Unification of digital evidence from disparate sources (Digital Evidence Bags)


Digital Investigation (2005) 2, 223e228

www.elsevier.com/locate/diin

Unification of digital evidence from disparate sources (Digital Evidence Bags)

Philip Turner a,b,*

a QinetiQ - Trusted Information Management Malvern Technology Centre, Digital Investigation Services, G Building Room 311, St. Andrews Road, Malvern, Worcestershire WR14 3PS, UK
b School of Technology, Oxford Brookes University, Oxford OX33 1HX, UK

Received 3 June 2005; revised 14 July 2005; accepted 15 July 2005

KEYWORDS: Computer forensics; Digital forensics; Selective imaging; Intelligent imaging; Real-time evidence capture

Abstract: This paper outlines a new approach to the acquisition and processing of digital evidence obtained from disparate digital devices and sources. To date the capture of digital based evidence has always been in its entirety from the source device, and different methods and containers (file types) are used for different types of digital device (e.g. computer, PDA, mobile phone). This paper defines a new approach called a Digital Evidence Bag (DEB) that is a universal container for the capture of digital evidence. Furthermore, the Digital Evidence Bag concept could be used to permit the streamlining of data capture and allow multiple sources of evidence to be processed in a multiprocessor distributed environment, thereby maximizing the use of available processing power. The approach described in this paper allows for the first time the forensic process to be extended beyond the traditional static forensic capture of evidence into the real-time 'live' capture of evidence. In addition to this the Digital Evidence Bag can be used to provide an audit trail of processes performed upon the evidence as well as integrated integrity checking.
© 2005 Published by Elsevier Ltd.

Introduction

Traditional computer forensics is on the edge of a precipice. Some practitioners might actually say that we have gone over the edge and are plummeting into the depths of oblivion with no end in sight. The reason for this imminent doomsday is the sheer volume of data that has to be processed during the course of a digital forensic investigation. For example, it is not uncommon to see single hard disk drives in excess of 350 Gb. This is compounded by the fact that current forensic tools are being stretched past the limit of what they were designed to do, thus resulting in the whole forensic process becoming problematic.

* QinetiQ - Trusted Information Management Malvern Technology Centre, Digital Investigation Services, G Building Room 311, St. Andrews Road, Malvern, Worcestershire WR14 3PS, UK. Tel.: +44 1684 895777; fax: +44 1684 894365.

E-mail address: [email protected]

1742-2876/$ - see front matter © 2005 Published by Elsevier Ltd. doi:10.1016/j.diin.2005.07.001

Furthermore, the situation still does not get any better when you take into account the diverse number of devices that process digital information and are capable of having digital information extracted from them. This just means that even more specialised applications have to be learnt, understood and used by the forensic practitioners in order to capture the information.

So why are we in this woeful state of affairs? Well, there is not a single reason, but perhaps the main one is the fact that when digital forensics is undertaken the only actual forensic task is the capture of the image from the original media. This is the source of our troubles; well, to be precise, the actual containers that we capture the information into are the problem. The reason for this is that to process the captured information, the forensic image has to be processed as a single entity by the analysis tool.

The second reason why we are having difficulty is that each forensic capture utility for the diverse range of digital devices captures the information into differing format containers. That is not to say that a single format container should be used to capture data from a computer as from a PDA or live network packet capture, just that the wrapper used should be consistent.

Traditional evidence capture

In the world of law enforcement, when a crime scene is visited in the course of an enquiry or investigation, the law enforcement officers use bags and seals to store the items of evidence that are found which are considered relevant at the time. Note that not everything can be captured; for example they very rarely dismantle a building brick by brick and take it away for analysis. In the digital forensic world however, we have the advantage that, should we wish, it is possible to capture everything. The item would then be placed into a bag that is sealed at the scene. The seal number is recorded and a tag is attached which may include details such as:

- Investigating Agency/Police Force;
- Exhibit reference number;
- Property reference number;
- Case/Suspect name;
- Brief description of the item;
- Date and time when the item was seized/produced;
- Location of where the item was seized/produced;
- Name of the person that is producing the item as evidence;
- Signature of the person that is producing the item;
- Incident/Crime reference number;
- Laboratory reference number.

The tag also contains sections for continuity purposes that can be signed when other people take custody of the item. This is used to provide continuity and assure provenance of the item from the time the item was seized to the time the item is used as evidence in court, restored to the owner or destroyed.

The continuity sections usually show the following details:

- Name/Rank and number of person taking custody of the item;
- Signature of the person that is taking custody of the item;
- Date and time the person takes custody of the item.

It is not uncommon for many bags of evidence to be seized when a crime scene is visited, and the size, shape and type of those bags vary depending upon the contents and type of article. For this reason different capacity bags are used.

This individual wrapping also permits various articles to be distributed between the various specialist laboratories that can process that item. For example some items may require fingerprint analysis, others may require DNA analysis, whilst others may just require interpretation of their contents by the investigating officer.

So how can the tried and tested method of evidence capture described above be undertaken in the rapidly changing digital world?

Digital evidence capture

Currently in the digital world the closest equivalent to the physical evidence capture process is either the plain 'dd' image file (Kornblum, 2004) or the proprietary format produced by the forensic tool vendors.

The 'dd' raw file capture contains no method of attaching details such as the date and time of capture, the person performing the capture process, or any mechanism to help assure the integrity of what has been captured. These features can be generated after the capture but usually require additional actions of the person carrying out the process as separate distinct functions.


In contrast to this, some proprietary formats (Guidance Software Inc.) allow some of these details to be entered when the capture commences. In addition to this, values are written at regular intervals to permit the identification of errors that could occur within that stream of data. A digital fingerprint (hash) is also generated to give assurance at a later date that the contents are the same as when the data was first captured.

These methods tend to attempt to capture the whole of the evidence into a single one-size-fits-all bag 'entity'. If the item being captured is too large to fit into one file, as it often is with the capacity of modern hard disk drives, then the file is fragmented into 'chunks'. This is to allow the file to be backed up later, or to be split between multiple smaller media if single storage devices of sufficient capacity are not available at the time of capture.

However, in order to be able to process the contents of either of these types of data capture output, the totality of the fragmented files usually has to be made available again to the single application that is going to be used to process that evidence.

Digital Evidence Bags (DEBs)

A new approach

What is required to help solve these problems is a new approach. That is not to say that we should immediately throw away all of our current tools and use something else, but the current tools and techniques should be adapted to work in a more flexible way. This may eventually lead to a new way of capturing and processing digital information in a forensically sound manner.

To help solve some of these problems the concept of a Digital Evidence Bag (DEB) is demonstrated. A digital evidence bag is a wrapper for any type of digital based evidence or information. The bag has potentially an infinite capacity (although in practice the size will be limited) and depending upon the user requirements can store information that could be captured in both a static or real-time environment. Furthermore each bag contains its own tag information, complete with integrity assurance information and continuity sections.

Figure: Basic DEB structure. A Digital Information Source is captured into a Digital Evidence Bag consisting of one .tag file and a series of Evidence Unit pairs: .index01 with .bag01, .index02 with .bag02, and so on up to .indexnn with .bagnn.

The above scenario gets even more complicated if data is being captured in real-time, for example as a network packet capture. This type of application is similar in principle to the 'dd' capture process, with the difference that the amount of data to be captured is unknown when the process is commenced.

The following lists the DEB files that are created as part of the capture process; hence for a single evidence capture three types of files are created:

- .tag file;
- .indexnn file;
- .bagnn file.


The tag file is a plain text file containing the following information:

- DEB reference identifier;
- details of the evidence contained in the DEB;
- the name and organisation of the person capturing the information;
- the date and time the capture process started;
- a list of Evidence Units (EUs) contained in the DEB. An EU is the name given to an .indexnn file and its corresponding .bagnn file;
- a hash of the captured information contained in the DEB;
- tag seal number, comprised of a hash of the tag file to date; this is equivalent to the traditional seal number;
- Tag Continuity Blocks (TCBs) containing continuity information of when any DEB application accesses the DEB;
- the format definition of the .index file.

DEB applications update the tag file with a Tag Continuity Block (TCB) so that its contents reflect the history of operations performed on the .bagnn files. Such information includes the date and time the application was used against the .bagnn, and includes an application signature so that it is known what category of application and what version of application was used. The DEB application also updates the tag seal number.

The index file is a text based tab delimited file detailing the contents of the corresponding .bagnn file. The index may contain details such as a list of filenames, folder paths, and timestamp information relating to the contents of the digital information in the bag. Alternatively it may contain details of the physical device, for example the make, model and serial number of the device captured. The exact contents and format of this file vary depending upon the content type of the EU. Its format is specified in the format definition in the tag file and is comprised of a series of Meta Tag labels that define its contents.

The bag file is the file containing the actual evidence captured. The contents of this bag file may be either raw binary information (e.g. from raw device capture), files (e.g. from logical volume acquisition), structured text (e.g. from network packet capture) or categorised files (e.g. one bag containing all text files, another containing all MS Word docs, another containing all JPEG files etc.).

DEB evidence capture scenarios

Traditionally digital forensic evidence capture is a static single process that is used to acquire the evidence material from beginning to end (dumb full capture) of the media concerned. With the implementation of a DEB structure a number of alternative scenarios become possible.

The traditional static full evidence capture (dumb full capture) is still catered for by implementing an index file with the following columns:

DeviceDesc., Manuf., Model, Serial#, Capacity, Hash

In addition to the static full evidence capture an intelligent approach can be adopted. This would be implemented using an index file with the following columns:

Filename, Extn., Attrib., TimeMod, TimeAcc, TimeCre, LogSz, PhySz, Provenance, Hash

This allows every file found in the original evidence to have an entry in the index file. A further enhancement of this is to create an EU containing only files of one particular type. This allows a more streamlined evidence analysis process to be undertaken.

Another scenario that DEBs bring to the evidence capture process is that of selective evidence capture. This involves only capturing files of a specific type or with a particular filename. This type of approach permits a forensic triage process to be performed and yet still allows the output to be captured in a forensically sound manner. This would be implemented using an index of the same form as that used for an intelligent mode full evidence capture.

One of the most important additions to the digital forensic capture process that DEBs permit is that of real-time evidence capture. DEBs allow the output of real-time commands and processes to be captured in a format that is compatible with that used in a static environment. In addition to this it can be performed with all the integrity checking mechanisms normally only associated with evidence capture in a static environment.
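The following is an added worked example, written for this edit and not code from the paper or from QinetiQ's Delphi prototypes. It ties together the basic DEB structure described earlier (a .tag file with a seal number and Tag Continuity Blocks, an .indexnn file and its .bagnn file) and the selective capture scenario just described: only files matching a predicate are captured into Evidence Unit 01, the index uses the Filename/Extn./Attrib./TimeMod/TimeAcc/TimeCre/LogSz/PhySz/Provenance/Hash columns, and the tag is re-sealed each time an application records an access. The on-disk layout (tab-separated key/value tag lines, SHA-256 as the hash, a seal computed over every tag line above the seal, files stored back to back in the bag, a 4096-byte allocation unit for PhySz, and st_ctime standing in for TimeCre) is an assumption of this example, since the paper does not fix those details.

```python
import datetime as dt
import hashlib
import pathlib
import tempfile

# Index columns for the selective / intelligent capture scenario in the paper.
INDEX_COLUMNS = ["Filename", "Extn", "Attrib", "TimeMod", "TimeAcc", "TimeCre",
                 "LogSz", "PhySz", "Provenance", "Hash"]
BLOCK = 4096  # assumed allocation unit used to derive the PhySz column


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _iso(ts: float) -> str:
    return dt.datetime.fromtimestamp(ts, dt.timezone.utc).isoformat(timespec="seconds")


def _seal_line(tag_body: str) -> str:
    # Tag seal number (assumption of this example): SHA-256 over every tag line above the seal.
    return "Seal\t" + sha256_hex(tag_body.encode()) + "\n"


def create_selective_deb(deb_dir, source_dir, deb_ref, description, captured_by, select):
    """Capture the files under source_dir for which select(path) is true into Evidence Unit 01."""
    deb_dir, source_dir = pathlib.Path(deb_dir), pathlib.Path(source_dir)
    deb_dir.mkdir(parents=True, exist_ok=True)
    rows, payload = [], bytearray()
    for path in sorted(p for p in source_dir.rglob("*") if p.is_file()):
        if not select(path):
            continue
        data, st = path.read_bytes(), path.stat()
        rows.append([str(path.relative_to(source_dir)), path.suffix.lstrip("."), oct(st.st_mode & 0o777),
                     _iso(st.st_mtime), _iso(st.st_atime), _iso(st.st_ctime),  # st_ctime stands in for TimeCre
                     str(len(data)), str(-(-len(data) // BLOCK) * BLOCK), str(source_dir), sha256_hex(data)])
        payload += data  # the bag holds the selected files back to back; LogSz lets a reader re-split it
    index = "\t".join(INDEX_COLUMNS) + "\n" + "".join("\t".join(r) + "\n" for r in rows)
    (deb_dir / f"{deb_ref}.index01").write_text(index)
    (deb_dir / f"{deb_ref}.bag01").write_bytes(bytes(payload))
    tag = (f"DEBReference\t{deb_ref}\nDescription\t{description}\nCapturedBy\t{captured_by}\n"
           f"CaptureStarted\t{_iso(dt.datetime.now(dt.timezone.utc).timestamp())}\n"
           f"EvidenceUnits\t01\nEvidenceHash\t{sha256_hex(bytes(payload))}\n"
           f"IndexFormat\t{','.join(INDEX_COLUMNS)}\n")
    (deb_dir / f"{deb_ref}.tag").write_text(tag + _seal_line(tag))
    return len(rows)


def _read_tag(tag_path):
    lines = tag_path.read_text().splitlines(keepends=True)
    if not lines or not lines[-1].startswith("Seal\t"):
        raise ValueError("tag file has no seal line")
    return "".join(lines[:-1]), lines[-1]


def record_access(deb_dir, deb_ref, application, version):
    """Append a Tag Continuity Block for an application that opened the DEB, then re-seal the tag."""
    tag_path = pathlib.Path(deb_dir) / f"{deb_ref}.tag"
    body, seal = _read_tag(tag_path)
    if seal != _seal_line(body):
        raise ValueError("refusing to update a tag whose seal does not match its contents")
    body += f"TCB\t{_iso(dt.datetime.now(dt.timezone.utc).timestamp())}\t{application}\t{version}\n"
    tag_path.write_text(body + _seal_line(body))


def verify_deb(deb_dir, deb_ref):
    """Recompute the tag seal and the hash over all bag files; report which of the two still hold."""
    deb_dir = pathlib.Path(deb_dir)
    body, seal = _read_tag(deb_dir / f"{deb_ref}.tag")
    fields = dict(line.split("\t", 1) for line in body.splitlines() if not line.startswith("TCB\t"))
    captured = b"".join((deb_dir / f"{deb_ref}.bag{eu}").read_bytes()
                        for eu in fields["EvidenceUnits"].split(","))
    return {"seal_ok": seal == _seal_line(body),
            "evidence_ok": sha256_hex(captured) == fields["EvidenceHash"]}


def demo():
    """Build a constructed source tree, capture only the .txt files, log one access, then tamper."""
    with tempfile.TemporaryDirectory() as tmp:
        src, deb = pathlib.Path(tmp) / "source", pathlib.Path(tmp) / "DEB-0001"
        (src / "sub").mkdir(parents=True)
        (src / "notes.txt").write_text("meeting at 10\n")            # constructed sample file
        (src / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 100)
        (src / "sub" / "readme.txt").write_text("constructed sample\n")
        n = create_selective_deb(deb, src, "DEB-0001", "Constructed test set", "A. Examiner (example)",
                                 lambda p: p.suffix == ".txt")
        record_access(deb, "DEB-0001", "deb-viewer", "0.1")
        intact = verify_deb(deb, "DEB-0001")
        with open(deb / "DEB-0001.bag01", "ab") as f:                # alter the evidence after capture
            f.write(b"!")
        bag_altered = verify_deb(deb, "DEB-0001")
        tag = deb / "DEB-0001.tag"
        tag.write_text(tag.read_text().replace("A. Examiner", "B. Someone"))  # alter the tag itself
        tag_altered = verify_deb(deb, "DEB-0001")
        tcbs = sum(1 for line in tag.read_text().splitlines() if line.startswith("TCB\t"))
        return {"selected": n, "tcbs": tcbs, "intact": intact,
                "bag_altered": bag_altered, "tag_altered": tag_altered}


if __name__ == "__main__":
    print(demo())
```

The demo captures the two .txt files but not the .jpg, records one TCB, and then shows the two independent checks the tag provides: altering the bag breaks the evidence hash while the seal stays valid, and altering the tag breaks the seal. A viewer built on this layout should refuse to append a TCB when the existing seal does not verify, as record_access does, so that a broken chain is not silently extended.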

DEB prototype implementations

A number of prototype implementations of the DEB scenarios have been produced to demonstrate the concept and assist in the validation of this approach to evidence capture.

These applications have been written in Delphi and operate on the Microsoft Windows platform. They demonstrate the mechanics of creating and using Digital Evidence Bags. The applications written to date include:

- Application Wrapper: a Windows command line application wrapper. It accepts Windows command line input and then processes and captures the command entered and the output generated from that command and creates a DEB. Multiple commands can be entered and all the output is contained in the DEB.
- Digital Evidence Bag Viewer: allows the contents of a DEB to be viewed by the user. It demonstrates all the mechanisms required of DEB analysis applications and how they should interact with the DEB and update the tag file accordingly.
- Selective Imager: allows the logical file structure of a disk to be viewed and the selected files to be captured in a DEB.

DEB experience

The implementations created to date have allowed the concepts presented in this paper to be implemented, albeit in a prototype environment. They have proven that the concept of being able to create a common structure that is capable of containing evidence sourced from both static and real-time environments can be achieved.

In addition to this it is possible to create applications that can maintain continuity of information in a similar fashion to that used in the physical world of evidence preservation outside of the digital environment.

DEB future work

Having created DEBs from various sources, the next phase of the work will be to create more advanced DEB processing and analysis applications. These will not only be able to process the information contained in a DEB but allow distribution of the Evidence Units in a multiprocessor distributed environment. This could be achieved in a similar way to that already implemented (Roussev and Richard, 2004).

The capture process can also be refined further by integration of more intelligence. This can be done by directing the capture process with the aims of the investigation in mind at the outset of the case.

DEBs: enhancing best practice

There is no manual on how to be an investigator, and passing on the knowledge of best practice is very difficult. In the digital world just keeping up with the current technological advances is exceedingly difficult and time consuming.

The DEB approach of recording what applications and processes have been carried out on the evidence, and the sequence those analysis tasks are performed in, as an automated process, allows for the ability to learn the most effective order to undertake tasks. It also allows us to more quickly identify the shortcomings of the current application sets and recognize what additional applications would be most useful in the investigator's toolbox.

Furthermore, this type of mechanism could also assist in the testing and certification of investigators, as it would permit trainees to undertake test cases and automatically record how investigators tackled them.

In addition, this type of approach allows us to bridge the gulf between the digital forensic practitioner and academia by giving the digital forensic world a metric that can be used to show how, where and when evidence was found.

Conclusions

The digital forensic community is in need of a new approach to the way in which the information from digital devices is gathered and processed. The Digital Evidence Bag concept demonstrated in this paper meets both the current and future needs of that community, and is capable of handling the large volumes of data associated with such enquiries.

The following advantages are immediately evident from such an implementation:

- Scalable approach to evidence acquisition;
- Scalable approach to forensic processing, allowing for the first time the digital evidence to be processed across multiprocessor and distributed systems;
- Increased evidential material throughput, directing the most applicable techniques at the appropriate types of evidence;
- Incorporates some of the current evidence capture and analysis methods, thus not negating the financial investment in current tools and methods;
- The ability to process evidence from a diverse range of digital devices;
- Allows the integration of real-time data acquisition into a sound forensic framework;
- Permits a selective and/or intelligent data acquisition approach to be implemented as opposed to the current collect-everything approach;
- The ability to automatically create an audit trail of processes carried out on an item of evidence. The metric from this could allow analysis of the most effective way to process digital evidence and be used to educate new practitioners in the best way to undertake a forensic investigation.

References

Guidance Software Inc. EnCase Legal Journal, <http://www.encase.com/corporate/whitepapers/downloads/LegalJournal.pdf>.

Kornblum Jesse D. The Linux kernel and the forensic acquisition of hard disks with an odd number of sectors. International Journal of Digital Evidence Fall 2004;3(2).

Roussev Vassil, Richard III Golden G. Breaking the performance wall: the case for distributed digital forensics. Department of Computer Science, University of New Orleans, LA 70148; 2004. {vassil, golden}@cs.uno.edu.

Philip Turner has worked at QinetiQ (formerly known as the Defence Evaluation and Research Agency) for 20 years. He originally studied electronics and then moved into the area of information security and computer networking. He graduated from the Cheltenham and Gloucester College of Higher Education with a Bachelor of Science with Honors Degree in Computing and Real-Time Computer Systems in 1995. He is currently studying for a Ph.D. at Oxford Brookes University. He has been working in the field of computer forensics and data recovery for over 7 years as Technical Manager in the Digital Investigation Services, Trusted Information Management department at QinetiQ.