Research and Advances
Computing Applications: Next-generation cyber forensics

Digital Evidence Bag


The process of digital investigation and analysis is complex and arduous at best. The dramatic increase in the capacity of hard drives and the availability of FireWire devices in just the past few years has created a new requirement for digital investigation. There is currently a need to capture and analyze transmissions from portable computing devices, and to access and investigate high-capacity memory sticks, not only to prosecute dangerous criminals and terrorists, but to attempt to preempt their actions.

Today when digital investigators discuss preserving digital evidence they are typically referring to "imaging" the media. As the practicality of using this method becomes obsolete, and live investigation emerges, we must quickly move from the arcane drive image to the next generation, which would be intelligent digital evidence storage.

The concept of a digital evidence bag (DEB) to address advanced evidence storage, preservation, and investigation emerged from a research project funded by the U.S. Air Force Research Laboratory. The concept was to develop a digital evidence container that would metaphorically mimic the familiar plastic evidence bag used by crime scene investigators to collect fibers, hair, blood, and other physical crime scene artifacts. Physical evidence containers are trusted because of a well-understood and practiced process called "chain-of-custody." Simply put, this is a process used to maintain and document the chronological history of the evidence once in possession and secured.

How does a digital container differ from a physical container? The most important distinction is that a digital container can be duplicated, copied, shared, and distributed and potentially manipulated unless the container itself is secure. One important advantage, however, is the ability to examine the contents of the digital container without altering any of it. For example, in the physical world if the evidence bag contains suspected narcotics collected at a drug bust, a sample of the substance is removed from the bag in order to verify that it is, in fact, an illegal narcotic. That sample is weighed, analyzed, and typically destroyed during the examination. As a result, the content of the bag has been altered.

In the digital world, however, if a DEB contains digital photographs, we can remove copies of the digital photographs, and analyze them without changing or altering the contents of the bag. In order to accomplish this, the bag must have intrinsic security elements that permanently preserve and protect the contents of the bag. The specific intrinsic security elements crucial to DEB security include:

Authentication. The authenticity of the digital evidence contained in a DEB is multifaceted. First, the verification of the digital authenticity of those creating a DEB and placing digital evidence into a DEB is critical. In practice, we have taken a trimodal approach to authenticity—including something held (a smartcard or cryptographic token), something known (the PIN or passphrase used to unlock the capabilities of the token devices), and something you are (a biometric). Since digital evidence may, in fact, outlive the investigator, the biometric element may prove critical.

Integrity. Once a DEB has been created, our ability to validate the bag also becomes critical. Obviously, verifying the exact contents of the bag is important, and this can be accomplished using digital signature technology. However, the element of time is also essential, and the source of that time must be traceable to international official time. Most importantly, in live digital data acquisition, both the accuracy and source of the time must be irrefutable. In order to accomplish this, a secure, auditable digital timestamp is used. In 2003, the U.S. Air Force Research Laboratory completed work on a method of binding a secure source of digital time to any digital data element.

Access Control. Providing authorized access to a DEB, in order to examine evidence, perform analysis of the data, and generate reports and findings related to the content, is necessary. Various sections of the DEB require differing levels of access and authentication.

Non-Repudiation/Audit. Digital signatures and digital timestamps provide the basic protection from unauthorized altering of the bag. However, it is important to audit every operation associated with a DEB throughout its life cycle and maintain permanent records of these operations. These audit records will serve as the primary chain-of-custody equivalents in the digital world.
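The four intrinsic elements above (authenticated actors, a signed and timestamped seal over the contents, controlled read-only examination, and a permanent audit trail) can be sketched as a small container class. The following is an added illustration, not the AFRL prototype or its XML definition: the case identifier, item names and bytes, actor names and timestamps are all constructed; an HMAC key stands in for the investigator's token-bound signing key, and the timestamp strings stand in for the traceable digital timestamp the article calls for.

```python
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class DigitalEvidenceBag:
    """Toy DEB: contents are frozen once sealed, every operation is written
    to a hash-chained audit trail, and examination hands out copies only."""

    def __init__(self, case_id: str, signing_key: bytes):
        self.case_id = case_id
        # Assumption: an HMAC key plays the role of the examiner's signing
        # key. A real bag would use an asymmetric signature bound to the
        # investigator's token so that any third party can verify the seal.
        self._key = signing_key
        self.items = {}      # item name -> bytes, frozen once sealed
        self.audit = []      # hash-chained audit records (chain-of-custody)
        self.seal = None     # signature over the manifest, set by seal_bag()

    def _record(self, actor, action, detail, timestamp):
        # Each record commits to the previous one, so deleting or editing a
        # record breaks the chain for everything that follows it.
        prev = self.audit[-1]["record_hash"] if self.audit else "0" * 64
        rec = {"seq": len(self.audit), "actor": actor, "action": action,
               "detail": detail, "timestamp": timestamp, "prev_hash": prev}
        rec["record_hash"] = sha256_hex(json.dumps(rec, sort_keys=True).encode())
        self.audit.append(rec)

    def add_item(self, name, data, actor, timestamp):
        if self.seal is not None:
            raise PermissionError("bag is sealed; contents cannot change")
        self.items[name] = bytes(data)
        self._record(actor, "add", {"item": name, "sha256": sha256_hex(data)}, timestamp)

    def manifest(self):
        return {name: sha256_hex(data) for name, data in sorted(self.items.items())}

    def _canonical(self, sealed_at):
        doc = {"case": self.case_id, "manifest": self.manifest(), "sealed_at": sealed_at}
        return json.dumps(doc, sort_keys=True).encode()

    def seal_bag(self, actor, timestamp):
        # The seal binds case id, content hashes and sealing time together.
        sig = hmac.new(self._key, self._canonical(timestamp), hashlib.sha256).hexdigest()
        self.seal = {"sealed_at": timestamp, "signature": sig}
        self._record(actor, "seal", {"signature": sig}, timestamp)

    def extract_copy(self, name, actor, timestamp):
        # Examination yields a copy and an audit entry; the bag is untouched.
        self._record(actor, "extract", {"item": name}, timestamp)
        return bytes(self.items[name])

    def verify(self):
        """Return a list of problems; an empty list means the bag checks out."""
        if self.seal is None:
            return ["bag has not been sealed"]
        problems = []
        expected = hmac.new(self._key, self._canonical(self.seal["sealed_at"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, self.seal["signature"]):
            problems.append("contents do not match sealed manifest")
        prev = "0" * 64
        for rec in self.audit:
            body = {k: v for k, v in rec.items() if k != "record_hash"}
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != rec["record_hash"]:
                problems.append(f"audit record {rec['seq']} altered")
            if rec["prev_hash"] != prev:
                problems.append(f"audit chain broken at record {rec['seq']}")
            prev = rec["record_hash"]
        return problems


def demo():
    """Seal a bag, examine a copy, then show that altering the bag is caught."""
    bag = DigitalEvidenceBag("CASE-0001", b"constructed-examiner-key")
    bag.add_item("photo.jpg", b"\xff\xd8\xff\xe0 constructed jpeg bytes",
                 "examiner-a", "2024-01-01T10:00:00Z")
    bag.add_item("notes.txt", b"constructed notes", "examiner-a", "2024-01-01T10:01:00Z")
    bag.seal_bag("examiner-a", "2024-01-01T10:02:00Z")
    copy = bag.extract_copy("photo.jpg", "analyst-b", "2024-01-02T09:00:00Z")
    clean = bag.verify()                       # [] : copy did not alter the bag
    bag.items["photo.jpg"] = copy + b" tampered"
    tampered = bag.verify()                    # manifest signature no longer matches
    return clean, tampered, len(bag.audit)


if __name__ == "__main__":
    print(demo())
```

Extracting a copy leaves the sealed manifest intact, which is the digital-bag advantage described above, while the chained audit records reproduce the chronological custody history: editing an old record changes its hash, and rewriting the hash breaks the link from the record that follows.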

The implementation of such a concept is still being researched and explored. Current research and development projects have produced both a prototype demonstration and, most notably, an XML Document Type Definition for a proposed DEB. Some additional work is necessary to perfect the DEB and to make the associated security model acceptable to the courts and to our own scientific scrutiny.
