
Expediting the Digital Forensic Process through a Deduplicated Framework

Authors:

Abstract

In this age of big data, the sheer volume of cases anticipated to be encountered by digital evidence investigators is set to increase into the foreseeable future. Digital evidence backlogs have become commonplace in local, national and international police forces throughout the globe. These backlogs often reach two years and can exceed four years in the extreme. Addressing this backlog is crucial to ensure efficient investigation and prosecution. One promising solution is to redefine the traditional digital evidence processing model by moving much of the processing to a cloud-based environment.
In this age of big data, the sheer volume of cases anticipated to be encountered by digital evidence investigators is set to increase into the foreseeable future. Digital evidence backlogs have become commonplace in local, national and international police forces throughout the globe. These backlogs often reach two years and can exceed four years in the extreme [1]. Addressing this backlog is crucial to ensure efficient investigation and prosecution. One promising solution is to redefine the traditional digital evidence processing model by moving much of the processing to a cloud-based environment.
:/'-%#%*"'1 5/*4)&& 3*-)1& &5)4%+6 '"23,)/ *+ '/-2*2& &#)5& +*/ -%(%#'1 +*/)"&%4
%"0)&#%('#%*" %"412-%"( %-)"#%+%4'#%*". '4C2%&%#%*" '"- &#*/'(). '"'16&%&. '"-
/)5*/#%"( =D?7 8%(%#'1 E*/)"&%4& '& 'F)/0%4) G8E''FH%& '/)4)"# -)0)1*53)"# 4'5',1)
*+ ,)%"( %"#)(/'#)- ;%#$ #$) )<%&#%"( -%(%#'1 +*/)"&%4 5/*4)&& 3*-)1& 1)0)/'(%"( #$)
1*;B4*&#. '1;'6&B*" "'#2/) *+ 41*2- #)4$"*1*(%)&7:$%& /)&)'/4$ '%3& #* -)&%(" '"-
%351)3)"# '41*2-B,'&)- -)-251%4'#)- -%(%#'1 +*/)"&%4 &6&#)3 #* %35/*0) #$)
*0)/'11 )++%4%)"46 *+ #$) -%(%#'1 +*/)"&%4 %"0)&#%('#%*" 5/*4)&&7
Introduction

Digital Evidence Acquisition Methodology
Data deduplication is a data compression technique which aims to reduce the requirements of storage space and the network bandwidth during the data transmission. The premise behind data deduplication is outlined in Figure 1.
School of Computer Science, University College Dublin, Ireland.
xiaoyu.du@ucdconnect.ie, mark.scanlon@ucd.ie
Xiaoyu Du, Mark Scanlon
Expediting the Digital Forensic Process through a Deduplicated Framework
DFaaS is currently in the early stages of implementation for police forces, with the largest operational system being implemented in the Netherlands [3, 4]. This implementation applies automated processing techniques to gather and process evidence. Its aim is to speed up the investigation by providing case detectives with access to query the evidence without needing to wait for expert manual analysis.
Figure 2. Digital Forensics as a Service
The artefact data acquisition step includes: 1) collecting all files, with their metadata stored in the database; 2) slack space and unallocated space where data might remain in the file system. For each device seized in an investigation, every bit of the original data will be copied and transferred to the cloud. The database stores the image acquisition information and the artefacts' metadata, and each artefact is stored only once on the system.
During the process of disk image reconstruction, a disk staging area is first created with the same size as the acquisition. Each artefact, one by one, is written to the precise location in this staging area at which it was discovered in the original disk image. For the unallocated space, its position on the disk is treated as a set of continuous blocks, and it is treated like any other artefact in the database. Of course, an artefact might not be saved in a continuous stream on the disk, e.g., due to file fragmentation. As such, the starting offset and the length of each fragment are stored in the database, and for reconstruction, each file fragment is written to its corresponding location in the disk staging area.
As shown in Figure 3, the client can read each artefact and its metadata from the suspect drive, calculate the artefact's hash value, and then send this information to the cloud-based system. The system can then check the database to see if the file already exists, and if not, can send an artefact request to the client. In the database, information is stored for each artefact encountered, its metadata for each time it is found, and acquisition-specific metadata later used to ensure forensically sound reconstruction.
Data Deduplication and DFaaS
Figure 3. Digital Evidence Acquisition
The cloud-based nature of this system can facilitate numerous additional benefits [2]:
Intelligent Forensics - Manual expert evidence analysis and categorisation can be used for training machine-learning-based automated processing.
Resourcing - Digital Forensics as a Service can offer sufficient storage space and powerful computing resources in an affordable manner.
Information Sharing - Detectives, investigators, and expert analysts can work together in parallel on a case, and their analysis can be shared across cases.
Efficient Management - Easier management of both hardware and software resources, ensuring the availability of the latest techniques to each investigation.
Figure 1. Data Deduplication
Conclusion
References
Acknowledgements...
DFaaS can provide a suite of benefits over traditional digital forensic process models. While combining cloud technologies with digital forensics is currently in its infancy [3], the existing service-based forensic system, XIRAF, which has been implemented in the Netherlands, shows great promise for this technique [3, 4]. This research will continue building the techniques and tools needed for a more intelligent cloud-based system for digital forensic processing, expediting the acquisition, analysis and reporting steps of the traditional process.
[1] Scanlon M. Battling the Digital Forensic Backlog through Data Deduplication. In: Proceedings of the 6th IEEE International Conference on Innovative Computing Technologies (INTECH 2016), Dublin, Ireland, 2016.
[2] Du X, Le-Khac NA, Scanlon M. Evaluation of Digital Forensic Process Models with Respect to Digital Forensics as a Service. 16th European Conference on Cyber Warfare and Security (ECCWS 2017), Dublin, Ireland, 2017.
[3] van Baar R, van Beek H, van Eijk E. Digital Forensics as a Service: A Game Changer. Digital Investigation 2014;11:S54–S62.
[4] van Beek H, van Eijk E, van Baar R, Ugen M, Bodde J, Siemelink A. Digital Forensics as a Service: Game On. Digital Investigation 2015;15:20–38.
This work is funded by the School of Computer Science, University College Dublin.
Digital forensic science is very much still in its infancy, but is becoming increasingly invaluable to investigators. A popular area for research is seeking a standard methodology to make the digital forensic process accurate, robust, and efficient. The first digital forensic process model proposed contains four steps: Acquisition, Identification, Evaluation and Admission. Since then, numerous process models have been proposed to explain the steps of identifying, acquiring, analysing, storage, and reporting on the evidence obtained from various digital devices. In recent years, an increasing number of more sophisticated process models have been proposed. These models attempt to speed up the entire investigative process or solve various of problems commonly encountered in the forensic investigation. In the last decade, cloud computing has emerged as a disruptive technological concept, and most leading enterprises such as IBM, Amazon, Google, and Microsoft have set up their own cloud-based services. In the field of digital forensic investigation, moving to a cloud-based evidence processing model would be extremely beneficial and preliminary attempts have been made in its implementation. Moving towards a Digital Forensics as a Service model would not only expedite the investigative process, but can also result in significant cost savings – freeing up digital forensic experts and law enforcement personnel to progress their caseload. This paper aims to evaluate the applicability of existing digital forensic process models and analyse how each of these might apply to a cloud-based evidence processing paradigm.
In recent years, technology has become truly pervasive in everyday life. Technological advancement can be found in many facets of life, including personal computers, mobile devices, wearables, cloud services, video gaming, web-powered messaging, social media, Internet-connected devices, etc. This technological influence has resulted in these technologies being employed by criminals to conduct a range of crimes – both online and offline. Both the number of cases requiring digital forensic analysis and the sheer volume of information to be processed in each case has increased rapidly in recent years. As a result, the requirement for digital forensic investigation has ballooned, and law enforcement agencies throughout the world are scrambling to address this demand. While more and more members of law enforcement are being trained to perform the required investigations, the supply is not keeping up with the demand. Current digital forensic techniques are arduously time-consuming and require a significant amount of man power to execute. This paper discusses a novel solution to combat the digital forensic backlog. This solution leverages a deduplication-based paradigm to eliminate the reacquisition, redundant storage, and reanalysis of previously processed data.
  • R Van Baar
  • H Van Beek
  • E Van Eijk
van Baar R, van Beek H, van Eijk E. Digital Forensics as a Service: A Game Changer. Digital Investigation 2014;11:S54-S62.
  • H Van Beek
  • E Van Eijk
  • R Van Baar
  • M Ugen
  • J Bodde
  • A Siemelink
van Beek H, van Eijk E, van Baar R, Ugen M, Bodde J, Siemelink A. Digital Forensics as a Service: Game On. Digital Investigation 2015;15:20-38.