INSIDE

DFRWS Projects:

DFRWS CDESF Working Group

The need to easily share digital evidence between different organizations and analysis tools is increasing as crimes and security incidents involve a diverse range of digital devices and administrative domains. Converting between proprietary formats may result in incorrect data, missing metadata, and lost productivity. There is a need for a standard format for storing and transmitting digital evidence and its associated metadata. A standard format would have the following benefits:

  • Digital evidence can be effortlessly imported into multiple analysis tools thereby reducing the time needed to convert formats or use a format that carries no metadata or integrity information.
  • Metadata are stored with the digital evidence thereby reducing the possibility of introducing errors while converting storage formats and losing information because it is stored in multiple locations (including different storage formats files, proprietary case files, and notebooks).

A standard format would decrease the time needed to complete an investigation, increase the amount of information available to the investigator, and increase the reliability of the evidence.

A standard digital evidence storage format will be analogous to the evidence bags used at physical crime scenes, where the evidence is placed in the bag and the outside of the bag has related information in a standard language, such as the acquisition location and time written in English. The current state of digital evidence storage formats is similar to having no bag, bags with information written in different languages, or bags with different types of locking mechanisms.

Scope

The purpose of the Common Digital Evidence Storage Format (CDESF) working group is to define an open data format that can store both digital evidence and related metadata. For example, the CDESF could contain a bit-wise image of a hard disk as well as the location from where the image was made, a digital photograph of the hard disk, the name of the person who made the image, and the case number. A different instance of the CDESF could contain a contraband file along with the unique identifier of the hard disk image from which it was extracted, the name of the investigator, and its original file name path. Another instance of the CDESF could contain only the metadata for a hard disk bit-wise image and a pointer to a second file where the actual hard disk image is stored in a raw format.

Documents

Current Status

Although this topic is important to digital forensics, this group was disbanded in August 2007 because DFRWS did not have the resources required to achieve the goals of the group. If you are interested in creating a DFRWS working group to again focus on this problem, please see the requirements.

©2001-2016 DFRWS   |   dfrws [at] dfrws [dot] org  

DFRWS is a US 501(c)(3) non-profit organization.