Exploring the space of digital evidence: Position paper

    Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

    Abstract

    Digital evidence is much more than what is acquired during forensic investigations. In particular when building systems that are supposed to provide secure digital evidence it is necessary to clearly define requirements. Various work on forensic evidence provides different sets of such requirements. Also ISO standardization work is concerned with forensic evidence. However, currently there is no full overview of the different relevant areas for digital evidence that can be used for guidance in the requirement phase of system engineering. Furthermore, a rigorous specification of requirements for digital evidence is missing. Formal methods have been applied to security protocols and other types of requirements, but not to describe the various requirements of digital evidence. One approach towards defining the available space for digital evidence suggests three dimensions. First, and most obviously, is the time when data is collected, processed, retained and correlated for potential forensic use. This dimension includes data collected at run-time, data collected for particular transactions, in case of deviations, for incidents, “postmortem” forensic investigations, and the digitization of evidence for court procedures. The second dimension describes the goal for which digital evidence is produced. This can be either for showing compliance, i.e. for proving that somebody was not responsible for some incident or for showing malicious events that happened and to find who did what. Finally, the third dimension consists of the actual information to be documented. Examples are the documentation of the normal system behaviour, compliance information, accidents, safety issues, malicious behaviour, identity information and various relevant parameters. 
A formal framework for security requirements that was developed for security requirements engineering is one promising candidate to derive a precise characterization of requirements for digital evidence in the different areas of the available evidence space. This paper is a position paper to drive the discussion and development in forensic readiness and security of digital evidence.

    Original language: English
    Title of host publication: Information Security and Privacy
    Subtitle of host publication: 21st Australasian Conference, ACISP 2016, Melbourne, VIC, Australia, July 4–6, 2016, Proceedings, Part I
    Editors: Joseph K. Liu, Ron Steinfeld
    Place of Publication: Switzerland
    Publisher: Springer
    Pages: 249-262
    Number of pages: 14
    ISBN (Electronic): 9783319402536
    ISBN (Print): 9783319402529
    DOI: https://doi.org/10.1007/978-3-319-40253-6_15
    Publication status: Published - 30 Jun 2016
    Event: Australasian Conference on Information Security and Privacy 2016 - Melbourne, Australia
    Duration: 4 Jul 2016 to 6 Jul 2016
    Conference number: 21

    Publication series

    Name: Lecture Notes in Computer Science
    Publisher: Springer
    Volume: 9722
    ISSN (Print): 0302-9743
    ISSN (Electronic): 1611-3349

    Conference

    Conference: Australasian Conference on Information Security and Privacy 2016
    Abbreviated title: ACISP 2016
    Country: Australia
    City: Melbourne
    Period: 4/07/16 to 6/07/16

    Keywords

    • Forensic readiness
    • Secure digital evidence
    • Security engineering
    • Formal methods

    Cite this

    Rudolph, C. (2016). Exploring the space of digital evidence: Position paper. In J. K. Liu, & R. Steinfeld (Eds.), Information Security and Privacy: 21st Australasian Conference, ACISP 2016, Melbourne, VIC, Australia, July 4–6, 2016, Proceedings, Part I (pp. 249-262). (Lecture Notes in Computer Science; Vol. 9722). Switzerland: Springer. https://doi.org/10.1007/978-3-319-40253-6_15