
File System Support for Digital Evidence Bags

  • Golden Richard III
  • Vassil Roussev
Part of the IFIP Advances in Information and Communication book series (IFIPAICT, volume 222)

Abstract

Digital Evidence Bags (DEBs) are a mechanism for bundling digital evidence, associated metadata and audit logs into a single structure. DEB-compliant applications can update a DEB’s audit log as evidence is introduced into the bag and as data in the bag is processed. This paper investigates native file system support for DEBs, which has a number of benefits over ad hoc modification of digital evidence bags. The paper also describes an API for DEB-enabled applications and methods for providing DEB access to legacy applications through a DEB-aware file system. The paper addresses an urgent need for digital-forensics-aware operating system components that can enhance the consistency, security and performance of investigations.

Keywords

Operating system internals, file systems, digital evidence bags


Copyright information

© IFIP International Federation for Information Processing 2006

Authors and Affiliations

  • Golden Richard III (1, 2)
  • Vassil Roussev (1)

  1. University of New Orleans, New Orleans, USA
  2. Digital Forensics Solutions, LLC, USA
