Communications of the ACM

Next-generation cyber forensics

Digital Evidence Bag


The process of digital investigation and analysis is complex and arduous at best. The dramatic increase in hard drive capacity and the availability of FireWire devices in just the past few years has created a new requirement for digital investigation: the need to capture and analyze transmissions from portable computing devices, and to access and investigate high-capacity memory sticks, not only to prosecute dangerous criminals and terrorists, but to attempt to preempt their actions.

Today, when digital investigators discuss preserving digital evidence, they are typically referring to "imaging" the media. As this method becomes impractical and live investigation emerges, we must quickly move from the arcane drive image to the next generation: intelligent digital evidence storage.

The concept of a digital evidence bag (DEB) to address advanced evidence storage, preservation, and investigation emerged from a research project funded by the U.S. Air Force Research Laboratory. The concept was to develop a digital evidence container that would metaphorically mimic the familiar plastic evidence bag used by crime scene investigators to collect fibers, hair, blood, and other physical crime scene artifacts. Physical evidence containers are trusted because of a well-understood and practiced process called "chain-of-custody." Simply put, this is a process used to maintain and document the chronological history of the evidence once in possession and secured.

How does a digital container differ from a physical container? The most important distinction is that a digital container can be duplicated, copied, shared, and distributed and potentially manipulated unless the container itself is secure. One important advantage, however, is the ability to examine the contents of the digital container without altering any of it. For example, in the physical world if the evidence bag contains suspected narcotics collected at a drug bust, a sample of the substance is removed from the bag in order to verify that it is, in fact, an illegal narcotic. That sample is weighed, analyzed, and typically destroyed during the examination. As a result, the content of the bag has been altered.


In the digital world, however, if a DEB contains digital photographs, we can remove copies of the digital photographs, and analyze them without changing or altering the contents of the bag. In order to accomplish this, the bag must have intrinsic security elements that permanently preserve and protect the contents of the bag. The specific intrinsic security elements crucial to DEB security include:

Authentication. The authenticity of the digital evidence contained in a DEB is multifaceted. First, verifying the digital identity of those creating a DEB and placing digital evidence into it is critical. In practice, we have taken a trimodal approach to authenticity, combining something held (a smartcard or cryptographic token), something known (the PIN or passphrase used to unlock the capabilities of the token), and something you are (a biometric). Since digital evidence may, in fact, outlive the investigator, the biometric element may prove critical.

Integrity. Once a DEB has been created, our ability to validate the bag also becomes critical. Obviously, verifying the exact contents of the bag is important, and this can be accomplished using digital signature technology. However, the element of time is also essential, and the source of that time must be traceable to international official time. Most importantly, in live digital data acquisition, both the accuracy and source of the time must be irrefutable. In order to accomplish this, a secure, auditable digital timestamp is used. In 2003, the U.S. Air Force Research Laboratory completed work on a method of binding a secure source of digital time to any digital data element.

Access Control. Providing authorized access to a DEB in order to examine evidence, perform analysis of the data, and generate reports and findings related to the content is necessary. Various sections of the DEB require differing levels of access and authentication.

Non-Repudiation/Audit. Digital signatures and digital timestamps provide the basic protection from unauthorized altering of the bag. However, it is important to audit every operation associated with a DEB throughout its life cycle and maintain permanent records of these operations. These audit records will serve as the primary chain-of-custody equivalents in the digital world.
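As an added illustration (not the article's prototype or its XML Document Type Definition), the following Python sketch models the elements above on a bag of constructed evidence bytes: a sealed manifest of SHA-256 item hashes carrying a timestamp, a keyed tag standing in for the examiner's digital signature, copy-out extraction that leaves the bag unchanged, and a hash-chained audit log of every operation. The examiner key, item names, and the use of the local clock in place of a traceable time source are assumptions; a production DEB would use an asymmetric signature from the examiner's token and a secure timestamp service.

```python
"""Minimal digital evidence bag (DEB) model: integrity, timestamping and an
append-only audit trail.  Added illustration, not the article's prototype."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed examiner key: stands in for the signing key held on the
# examiner's smartcard or token.  Assumption, not from the article.
EXAMINER_KEY = b"constructed-demo-key-do-not-reuse"


def _canonical(obj) -> bytes:
    """Deterministic JSON encoding so hashes and tags are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 stands in for the digital signature over the manifest.
    A real DEB would use an asymmetric signature so verifiers need no secret."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class EvidenceBag:
    def __init__(self, examiner: str, key: bytes, clock=None):
        self.examiner = examiner
        self._key = key
        # Local clock used here; the article calls for a traceable, auditable time source.
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())
        self.items = {}       # name -> {"sha256": ..., "size": ...}
        self.contents = {}    # name -> bytes (the evidence itself)
        self.audit = []       # hash-chained record of every operation
        self.seal = None      # manifest plus tag, set once the bag is closed
        self._log("create", None)

    def _log(self, action: str, name):
        """Append an audit entry chained to the previous entry's hash."""
        prev = self.audit[-1]["entry_hash"] if self.audit else "0" * 64
        entry = {"seq": len(self.audit), "time": self._clock(), "who": self.examiner,
                 "action": action, "item": name, "prev": prev}
        entry["entry_hash"] = hashlib.sha256(_canonical(entry)).hexdigest()
        self.audit.append(entry)

    def add(self, name: str, data: bytes):
        """Place evidence in the bag; refused once the bag is sealed."""
        if self.seal is not None:
            raise PermissionError("bag is sealed; contents are immutable")
        self.items[name] = {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}
        self.contents[name] = data
        self._log("add", name)

    def close(self):
        """Seal the bag: timestamped manifest of item hashes, tagged by the examiner."""
        manifest = {"examiner": self.examiner, "sealed_at": self._clock(), "items": self.items}
        self.seal = {"manifest": manifest, "tag": _tag(self._key, _canonical(manifest))}
        self._log("seal", None)

    def extract(self, name: str) -> bytes:
        """Hand out a copy for examination; the bag's own contents are untouched."""
        self._log("extract", name)
        return bytes(self.contents[name])

    def verify(self, key: bytes) -> list:
        """Return a list of problems found (empty list means the bag checks out)."""
        problems = []
        if self.seal is None:
            return ["bag not sealed"]
        expected = _tag(key, _canonical(self.seal["manifest"]))
        if not hmac.compare_digest(self.seal["tag"], expected):
            problems.append("manifest tag mismatch")
        for name, meta in self.seal["manifest"]["items"].items():
            data = self.contents.get(name)
            if data is None or hashlib.sha256(data).hexdigest() != meta["sha256"]:
                problems.append(f"content hash mismatch: {name}")
        prev = "0" * 64
        for i, e in enumerate(self.audit):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if (e["prev"] != prev or e["seq"] != i
                    or hashlib.sha256(_canonical(body)).hexdigest() != e["entry_hash"]):
                problems.append(f"audit chain broken at entry {i}")
                break
            prev = e["entry_hash"]
        return problems


def demo():
    """Seal two constructed items, examine one, then simulate tampering."""
    bag = EvidenceBag("examiner-01", EXAMINER_KEY)
    bag.add("photo_001.jpg", b"\xff\xd8\xff\xe0 constructed JPEG bytes")
    bag.add("note.txt", b"constructed text evidence")
    bag.close()
    clean = bag.verify(EXAMINER_KEY)
    bag.extract("note.txt")                 # examination copy, bag unchanged
    after_extract = bag.verify(EXAMINER_KEY)
    bag.contents["note.txt"] = b"altered"   # someone edits the sealed content
    tampered = bag.verify(EXAMINER_KEY)
    return clean, after_extract, tampered


if __name__ == "__main__":
    print(demo())
```

Every operation, including read-only extraction, lands in the chained audit log, so a missing or rewritten entry is detected by `verify()` just as a changed file or a manifest tag produced with the wrong key is.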

The implementation of such a concept is still being researched and explored. Current research and development projects have produced both a prototype demonstration and, most notably, an XML Document Type Definition for a proposed DEB. Additional work is necessary to perfect the DEB and to make the associated security model acceptable to the courts and to our own scientific scrutiny.

Author

Chet Hosmer ([email protected]) is the CEO and Chief Scientist at WetStone Technologies, Inc., Cortland, NY.


©2006 ACM  0001-0782/06/0200  $5.00

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

The Digital Library is published by the Association for Computing Machinery. Copyright © 2006 ACM, Inc.
