File System Support for Digital Evidence Bags

  • Golden Richard III
  • Vassil Roussev
Part of the IFIP Advances in Information and Communication book series (IFIPAICT, volume 222)


Digital Evidence Bags (DEBs) are a mechanism for bundling digital evidence, associated metadata and audit logs into a single structure. DEB-compliant applications can update a DEB’s audit log as evidence is introduced into the bag and as data in the bag is processed. This paper investigates native file system support for DEBs, which has a number of benefits over ad hoc modification of digital evidence bags. The paper also describes an API for DEB-enabled applications and methods for providing DEB access to legacy applications through a DEB-aware file system. The paper addresses an urgent need for digital-forensics-aware operating system components that can enhance the consistency, security and performance of investigations.


Keywords: Operating system internals, file systems, digital evidence bags



Copyright information

© IFIP International Federation for Information Processing 2006

Authors and Affiliations

  • Golden Richard III (1, 2)
  • Vassil Roussev (1)
  1. University of New Orleans, New Orleans, USA
  2. Digital Forensics Solutions, LLC, USA
