
A New Design and Implementation of Digital Evidence Container for Triage and Effective Investigation  

Lim, Kyung-Soo (Cyber Security-Convergence Research Laboratory, Electronics and Telecommunication Research Institute)
Lee, Chang-Hoon (Dept. of Computer Engineering, Seoul National University of Science and Technology)
Lee, Sang-In (Cyber Security-Convergence Research Laboratory, Electronics and Telecommunication Research Institute)
Abstract
Law enforcement agencies worldwide confiscate or retain computer systems involved in a criminal or civil case, if there are any, at the preliminary investigation stage, even when the case does not involve a cyber-crime. They collect digital evidence from the suspect's systems and use it in the essential investigation procedure. Collecting, duplicating and analyzing disk images takes much time, however, in general crime cases, especially in cases that demand a rapid response such as kidnapping and murder. In enterprise forensics, moreover, it is impossible to acquire and duplicate the hard disk drives of mass storage servers, database servers and cloud environments. It is therefore efficient and effective to selectively collect only traces of user activity on the operating system, or particular files, with a focus on triage investigation. On the other hand, when we acquire essential digital evidence from a target computer, it is not forensically sound to collect just the files. We need a standard digital evidence container for evidence from various sources in order to prove the integrity and probative value of the evidence. In this article, we describe a new digital evidence container, which we call Xebeg, that can easily and selectively preserve collected digital evidence using general technologies such as XML and PKZIP compression, and that satisfies generality, integrity, unification, scalability and security.
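The abstract's core ingredients, selected files packed into a PKZIP archive with an XML manifest so integrity can be proven later, as an added illustration that is not the paper's Xebeg code: the manifest layout, the member names and the sample files are my own assumptions, and the verify step shows how a post-collection modification is detected.

```python
"""Added example, not the paper's Xebeg implementation: a minimal evidence
container built from the abstract's ingredients (XML manifest + PKZIP archive)
with per-item SHA-256 hashes. The manifest layout is assumed, not the Xebeg format."""
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample "collected evidence": source path -> bytes. These stand in
# for selectively collected artifacts (registry hives, prefetch files, ...).
SAMPLE_FILES = {
    "C:/Users/alice/NTUSER.DAT": b"constructed registry hive bytes",
    "C:/Users/alice/AppData/Local/prefetch/NOTEPAD.EXE.pf": b"constructed prefetch",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_container(files: dict, case_id: str) -> bytes:
    """Pack each file plus an XML manifest (source path, size, SHA-256) into a zip."""
    root = ET.Element("evidence", case=case_id,
                      created=datetime.now(timezone.utc).isoformat())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for idx, (path, data) in enumerate(files.items()):
            member = f"items/{idx}"          # archive member name (assumed scheme)
            zf.writestr(member, data)
            ET.SubElement(root, "item", member=member, source=path,
                          size=str(len(data)), sha256=sha256(data))
        zf.writestr("manifest.xml", ET.tostring(root, encoding="utf-8"))
    return buf.getvalue()

def verify_container(blob: bytes) -> list:
    """Rehash every member against the manifest; return [(source path, ok), ...]."""
    results = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        root = ET.fromstring(zf.read("manifest.xml"))
        for item in root.findall("item"):
            data = zf.read(item.get("member"))
            ok = (sha256(data) == item.get("sha256")
                  and len(data) == int(item.get("size")))
            results.append((item.get("source"), ok))
    return results

def tamper(blob: bytes, member: str, new_data: bytes) -> bytes:
    """Rewrite one member, simulating a post-collection change, to exercise verify."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(blob)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            dst.writestr(info.filename,
                         new_data if info.filename == member else src.read(info.filename))
    return out.getvalue()
```

The hashes only detect modification of the items; a real container also has to protect the manifest itself (a signature or an externally recorded manifest hash), otherwise an adversary who rewrites an item can rewrite its hash too.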
Keywords
Digital Forensics; Digital Evidence Container; Evidence Management; Triage Investigation;