Abstract
Within the activities of the Evidence Project, a standard has been proposed for representing the data and metadata involved in the electronic evidence exchange process. The main aim is to cover the widest possible range of forensic information and processing results, including legal requirements. The standard consists of: a set of data and metadata describing all actions (i.e., tasks), actors (e.g., subjects, victims, authorities, examiners, etc.), tools (i.e., digital tools for carrying out the different forensic processes), digital and physical objects involved in the investigative case (e.g., hard disk, smartphone, memory dump, etc.) and the relationships between objects (e.g., contains, extracted from, etc.); formal languages for representing all the elements cited above in a standard way; and a platform implementing the exchange process in terms of functionalities, along with a recommendation for integrating it with existing platforms already in place and run by European and international public bodies.
Notes
- 1.
Evidence Project—“European Informatics Data Exchange Framework for Courts and Evidence”, www.evidenceproject.eu.
- 2.
In the forensics community there is no general agreement on the exact meaning of evidence provenance, although all experts unanimously consider provenance to be of great importance in digital forensics investigation. Some experts see provenance as chain of custody documentation (Turner, 2005a); others interpret provenance as “the set of tools and transformations that led from acquired raw data to the final findings” (Levine and Liberatore, 2009).
- 3.
Public Prosecutor speech during a two-day meeting held in Florence on 8–9 April 2015.
- 4.
The most important system in the evidence exchange is SIENA, which stands for Secure Information Exchange Network Application. It is a secure communication system managed by EUROPOL and dedicated to the EU law enforcement community. The storage and exchange of information through SIENA is governed by a legal framework with a strong data protection regime. SIENA is used for exchanging personal information related to the crime areas within the mandate of EUROPOL, including EU restricted information. Basically, the SIENA application is a tool for exchanging case-relevant (operational) information.
- 5.
See section Forensic Toolkit in the Digital Forensic Tools Catalogue at http://wp4.evidenceproject.eu.
- 6.
See, for example, the File Carving or Application Forensics categories in the Digital Forensic Tools Catalogue.
- 7.
MAC times are pieces of file system metadata that record when certain events pertaining to a computer file most recently occurred. M stands for Modify, A for Access and C for Change or Create.
- 8.
The MITRE Corporation is a not-for-profit company that operates multiple federally funded research and development centers (FFRDCs), https://www.mitre.org.
- 9.
- 10.
- 11.
- 12.
- 13.
- 14.
- 15.
- 16.
For the current list of objects, see https://cyboxproject.github.io/documentation/objects.
- 17.
For a complete list see https://cyboxproject.github.io/documentation/object-relationships.
- 18.
The UCO element ucoCommon:InformationSourceType that details the source of a given data entry.
- 19.
A basic example, called basic_example.xml, has been provided by the DFAX developers on GitHub (the well-known web-based Git repository hosting service) at http://github.com/DFAX/dfax/tree/master/examples.
- 20.
Plaso is a Python-based backend engine for the tool log2timeline, developed and maintained by Google. log2timeline is a tool designed to extract timestamps from the various files found on a typical computer system and aggregate them into a timeline.
- 21.
psort is a command-line tool for post-processing plaso storage files. It allows you to filter, sort and run automatic analysis on the contents of plaso storage files.
- 22.
A format similar to Comma Separated Values (CSV).
References
Alink W, Bhoedjang R, Boncz P, de Vries A (2006) XIRAF - XML-based indexing and querying for digital forensics. Digit Invest 3(Suppl):50–58
Barnum S, Martin R, Worrell B, Kirillov I (2012) The CybOX language specification, Version 1.0. MITRE. https://cybox.mitre.org/language/specifications/CybOX_Language_Core_Specification_v1.0.pdf
Bhoedjang RAF, van Ballegooij AR, van Beek HMA et al (2012) Engineering an online computer forensic service. Digit Invest 9(2):96–108
Casey E, Back G, Barnum S (2015) Leveraging CybOX to standardize representation and exchange of digital forensic information. Digit Invest 12:102–110. https://www.sciencedirect.com/science/article/pii/S1742287615000158
Chabot Y, Bertaux A, Nicolle C, Kechadi T (2015) An ontology-based approach for the reconstruction and analysis of digital incidents timelines. Digit Invest 15:83–100. https://doi.org/10.1016/j.diin.2015.07.005
Cohen M, Schatz B, Garfinkel S (2009) Extending the advanced forensic format to accommodate multiple data sources, logical evidence, arbitrary information and forensic workflow. Digit Invest 6(Suppl):57–68
Danyliw R, Meijer J, Demchenko Y (2007) The Incident Object Description Exchange Format (IODEF), RFC 5070. https://tools.ietf.org/html/rfc5070
Garfinkel S (2006) Forensic feature extraction and cross-drive analysis. Digit Invest 3(Suppl):71–81
Garfinkel S (2009) Automating disk forensic processing with SleuthKit. In: XML and Python, Systematic approaches to digital forensics engineering (IEEE/SADFE 2009), Oakland
Garfinkel S (2012a) Digital forensics XML and the DFXML toolset. Digit Invest 8:161–174
Garfinkel S (2012b) Digital forensics XML and the DFXML toolset. Digit Invest 9(3–4):161–174
Inacio C (2012) Internet-Draft draft-inacio-mile-forensics-00. https://tools.ietf.org/html/draft-inacio-mile-forensics-00
ISO/IEC 27037:2012 (2012) Information technology—Security techniques—Guidelines for identification, collection, acquisition and preservation of digital evidence
ISO/IEC 27042:2015 (2015) Information technology—Security techniques—Guidelines for the analysis and interpretation of digital evidence
Levine BN, Liberatore M (2009) DEX: Digital evidence provenance supporting reproducibility and comparison. Digit Invest 6:48–56. https://github.com/umass-forensics/DEX-forensics
Schatz B (2007) Digital evidence: representation and assurance. PhD dissertation, Queensland University of Technology. https://eprints.qut.edu.au/16507/1/Bradley_Schatz_Thesis.pdf
Turner P (2005a) Digital provenance—interpretation, verification and corroboration. Digit Invest 2(1):45–49
Turner P (2005b) Unification of digital evidence from disparate sources (digital evidence bags). Digit Invest 2(3):223–228
Turner P (2006) Selective and intelligent imaging using digital evidence bags. Digit Invest 3(Suppl):59–64
© 2018 Springer International Publishing AG, part of Springer Nature
Cite this chapter
Epifani, M., Turchi, F. (2018). Standard for the Electronic Evidence Exchange. In: Biasiotti, M., Mifsud Bonnici, J., Cannataci, J., Turchi, F. (eds) Handling and Exchanging Electronic Evidence Across Europe. Law, Governance and Technology Series, vol 39. Springer, Cham. https://doi.org/10.1007/978-3-319-74872-6_15
DOI: https://doi.org/10.1007/978-3-319-74872-6_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-74871-9
Online ISBN: 978-3-319-74872-6
eBook Packages: Law and Criminology (R0)