Forensic applications of analog memory: the digital evidence bag

Abstract

Digital evidence is electronic data that \has the potential to make the factual account of either party more probable or less probable than it would be without the evidence" [1]. We consider digital evidence stored on a physical memory device, collected in the fi eld and transported to a lab where the digital content is stored and analyzed. Digital Forensics is the area of study that deals with the science behind this process, as well as establishing best practices and legal requirements. The core aspects of digital forensics are preserving evidence integrity and the chain of custody during the handling and storage of the evidence [2]. In this thesis, we look specifi cally at digital evidence where only digital data is collected (such as forensic photography), as opposed to digital evidence that also includes the storage medium (such as seized mobile phones). We review the existing procedures used for collecting and transporting evidence and explore how these processes could be improved to better suit this kind of digital evidence. The fi eld of Information Security deals with providing con fidentiality and integrity of data, along with authentication and non-repudiation of both data and entities [3]. This is a widely researched and well developed area with many commercial applications, the most well known being internet security. We review and categorize the existing technologies used in information security into four avenues of approach based upon the fundamental security concepts of each: cryptography, widely witnessed, hardware security and exploitation of manufacturing defects. Many information security systems incorporate several of these approaches which leads to the overall security of the system being improved. The aims of Digital Forensics and Information Security are similar, however the processes and systems used are very different. This partly reflects that digital forensics is usually subject to a greater level of legal scrutiny, but it also highlights that there are potentially opportunities to improve the processes and systems used. Hence we develop the concept of a \digital evidence bag" (DEB), a device for the secure transport of digital evidence that has the same requirements as physical evidence bags: tamper-evident, unforgeable and clean. To achieve these requirements through technological solutions, we look at technology used in Information Security along with traditional forensic processes and explore how they can be adapted to create a DEB. Given the nature of digital data, it is easy to produce exact copies and edit the data with- out loss of quality. From a forensics point of view, this strips out a lot of the imperfections that are usually exploited in the traditional forensic processes. However the technology used to build digital memory is still inherently analog and has non-ideal characteristics, which are usually obfuscated in the digital application space. We show how these characteristics can be exploited to achieve the DEB requirements. We explore how a digital fi ngerprint for conventional digital memory could be used to meet the requirements of the DEB. We also propose a DEB based on analog memory cells which offers a novel method to meet the requirements.