Digital evidence

About: Digital evidence is a research topic. Over the lifetime, 1621 publications have been published within this topic receiving 18476 citations.

Embedding Hercule Poirot in networks: addressing inefficiencies in digital forensic investigations

Abstract: Forensic investigations on networks are not scalable in terms of time and money [1]. Those investigations that do occur consume months of attention from the very experts who should be investing in more productive activities, like designing and improving network performance [1]. Given these circumstances, organizations often must select which cases to pursue, ignoring many that could be prosecuted, if time allowed. Recognizing the exponential growth in the number of crimes that employ computers and networks that become subject to digital evidence procedures, researchers and practitioners, alike, have called for embedding forensics-essentially integrating the cognitive skills of a detective into the network [2, 3, 4]. The premise is that the level of effort required to document incidents can thus be reduced, significantly. This paper introduces what technical factors might reflect those detecting skills, leading to solutions that could offset the inefficiencies of current practice.

Implementing Chain of Custody Requirements in Database Audit Records for Forensic Purposes

Abstract: During forensic database investigations, audit records become a crucial evidential element; particularly, when certain events can be attributed to insider activity. However, traditional reactive forensic methods may not be suitable, urging the adoption of proactive approaches that can be used to ensure accountability through audit records whilst satisfying Chain of Custody (CoC) requirements for forensic purposes. In this paper, role segregation, evidence provenance, event timeliness and causality are considered as CoC requirements in order to implement a forensically ready architecture for the proactive generation, collection and preservation of database audit records that can be used as digital evidence for the investigation of insider activity. Our proposal implements triggers and stored procedures as forensic routines in order to build a vector-clock-based timeline for explaining causality in transactional events recorded in audit tables. We expect to encourage further work in the field of proactive digital forensics and forensic readiness; in particular, for justifying admissibility of audit records under CoC restrictions.

The Value of Metadata in Digital Forensics

Abstract: Metadata is not visible when viewing data in a number of forms such as a word document or an image. It is, however, an important consideration in the discovery of information for use in digital forensic investigations. Different types of documents and files have a number of formats and types of metadata, which can be used to discover the properties of a file, document or network activity. Moreover, Metadata is useful in many circumstances, where it can provide collaboration evidence of between groups of people, because some of them are not aware of which type of information is stored within their document. Thus, the digital forensics investigator can access to this hidden document information. In legal cases, the identification of relevant digital evidence is crucial for supporting the case, verification and an examination existing legal argument forms. In this work, we show how to use the different formats and types of metadata in order to validate the legal argument for relevant evidence.