An open architecture for digital evidence integration
Schatz, Bradley & Clark, Andrew J. (2006) An open architecture for digital evidence integration. In Clark, Andrew J., McPherson, Mark, & Mohay, George M. (Eds.) AusCERT Asia Pacific Information Technology Security Conference : Refereed R&D Stream, 21-26 May 2006, Gold Coast, Queensland.
Recently the need for “digital evidence bags” – a common storage format for digital evidence – has been identified as a key requirement for enabling inter-organisational sharing of digital evidence, and interoperability between forensic analysis tools. Recent work has described an ontology based approach to correlation of event log based evidence, using semantic web technologies for describing and representing event log based digital evidence. In this paper we apply the representational approach to the integration of metadata related to digital evidence, and propose a globally unique identification scheme for digital evidence and related metadata. We relate the representational approach to the digital evidence bags concept identifying a number of shortcomings. We propose an alternative architecture for digital evidence bags, which we call the sealed digital evidence bags architecture. This approach treats bags as immutable objects, and facilitates the building of a corpus of digital evidence by composition and referencing between evidence bags. This architecture facilitates modular forensic tool development and interoperability between forensics tools.
Impact and interest:
Citation counts are sourced monthly from and citation databases.
Citations counts from theindexing service can be viewed at the linked Google Scholar™ search.
Full-text downloads displays the total number of times this work’s files (e.g., a PDF) have been downloaded from QUT ePrints as well as the number of downloads in the previous 365 days. The count includes downloads for all files if a work has more than one.
|Item Type:||Conference Paper|
|Keywords:||digital forensics, computer forensics, digital evidence, evidence integration|
|Subjects:||Australian and New Zealand Standard Research Classification > INFORMATION AND COMPUTING SCIENCES (080000) > COMPUTER SOFTWARE (080300) > Computer System Security (080303)|
|Divisions:||Past > QUT Faculties & Divisions > Faculty of Science and Technology
Past > Institutes > Information Security Institute
|Copyright Owner:||Copyright 2006 [please consult the authors]|
|Deposited On:||14 Jun 2009 23:43|
|Last Modified:||29 Feb 2012 13:18|
Repository Staff Only: item control page