FIA: An Open Forensic Integration Architecture for Composing Digital Evidence

Conference paper: Forensics in Telecommunications, Information and Multimedia (e-Forensics 2009)

Abstract

The analysis and value of digital evidence in an investigation has been a subject of discourse in the digital forensic community for several years. While many works have considered different approaches to modelling digital evidence, a comprehensive understanding of the process of merging the different evidence items recovered during a forensic analysis is still a distant goal. With the advent of modern technologies, proactive measures are integral to keeping abreast of all forms of cybercrime and attack. This paper motivates the need to formalize the process of analyzing digital evidence from multiple sources simultaneously. We present the forensic integration architecture (FIA), which provides a framework for abstracting evidence-source and storage-format information away from digital evidence and explores the concept of integrating evidence information from multiple sources. FIA identifies evidence information from multiple sources, enabling an investigator to build theories to reconstruct the past. FIA is hierarchically composed of multiple layers and adopts a technology-independent approach. It is also open and extensible, making it simple to adapt to technological change. We present a case study using a hypothetical car theft case to demonstrate the concepts and illustrate the value the architecture brings to the field.

The original version of this chapter was revised: The copyright line was incorrect. This has been corrected. The Erratum to this chapter is available at DOI: 10.1007/978-3-642-02312-5_25



Copyright information

© 2009 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Raghavan, S., Clark, A., Mohay, G. (2009). FIA: An Open Forensic Integration Architecture for Composing Digital Evidence. In: Sorell, M. (ed.) Forensics in Telecommunications, Information and Multimedia. e-Forensics 2009. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 8. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-02312-5_10

  • DOI: https://doi.org/10.1007/978-3-642-02312-5_10

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-02311-8

  • Online ISBN: 978-3-642-02312-5

  • eBook Packages: Computer Science (R0)