Wednesday, 4 November 2009

Digital Evidence Bags

There are currently fundamental differences in the treatment of digital and non-digital (physical) forensic evidence in our legal system. All examination of non-digital evidence is logged through the use of evidence bags, whilst for digital evidence the only requirements are generally to provide evidence that the data being worked upon and presented:
  • has been collected in a manner consistent with the ACPO guidelines on digital evidence collection; and,
  • matches, through verification against the output of an agreed hashing algorithm, the data collected from the original source.
Another key issue affecting digital evidence gathering is the sheer size of the datasets. With terabyte drives available for less than £60, the amount of data that needs to be processed, investigated, stored and presented is on the verge of being unmanageable.

Others also acknowledge this:
“Traditional computer forensics is on the edge of a precipice … The reason for this imminent doomsday is the sheer volume of data that has to be processed during the course of a digital forensic investigation.”
Turner, p. 223

Turner proposes an alternative: a set of file formats that mimic the structure of non-digital evidence bags in a digital environment. A base implementation has been developed; however, there is no evidence to suggest that any further development has occurred, either by Turner or by third parties. It is feasible that this initial implementation exists only to facilitate Turner's related patent application.

There is little argument against the concept - as opposed to Turner's implementation - of Digital Evidence Bags; after all, if there is a bloodstain on a wall nobody would ever suggest taking the entire building as evidence. However, it should be noted that Turner's solution is not the only one that exists. We also have to examine the Digital Evidence Exchange (DEX) format.
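The contrast drawn above, between a bare hash match and a logged evidence bag, can be sketched in Python. This is an added illustration, not Turner's file format or the DEX format: the `EvidenceBag` class, its field names and the sample values are all hypothetical.

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class EvidenceBag:
    """Hypothetical bag: one selected evidence unit, its tag, and a continuity log."""

    def __init__(self, source: str, data: bytes, collector: str, when: str):
        self.data = data
        # Tag: the digital counterpart of the label on a physical bag.
        self.tag = {"source": source, "collector": collector,
                    "collected": when, "sha256": sha256_hex(data)}
        self.log = []
        self.record(collector, "collected and sealed", when)

    def record(self, who: str, action: str, when: str) -> None:
        # Each entry commits to the previous one, so edits and deletions
        # in the middle of the log break the chain.
        prev = self.log[-1]["entry_hash"] if self.log else self.tag["sha256"]
        entry = {"who": who, "action": action, "when": when, "prev": prev}
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.log.append(entry)

    def verify(self) -> list:
        """Return a list of problems; an empty list means the bag is intact."""
        problems = []
        if sha256_hex(self.data) != self.tag["sha256"]:
            problems.append("data does not match acquisition hash")
        prev = self.tag["sha256"]
        for i, entry in enumerate(self.log):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            digest = sha256_hex(json.dumps(body, sort_keys=True).encode())
            if entry["prev"] != prev or digest != entry["entry_hash"]:
                problems.append(f"log entry {i} altered or out of sequence")
            prev = entry["entry_hash"]
        return problems

if __name__ == "__main__":
    # Constructed sample: one file taken from a drive, not the whole drive.
    bag = EvidenceBag("drive-01:/Users/example/ledger.xls", b"constructed sample bytes",
                      "Officer A", "2009-11-04T10:00Z")
    bag.record("Analyst B", "opened read-only for keyword search", "2009-11-05T09:30Z")
    print(bag.verify())
    bag.log[1]["action"] = "no examination performed"
    print(bag.verify())
```

A hash chain held entirely inside the bag cannot show that entries were trimmed from the end or that the whole chain was recomputed, so the latest `entry_hash` would need to be signed or recorded somewhere outside the bag.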

See: Turner, P. (2005). Unification of digital evidence from disparate sources (Digital Evidence Bags). Digital Investigation, Volume 2, Issue 3, September 2005, pp. 223-228.
