National Center for Forensic Science

The National Center for Forensic Science (NCFS) is a Florida Type II
Research Center hosted by the University of Central Florida

Our current Digital Evidence research projects are described below:

Virtual Digital Evidence Lab (Funded by National Institute of Justice, Program Manager Martin Novak)

Currently, the collection, storage, analysis, and presentation of digital evidence occur in a single geographic location, typically a small digital evidence lab within the jurisdiction where the electronic crime occurred. This is an inefficient model: local and state law enforcement agencies typically, and unnecessarily, duplicate resources that may be available elsewhere. A further problem is that each law enforcement agency must verify and validate its examination tools, a process duplicated by every agency for every tool used in digital forensic examinations.

Digital evidence labs of the future will not be constrained to a specific geographic location. Instead, we propose the concept of the virtual lab. A virtual lab consists of the tools and resources required for digital forensic examinations, but these resources may be located in various geographic locations and administered and maintained by different entities (see Figure 1 below). These locations are connected via a high-speed network. Examiners access the virtual lab through a single portal over the Internet. Examiners can upload evidence for secure storage at one location and analyze it using tools from a second location. Reports could be held at a third location. Prosecutors and attorneys would access the results through the same portal.

The advantages of this new model over the traditional digital evidence lab include:

  1. Reducing or eliminating unnecessary duplication of resources (examination machines, digital forensic tools, terabyte storage, secure storage, etc.)

  2. Reducing or eliminating unnecessary duplication of tasks (verification and validation of all tools in a single location, etc.).

  3. Providing expert assistance through certified digital evidence examiner specialists (e.g., Mac OS X, Solaris, network forensics, etc.).

The largest benefit of virtual labs would be for smaller law enforcement agencies, even more so in rural areas, which often have to decide whether to buy ammunition or computers.

[Figure 1: Virtual Digital Forensics Lab (VDFL) diagram]

Research questions to be addressed include:

  1. Identifying the best methods for authenticating users (examiners, attorneys, prosecutors, etc.) across multiple geographic locations.

  2. Identifying the best methods for securing the transfer of raw and reduced evidence across publicly accessible networks.

  3. Identifying bottlenecks in network communications across disparate networks.

  4. Validation and verification of digital forensics tool suites.

  5. Identifying methods for providing remote assistance to examiners.

  6. Estimating storage and network requirements, and identifying scalability issues.

Understanding Anti-Forensics

The market has seen a flood of new Windows-based software offering to delete files securely and inhibit their recovery by digital forensics programs. Demand for this software has emerged because traditional file deletion does not actually remove the file data from the media, but rather marks the space as available for reuse. While such secure delete programs often erase the actual contents of the file, most leave behind digital artifacts on the file system. This trace evidence can be used by forensic examiners to determine whether a secure delete program was employed, and can also provide additional information about the original file (metadata). This paper examines five different programs currently on the market to discern what trace evidence remains after a secure delete operation is performed.

The programs were examined in a forensically sound environment using a standardized protocol. The results were confirmed using several Windows- and Linux-based forensic programs. Analysis showed that each secure delete program left predictable trace evidence when overwriting a file's contents. These traces varied in prominence, with some more identifiable than others. In addition, some of the programs did not completely erase file metadata, making it possible in certain instances to extract the filename, file size, date created, and date deleted. While these results are promising, they remain preliminary; further testing is needed to determine whether they generalize to other file systems.

[Figure: Residual data left by a secure delete program in $LogFile. Note that the entire contents of the file remained in the $LogFile even though the original contents of the file were deleted by a secure delete program.]
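The check the figure above illustrates, as an added example that is not NCFS code: a search of a raw $LogFile dump for a deleted file's name and original content. The journal bytes, file name and content are constructed; the example assumes the NTFS convention of storing names as UTF-16LE, so it searches both that encoding and plain ASCII.

```python
"""Look for residue of a securely deleted file in a raw NTFS journal dump.

Added illustration, not NCFS code. The $LogFile bytes below are constructed
to mimic a journal that still holds a file's name and original content.
NTFS records file names as UTF-16LE, so an ASCII-only search would miss them.
"""
import re
from typing import Dict, List

# Constructed sample: a fake record header, then the file name as NTFS would
# store it, then the original file content. A real $LogFile is far larger.
DELETED_NAME = "secret.docx"
ORIGINAL_CONTENT = b"Quarterly figures: revenue 4.2M, loss 0.3M"
LOGFILE_SAMPLE = (
    b"RSTR" + b"\x00" * 12
    + DELETED_NAME.encode("utf-16-le")
    + b"\x00" * 8
    + ORIGINAL_CONTENT
    + b"\x00" * 16
)
# Constructed data-run area after a secure delete: the clusters were overwritten.
WIPED_DATA_AREA = b"\x00" * len(ORIGINAL_CONTENT)


def find_residue(blob: bytes, filename: str, content: bytes) -> Dict[str, List[int]]:
    """Return the offsets at which the file name (ASCII and UTF-16LE) and the
    file content occur inside blob."""
    needles = {
        "name_ascii": filename.encode("ascii"),
        "name_utf16": filename.encode("utf-16-le"),
        "content": content,
    }
    return {
        key: [m.start() for m in re.finditer(re.escape(needle), blob)]
        for key, needle in needles.items()
    }


def assess(blob: bytes, filename: str, content: bytes) -> Dict[str, bool]:
    """Summarise what an examiner could still recover from blob."""
    hits = find_residue(blob, filename, content)
    return {
        "name_recoverable": bool(hits["name_ascii"] or hits["name_utf16"]),
        "content_recoverable": bool(hits["content"]),
    }


if __name__ == "__main__":
    print("data area:", assess(WIPED_DATA_AREA, DELETED_NAME, ORIGINAL_CONTENT))
    print("$LogFile :", assess(LOGFILE_SAMPLE, DELETED_NAME, ORIGINAL_CONTENT))
```

Running it shows the wiped data area yields nothing while the journal still gives up both the name and the full content, which is the kind of artifact the examined programs left behind.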



Digital Evidence Markup Language (Funded by National Institute of Justice, Program Manager Martin Novak)

Experts have argued that technologies that allow disparate law enforcement jurisdictions to share crime-related information will greatly facilitate fighting crime. One of these technologies is the Global Justice XML Data Model (GJXDM).

One of its limitations at its current level of development is the lack of a “model,” or a method to model, digital evidence. As a solution the National Center for Forensic Science and the UCF Department of Engineering Technology have proposed the digital evidence markup language (DEML), an extensible plug-in to Global JXDM. Global JXDM is intended to be a data reference model for the exchange of information within the justice and public safety communities (NIJ, 2004). The Global JXDM is a product of the Global Justice Information Sharing Initiative's (Global) Infrastructure and Standards Working Group (ISWG) and was developed by the Global ISWG's XML Structure Task Force (NIJ, 2004).

DEML is a schema based on XML that supports the standardization of digital evidence-related artifacts. Below we provide an overview of DEML. DEML must be built with extensibility and flexibility in mind as technology changes will require consistent and continual changes in the language to appropriately model changes in the technologies used in computer-related crime.

The SWGDE definition of digital evidence was meant to encompass digital artifacts; by definition this excludes certain crime scene-related items that might be important to law enforcement for use in arrests and subsequent prosecutions. For instance, hardware and the processes that a criminal uses, which are relevant to the execution of a crime, are not encompassed by this definition of digital evidence. We feel it is important that any artifact or process that may matter in the arrest and prosecution of a criminal should be able to be modeled using DEML.

We decided to use an object-oriented representation for DEML for two reasons. First, we are modeling real-world artifacts and processes that are composed of objects. For instance, workstations are composed of objects -- motherboards, add-on cards, RAM, storage devices, human interface devices, etc. -- each of which is composed of other objects. This fact allows us to use the object-oriented concepts of composition and aggregation to represent both hardware and digital artifacts.

The second reason for an object-oriented representation is the need to develop and maintain an extensible and flexible schema. New technologies will be developed, and the diversity of technologies will increase. A schema built upon an object-oriented representation will support the modeling of new and diverse technologies simply by developing new classes (for diverse technologies) or by inheritance (inclusion of new technologies built upon old technologies).

We are using a top-down perspective to develop our object-oriented model. Our initial selection included two somewhat independent top-tier objects: hardware and digital artifacts. Using these two superclasses as starting points, we attempted to model digital evidence using UML class diagrams. We used our own interpretation and knowledge of hardware, along with the U.S. Secret Service's "Best Practices for Seizing Electronic Evidence" (Volume 2), to inform the law enforcement interpretation of hardware and digital systems.

The figure below illustrates a digital artifact in object-oriented format using UML class diagrams.

[Figure: UML class diagram, object-oriented representation of a digital artifact]


Mac OS X Forensics

There are few resources that describe a forensic analysis of an Apple Mac computer. We are working to better understand various versions of Mac OS X, and to develop tools and procedures for conducting a forensic examination of an Apple Mac running Mac OS X.


Portable Electronic Device Forensics

In the past five years no other technology has grown more than personal electronic devices (PEDs). PEDs are typically small, handheld mobile devices with embedded computer chips and memory to store personal information, for instance, personal digital assistants (PDAs), cell phones, wrist watches, and so on. Some of these devices are hybrids that perform more than one function; new hybrid cell phones/PDAs, for instance, perform those two functions. These devices generally cause two problems for law enforcement. First, they are often overlooked at the scene of a crime because officers are unaware of their functionality. Second, even when a device is seized, there is no PED-based forensic software or hardware to create a forensically sound copy of its contents, and no software to perform a logical or physical analysis of the device. We are working to develop tools and procedures that will assist law enforcement in the examination of PEDs.


Game Console Forensics

Microsoft's Xbox game console is little more than a low-end computer; with nominal effort it can be modified to run additional operating systems, enabling it to store gigabytes' worth of non-game-related files and to run various computer services. Little has been published, however, on the proper forensic procedures for determining whether an Xbox has been modified and, if so, how to conduct a proper digital forensic investigation. Given the ubiquity of these devices, it will be important to understand how to identify, image, and examine these systems while reducing the potential for making any changes. This paper complements and extends previous work on the forensic analysis of Xboxes running Linux. We approach the topic from an applied research methodology, providing a set of procedures to be followed during the acquisition and subsequent analysis of an Xbox.


Digital Forensic Examiner Proficiency and Competency Tests

Law enforcement investigators and forensic laboratory examiners must be prepared to respond to the increased use of technology by the criminal element. Digital evidence examiners are being called upon to demonstrate their competencies in court and to their own management. These trends in the digital forensics profession have made it necessary for laboratories, police agencies, and corporate investigative practices to find ways to evaluate the capabilities of their personnel, both individually and as a group. In other forensic sciences, proficiency and competency tests have become a standard method of documenting the knowledge, skills, and abilities of forensic examiners at all levels. However, digital forensics is so new that few standards exist that have been tried and tested by the scientific, law enforcement, and judicial communities. The digital forensics profession is in great need of evaluation and assessment tools that will bring this newest forensic science into the ranks of universally accepted laboratory examination specialties.
© 2012 UCF, College of Sciences (COS), NCFS