WP5 EVIDENCE Workshop during DFRWS EU 2016 Annual Conference

The annual DFRWS conference allows leading digital forensics researchers from government, industry, and academia to present their work and results to fellow researchers and practitioners. Many of the most cited digital forensics papers have been presented at DFRWS and the annual challenge has spawned research in important areas. Initial results and tool prototypes are also presented during the Works in Progress and demo sessions.

The third annual DFRWS EU conference was held from March 29 to 31, 2016 in Lausanne, Switzerland.

During the first day of the conference, the EVIDENCE project organized an “Evidence Exchange between Courts in Europe: a Standard Proposal to be Discussed” Workshop logically divided into three parts. The first part served as an introductory lecture covering the standard proposal with some examples and analysis over possible extensions. The second part covered the technical perspective and issues and presented the technical solution with a hands-on demo session, while the third part of the workshop was dedicated to the discussion on weaknesses and strengths of the proposed solutions, possible improvements and the way forward: collaboration, practical solution, implementation synergies involving participants.

The objectives of the workshop were the following:

  • Validate the adequacy of the proposed standards (DFAX/CybOX/UCO) for the representation of data and metadata involved in a digital evidence exchange, including the whole evidence life-cycle (from chain of custody to the output of a forensics analysis).
  • Identify how the proposed standards (DFAX/CybOX/UCO) may have to be adapted to improve the Electronic Evidence exchange, for instance:
    • By complementing CybOX with additional elements specific to forensic analysis
    • By providing a library of forensic actions
  • Identify which technical solutions may be more suitable for improving the exchange of electronic evidence in terms of efficiency, reliability and trust.
  • Review how a software proof of concept implements the DFAX standard and evaluate how it facilitates an efficient, reliable and trusted exchange of electronic evidence.

The EVIDENCE WP5 Proof of Concept Application (in draft version), developed to facilitate evidence exchange with chain of custody by using the DFAX/CybOX formalisms, was presented. The main functionality offered by the PoC application is:

  • Creating and managing the case flow document, allowing Actions performed by the forensic expert or other actors to be added.
  • Supporting the addition of Actions that do not involve any interaction with forensic tools (e.g. searching, seizing, transferring actions, etc.) along with the related Provenance Records.
  • Capturing the data and metadata of each Action performed using forensic tools, including: Description, Time, Place, Forensic Tool used; Provenance Record as Input and/or Output; the Observables related to that Output.
  • Storing the information as a DFAX document and allowing documents to be searched, imported and shared with access control.

Forensic tools produce some parts of the case flow information in various formats. The PoC application is intended to support converting this information to the proposed format by means of software libraries and importing it into the PoC DFAX document. Such libraries could be used internally by a forensic tool, as a plugin, or as an external tool. The development of software connectors producing output that follows the DFAX/CybOX/UCO standards can be explored by the EVIDENCE project for a limited set of tools to serve as examples, for instance:

  • an acquisition tool, such as Guymager, which is available in most Linux distributions and produces a plain text output; and
  • some analysis tools, like Autopsy or Plaso.