Dagstuhl-Seminar 14092
Digital Evidence and Forensic Readiness
(Feb 23 – Feb 28, 2014)
Organizers
- Glenn S. Dardick (Longwood University - Farmville, US)
- Barbara Endicott-Popovsky (University of Washington - Seattle, US)
- Pavel Gladyshev (University College Dublin, IE)
- Thomas Kemmerich (Gjøvik University College, NO)
- Carsten Rudolph (Fraunhofer SIT - Darmstadt, DE)
Contact
- Annette Beyer (for administrative matters)
Impacts
- Exploring the Space of Digital Evidence : Position Paper : article in LNCS 9722 - Rudolph, Carsten - Berlin : Springer, 2016 - (Lecture notes in computer science ; 9722 : article).
- From IT forensics to forensic computing : special issue : pp. 337-393 - Freiling, Felix C. - Berlin : de Gruyter, 2015 - (Information technology : 57. 2015, 6).
This Dagstuhl seminar is planned as a unique, targeted event that will provide the space for interdisciplinary discussions on clearly defined critical aspects of engineering issues, evaluation and processes for secure digital evidence and forensic readiness. A large gap exists between the state-of-the-art in IT security and best-practice procedures for digital evidence. Experts from IT and law will use this seminar to develop a common view on what exactly can be considered as secure and admissible digital evidence. It will also explore possible technical solutions. Example scenarios include log data in IT networks, images for mass-storage, cloud computing, interception of digital communications, and others.
In addition to sessions with all participants, the participants will be split into smaller groups to discuss approximately five aspects. The outcome of these working sessions will then be used in the general discussion to work on a common understanding of the topic. The results of the seminar should lead to new technological developments as well as to new legal views on these points and to a change of organizational measures using ICT. Finally, it is also expected that open issues and research topics will be identified. The results of the discussions will be documented in the form of a White Paper on digital evidence.
One possible definition for Secure Digital Evidence was proposed by Rudolph et al. at the Eighth Annual IFIP WG 11.9 International Conference on Digital Forensics 2012. It states that a data record can be considered secure if it was created authentically by a device for which the following holds:
- The device is physically protected to ensure at least tamper-evidence.
- The data record is securely bound to the identity and status of the device (including running software and configuration) and to all other relevant parameters (such as time, temperature, location, users involved, etc.).
- The data record has not been changed after creation.
Digital Evidence according to this definition comprises the measured value and additional information on the state of the measurement device. This additional information on the state of the measurement device aims to document the operation environment providing evidence that can help to lay the foundation for admissibility. The definition will provide one basis of discussion at the seminar and will be compared with other approaches to forensic readiness.
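The following added example (not from the seminar or the cited paper) shows one way to represent the three properties of the definition above: a record carries the measured value together with the device identity, hashes of its running software and configuration, and context parameters, and it is sealed so that any later change is detected. The device key, device identifier and sample values are constructed; a real device would hold the key in tamper-evident hardware and use an asymmetric signature rather than the symmetric HMAC used here for simplicity.

```python
import hashlib
import hmac
import json

# Constructed example key; in practice a device-bound key in tamper-evident hardware.
DEVICE_KEY = b"constructed-device-key-not-for-production"
DEVICE_ID = "sensor-0042"  # hypothetical device identity


def device_status(firmware: bytes, config: bytes) -> dict:
    """Identity plus hashes of the running software and configuration."""
    return {
        "device_id": DEVICE_ID,
        "firmware_sha256": hashlib.sha256(firmware).hexdigest(),
        "config_sha256": hashlib.sha256(config).hexdigest(),
    }


def _canonical(body: dict) -> bytes:
    # Deterministic encoding so the same body always yields the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def create_record(measurement, firmware, config, timestamp, location, key=DEVICE_KEY):
    """Bind the measured value to device status and context, then seal the whole record."""
    body = {
        "measurement": measurement,
        "status": device_status(firmware, config),
        "context": {"time": timestamp, "location": location},
    }
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_record(record: dict, key=DEVICE_KEY) -> bool:
    """True only if the record was sealed with the device key and is unchanged since creation."""
    expected = hmac.new(key, _canonical(record["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["tag"])


def tamper_check():
    """Show that altering the value or the recorded device status is detected."""
    rec = create_record(21.5, b"fw-v1.2", b"sampling=1s", 1393200000, "lab-A")
    altered_value = json.loads(json.dumps(rec))
    altered_value["body"]["measurement"] = 19.0
    altered_status = json.loads(json.dumps(rec))
    altered_status["body"]["status"]["firmware_sha256"] = "0" * 64
    return verify_record(rec), verify_record(altered_value), verify_record(altered_status)
```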
Additional relevant aspects occur in the forensic readiness of mobile devices, cloud computing and services. Such scenarios are already very frequent but will come to full force in the near future. The topics of the interdisciplinary workshop-sessions will be finalized during the first day of the seminar. Possible topics include mobile forensic readiness, investigative forensics, forensic readiness from a legal perspective, forensic readiness and certification, forensic readiness in industrial production processes, forensic readiness in cloud scenarios, and innovative aspects for forensic readiness and digital evidence.
The interdisciplinary Dagstuhl seminar on digital evidence and forensic readiness has the potential to provide valuable input to the discussion on the future of various types of evidence, and it will build the basis for acceptable and sound rules for the assessment of digital evidence.
This summary briefly recapitulates the outcomes of our seminar on digital evidence and forensic readiness. The main focus of the seminar was to work on a common cross-discipline understanding of notions of digital evidence and forensic readiness. In particular, technical notions in the view of IT security experts and the legal view were considered. Furthermore, relevance of differences in jurisdictions in different countries was also discussed.
The participants of the seminar came from 4 continents (Europe, U.S., Africa and Australia) and 12 countries. The group was a mix of experts from digital forensics, IT security, cyber security, archival sciences, criminal law, civil law, and cyber law. Thus, all relevant disciplines for digital evidence and forensic readiness were represented in the seminar, creating a perfect group for the task, but also a challenging communication environment that required good leadership in the interaction and discussions.
The main focus of the seminar was to develop a common view on what exactly can be considered secure and admissible digital evidence. The seminar was a first attempt to achieve progress towards this goal and therefore, a comprehensive coverage of the topic was not to be expected. Nevertheless, the international interest in the topic as well as the intensive discussions in the seminar show the relevance of the topic. The results of the seminar identify open issues in the area of digital forensics, but also propose first substantial steps in the direction of establishing strong and internationally useful notions for digital evidence and forensic readiness.
Initial talks and discussions quickly revealed some of the major challenges:
- The growing variety of types of potential digital evidence makes it harder to define clear technical guidelines for the collection and evaluation of data records for forensic use. Examples include mobile devices, data stored and processed via cloud services, huge infrastructures with distributed data, or big data with many possible interpretations of the data found.
- In many cases, digital evidence cannot be directly related to data on one device. In particular in cloud environments, stored data is distributed over different countries and digital processes easily cross borders. Thus, digital evidence becomes a cross-jurisdictional issue that needs rules on how to deal with differences and contradictions in jurisdiction.
- Teaching and education is another challenge. One cannot expect all lawyers, attorneys, or judges to become experts on technical issues. However, a basic understanding of the area of digital evidence is essential to be able to decide if expert witnesses are required and also to be able to achieve correct interpretations of the reports by expert witnesses.
- Forensic readiness can guide the development of systems that collect, store, and provide secure digital evidence. However, the applicability of forensically ready technical solutions is restricted by privacy and economic constraints. Here, processes need to be defined and adequate procedures and regulations (also internationally) need to be found.
Four discussion groups were formed in the seminar to discuss digital forensic readiness processes and procedures for investigators, notions of digital evidence, a forensic readiness landscape, and forensic readiness: evidence in a digital world. More details of the results of the discussions in the working groups can be found in the sections below.
One of the major results of the seminar is that all participants understood and agreed on the need to initiate future research activities in the area of digital evidence and forensic readiness. The results also clearly show that this research must be international and inter-disciplinary. Furthermore, the seminar has proven that technically oriented IT security experts and experts from law can co-operate to advance the state of the art. The seminar has established new inter-disciplinary and international contacts that are suitable to build a new community that will drive this strand of work in the field of forensic readiness.
Participants
- Aaron Alva (University of Washington - Seattle, US)
- Carsten Bormann (Universität Bremen, DE)
- Joseph Cannataci (University of Malta, MT)
- Raymond Choo (University of South Australia - Mawson Lakes, AU)
- Glenn S. Dardick (Longwood University - Farmville, US)
- Günther Diederich (ifib - Bremen, DE)
- Jos Dumortier (KU Leuven, BE)
- Barbara Endicott-Popovsky (University of Washington - Seattle, US)
- Katrin Y. Franke (Gjøvik University College, NO)
- Felix Freiling (Universität Erlangen-Nürnberg, DE)
- Stefanie Gerdes (Universität Bremen, DE)
- Pavel Gladyshev (University College Dublin, IE)
- Babak Habibnia (University College Dublin, IE)
- Nils-Peter Hercher (Nagel Schlösser Rechtsanwälte - Hannover, DE)
- Florian Junge (Universität Bremen, DE)
- Thomas Kemmerich (Gjøvik University College, NO)
- Nicolai Kuntze (Fraunhofer SIT - Darmstadt, DE)
- David Manz (Pacific Northwest National Lab. - Richland, US)
- Christian Moch (Universität Erlangen-Nürnberg, DE)
- Carsten Momsen (Leibniz Universität Hannover, DE)
- Heiko Patzlaff (Siemens AG - München, DE)
- Corinne Rogers (InterPARES Trust - Vancouver, CA)
- Carsten Rudolph (Fraunhofer SIT - Darmstadt, DE)
- Viola Schmid (TU Darmstadt, DE)
- Isabel Taylor (Universität Tübingen, DE)
- Lee Tobin (University College Dublin, IE)
- Hein Venter (University of Pretoria, ZA)
- Rhythm Suren Wadhwa (Gjøvik University College, NO)
- Nigel Wilson (University of Adelaide, AU)
- Stephen Wolthusen (Royal Holloway University of London, GB & Gjovik University College, NO)
Classification
- security / cryptology
- society / human-computer interaction
Keywords
- Digital evidence
- Forensic readiness
- Mobile forensic
- Trusted computing
- Cyber-Law