographic checksum to verify the data’s integrity. Nor is the raw format error tolerant—if a portion of the evidence file becomes corrupt, we cannot isolate the damage and still use the intact remainder. The raw format cannot even distinguish between sectors that are blank and those that are inaccessible because of hardware error.

From a practical viewpoint, the biggest problem with raw files is their size. Raw files are not compressed. A raw file from a 200GB hard drive, for example, requires 200GB to store, even if the drive only held 100MB of actual files.

Proprietary formats that address some of
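As an added illustration of the four gaps the raw format leaves (metadata, integrity, error isolation, compression), the following Python sketch is a hypothetical evidence container written for this page; it is not code from the working group and not any real evidence format. It stores acquisition metadata alongside the data, keeps a SHA-256 per chunk so that damage to one chunk leaves the others verifiable and readable, records which sectors the hardware could not read so they are not mistaken for blank ones, and zlib-compresses each chunk. The device serial, date and place values, and the 16-sector sample image, are constructed for the example.

```python
import hashlib
import json
import struct
import zlib

# Constructed example format for this page, not any real evidence standard.
MAGIC = b"EXAMPLE-EVIDENCE-CONTAINER\x00"
SECTOR_SIZE = 512
CHUNK_SIZE = 4096  # 8 sectors per chunk; each chunk is hashed independently


def build_container(sectors, metadata):
    """Pack a list of sectors into a container and return it as bytes.

    sectors:  list of bytes objects of SECTOR_SIZE, or None where the hardware
              reported a read error (kept distinct from an all-zero sector).
    metadata: dict of acquisition details a raw image cannot carry
              (device serial, imaging date and place, ...).
    """
    bad_sectors = [i for i, s in enumerate(sectors) if s is None]
    raw = b"".join(s if s is not None else b"\x00" * SECTOR_SIZE for s in sectors)
    chunks, payload, offset = [], bytearray(), 0
    for start in range(0, len(raw), CHUNK_SIZE):
        plain = raw[start:start + CHUNK_SIZE]
        packed = zlib.compress(plain, 9)
        chunks.append({"offset": offset, "length": len(packed),
                       "sha256": hashlib.sha256(plain).hexdigest()})
        payload += packed
        offset += len(packed)
    header = {"metadata": metadata, "sector_size": SECTOR_SIZE,
              "chunk_size": CHUNK_SIZE, "sector_count": len(sectors),
              "bad_sectors": bad_sectors, "chunks": chunks}
    header_bytes = json.dumps(header, sort_keys=True).encode()
    # Layout: MAGIC | header length | JSON header | SHA-256 of header | chunk payloads
    return (MAGIC + struct.pack(">I", len(header_bytes)) + header_bytes
            + hashlib.sha256(header_bytes).digest() + bytes(payload))


def parse_header(container):
    """Return (header dict, byte offset of the first chunk payload)."""
    if not container.startswith(MAGIC):
        raise ValueError("not an evidence container")
    pos = len(MAGIC)
    (hlen,) = struct.unpack(">I", container[pos:pos + 4])
    pos += 4
    header_bytes = container[pos:pos + hlen]
    pos += hlen
    if hashlib.sha256(header_bytes).digest() != container[pos:pos + 32]:
        raise ValueError("header integrity check failed")
    return json.loads(header_bytes), pos + 32


def read_chunk(container, index):
    """Decompress chunk `index`; raise ValueError if it is damaged."""
    header, base = parse_header(container)
    entry = header["chunks"][index]
    packed = container[base + entry["offset"]:base + entry["offset"] + entry["length"]]
    try:
        plain = zlib.decompress(packed)
    except zlib.error as exc:
        raise ValueError(f"chunk {index} is undecodable: {exc}")
    if hashlib.sha256(plain).hexdigest() != entry["sha256"]:
        raise ValueError(f"chunk {index} failed its integrity check")
    return plain


def verify(container):
    """Per-chunk integrity results: damage in one chunk leaves the rest usable."""
    header, _ = parse_header(container)
    results = []
    for i in range(len(header["chunks"])):
        try:
            read_chunk(container, i)
            results.append(True)
        except ValueError:
            results.append(False)
    return results


def read_sector(container, n):
    """Return sector n, or None if the acquisition could not read it."""
    header, _ = parse_header(container)
    if n in header["bad_sectors"]:
        return None
    per_chunk = header["chunk_size"] // header["sector_size"]
    chunk = read_chunk(container, n // per_chunk)
    start = (n % per_chunk) * header["sector_size"]
    return chunk[start:start + header["sector_size"]]


# Constructed sample image: 16 sectors, mostly empty, one unreadable.
SAMPLE_SECTORS = [b"\x00" * SECTOR_SIZE for _ in range(16)]
SAMPLE_SECTORS[0] = b"boot-sector-data".ljust(SECTOR_SIZE, b"\x00")
SAMPLE_SECTORS[9] = b"user file contents".ljust(SECTOR_SIZE, b"\x00")
SAMPLE_SECTORS[3] = None  # hardware read error, not a blank sector
SAMPLE_METADATA = {"device_serial": "EXAMPLE-SN-0001",      # constructed placeholder
                   "imaged_at": "2024-01-01T00:00:00Z",      # constructed placeholder
                   "imaged_where": "example lab bench"}      # constructed placeholder


def demo():
    """Build the container, damage a copy, and report what each one still yields."""
    container = build_container(SAMPLE_SECTORS, SAMPLE_METADATA)
    damaged = bytearray(container)
    damaged[-1] ^= 0xFF  # corrupt the last byte of the final chunk payload
    return {"container_size": len(container),
            "raw_size": len(SAMPLE_SECTORS) * SECTOR_SIZE,
            "intact": verify(container),
            "damaged": verify(bytes(damaged)),
            "sector3": read_sector(container, 3),
            "sector9": read_sector(container, 9)[:18]}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the contrast with a raw image: the container is far smaller than the 8192-byte raw copy, the undamaged file verifies as `[True, True]`, and after one byte of the second chunk is corrupted the result is `[True, False]`, so sectors 0 through 7 remain readable and verifiable while sector 3 is reported as unreadable rather than blank. A real format would additionally sign the header and chunk hashes so that the checksums themselves cannot be silently rewritten.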