Wednesday, 11 November 2009

XML in Forensics: XIRAF

In 2005, Turner published his paper 'Unification of digital evidence from disparate sources (Digital Evidence Bags)'. It describes an XML data format intended to play the same role for digital material that a physical evidence bag plays for physical exhibits, and concludes by stating:
"The digital forensic community is in need of a new approach to the way in which the information from digital devices is gathered and processed."
Turner, 2005

XML is also the subject of a 2006 paper by Alink et al, "XIRAF - XML-based indexing and querying for digital forensics". Based upon Alink's own MSc thesis, it describes an architecture in which separate forensic analysis tools are linked through a shared XML format. One example given is that of a forensically captured image:
<case id="test-case">
    <image id="1" name="A" start="0" end="15000000">
        <volume type="FAT32" start="0" end="10000000"/>
        <volume type="NTFS" start="10000000" end="15000000"/>
    </image>
    <image id="2" name="B" start="15000000" end="35000000"/>
    <image id="3" name="C" start="35000000" end="40000000">
        <volume type="EXT2" start="35000000" end="40000000"/>
    </image>
</case>

Although the formats themselves may not be of direct use, Alink et al go on to describe how individual tools can register themselves as applicable to specific sets of files by means of XPath queries:
Description: Lists recently deleted files by looking at the recycle bin log files (usually named "INFO2")
Input selection: Selects all files named INFO2
Input query: //file[@name[ends-with(.,"/INFO2")]]

They have also used the query language to generate timeline data incorporating file times, EXIF data and other sources of date-related data; the author goes on to state:
"[The investigator] could see, for example, that movie files are created in the file system at approximately the same time that suspects are discussing a transfer of those files using a chat program."
and notes that the timeline software could allow the user to drill down from the displayed data back to the source of that data. However, like Turner's DEB, XIRAF's format appears to have gained little support in the past 4 years, with no obvious tools having appeared.
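To make the two ideas above concrete (tools registering an input selection over the case XML, and a timeline that merges file-system and EXIF dates while keeping a pointer back to its source), here is a small added example in Python; it is not code from the XIRAF paper or from this blog, and the <file>/<exif> elements, their attributes, the sample paths and the tool names are all my own assumptions rather than the paper's schema.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample in the style of the post's XIRAF case description; the <file>/<exif>
# elements and their attributes are my assumptions, not the paper's schema.
SAMPLE_XML = """<case id="test-case">
  <image id="1" name="A" start="0" end="15000000">
    <volume type="NTFS" start="0" end="15000000">
      <file name="/Users/bob/Videos/clip.avi" mtime="2009-11-01T10:02:00"/>
      <file name="/RECYCLER/S-1-5-21-1/INFO2" mtime="2009-11-01T10:05:00"/>
      <file name="/Users/bob/Pictures/img.jpg" mtime="2009-11-01T11:00:00">
        <exif DateTimeOriginal="2009-10-30T09:15:00"/>
      </file>
    </volume>
  </image>
</case>"""

# Tool registrations in the spirit of the paper's "input selection". The XPath 2.0
# ends-with() used in the paper is not available in ElementTree's XPath subset, so each
# selection is a Python predicate over a <file> element instead.
TOOLS = {
    "recycle-bin": {"description": "Lists recently deleted files from INFO2 logs",
                    "select": lambda f: f.get("name", "").endswith("/INFO2")},
    "exif": {"description": "Extracts EXIF dates from JPEG files",
             "select": lambda f: f.get("name", "").lower().endswith((".jpg", ".jpeg"))},
}

def select_inputs(root, tool_name):
    """Return the path of every <file> matched by the named tool's input selection."""
    select = TOOLS[tool_name]["select"]
    return [f.get("name") for f in root.iter("file") if select(f)]

def build_timeline(root):
    """Merge file-system and EXIF times into one sorted list of (timestamp, source, path);
    the source label and path let an investigator drill back to the originating element."""
    events = []
    for f in root.iter("file"):
        path = f.get("name")
        if f.get("mtime"):
            events.append((datetime.fromisoformat(f.get("mtime")), "fs:mtime", path))
        for exif in f.findall("exif"):
            if exif.get("DateTimeOriginal"):
                ts = datetime.fromisoformat(exif.get("DateTimeOriginal"))
                events.append((ts, "exif:DateTimeOriginal", path))
    return sorted(events)

def load_case(xml_text=SAMPLE_XML):
    """Parse a XIRAF-style case document into an element tree root."""
    return ET.fromstring(xml_text)
```

Running `build_timeline(load_case())` places the EXIF capture date of img.jpg before its file-system mtime, which is exactly the kind of cross-source ordering the paper's timeline view is meant to expose.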

It is possible that a newer format, DEX, may take off where both DEB and XIRAF appear to have failed; it is this that will be investigated next as part of the VeRa project.

