23.02.14 - 28.02.14, Seminar 14092

Digital Evidence and Forensic Readiness

This seminar description was published on our web pages before the seminar and was used in the invitation to the seminar.

Motivation

This Dagstuhl seminar is planned as a unique, targeted event that will provide the space for interdisciplinary discussions on clearly defined critical aspects of engineering issues, evaluation and processes for secure digital evidence and forensic readiness. A large gap exists between the state-of-the-art in IT security and best-practice procedures for digital evidence. Experts from IT and law will use this seminar to develop a common view on what exactly can be considered as secure and admissible digital evidence. It will also explore possible technical solutions. Example scenarios include log data in IT networks, images for mass-storage, cloud computing, interception of digital communications, and others.

In addition to sessions with all participants, the participants will be split into groups to discuss approximately five aspects. The outcome of these working sessions will then be used in the general discussion to work on a common understanding of the topic. The results of the seminar should lead to new technological developments as well as to new legal views on these points and to a change of organizational measures using ICT. Finally, it is also expected that open issues and research topics will be identified. The results of the discussions will be documented in the form of a White Paper on digital evidence.

One possible definition for Secure Digital Evidence was proposed by Rudolph et al. at the Eighth Annual IFIP WG 11.9 International Conference on Digital Forensics 2012. It states that a data record can be considered secure if it was created authentically by a device for which the following holds:

  • The device is physically protected to ensure at least tamper-evidence.
  • The data record is securely bound to the identity and status of the device (including running software and configuration) and to all other relevant parameters (such as time, temperature, location, users involved, etc.).
  • The data record has not been changed after creation.

Digital Evidence according to this definition comprises the measured value and additional information on the state of the measurement device. This additional information aims to document the operating environment, providing evidence that can help to lay the foundation for admissibility. The definition will provide one basis of discussion at the seminar and will be compared with other approaches to forensic readiness.

Additional relevant aspects occur in the forensic readiness of mobile devices, cloud computing and services. Such scenarios are already very frequent but will come to full force in the near future. The topics of the interdisciplinary workshop-sessions will be finalized during the first day of the seminar. Possible topics include mobile forensic readiness, investigative forensics, forensic readiness from a legal perspective, forensic readiness and certification, forensic readiness in industrial production processes, forensic readiness in cloud scenarios, and innovative aspects for forensic readiness and digital evidence.

The interdisciplinary Dagstuhl seminar on digital evidence and forensic readiness has the potential to provide valuable input to the future discussion of various types of evidence, and it will build the basis for acceptable and sound rules for the assessment of digital evidence.