WO2006126006A1 - Digital evidence bag - Google Patents
- Publication number
- WO2006126006A1 (PCT/GB2006/001942)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- evidence
- data
- file
- digital
- files
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q10/00—Administration; Management
- G06Q10/10—Office automation; Time management
Definitions
- the present invention relates to apparatus, methods, data structures, and programs for computers for digital evidence gathering, tracking, and analysis and systems incorporating the same.
- the tag also contains sections for continuity purposes that can be signed when other people take custody of the item. This is used to provide continuity and assure provenance of the item from the time the item was seized to the time the item is used as evidence in court, restored to the owner, or destroyed.
- This individual wrapping also permits various articles to be distributed between the various specialist laboratories that can process that item. For example some items may require fingerprint analysis, others may require DNA analysis, whilst others may just require interpretation of their contents by the investigating officer.
- forensic data capture involves copying a complete digital image of a digital medium (e.g. computer hard disc) as a single digital image, which must subsequently be analysed as a single entity by analysis tools.
- the 'dd' raw file capture contains no method of attaching details such as the date and time of capture, the person performing the capture process, or any mechanism to help assure the integrity of what has been captured. These features can be generated after the capture but usually require additional actions of the person carrying out the process as separate distinct functions.
- the system described in the EnCase® Legal Journal system provides a system in which digital evidence 1 can be downloaded into an evidence file 10.
- the data may optionally be compressed for space efficiency, provided that the compression algorithm preserves all the detail of the original data.
- CRC digits are appended to individual sectors throughout the binary dump, and stored as separate blocks 11 scattered throughout the file. These check digits provide the means of confirming that individual blocks have been neither tampered with nor accidentally corrupted.
- An MD5 hash 121 of the whole binary image is also stored in a footer component 12 of the evidence file so as to provide further data integrity checks to protect against corruption or tampering.
- each EnCase Evidence file also comprises a header section 13 containing custody information: for example the identity of the examined computer, date and time of evidence image capture, identity of investigator making the image, etc, along with an MD5 hash value for the captured data at the time of acquisition.
- This provenance information cannot however be modified from within the EnCase software, and therefore cannot be used to track subsequent changes of custody or analyses performed upon the evidence file.
- the provenance information is designed solely to represent provenance at the moment of data capture.
- the Encase system embeds data other than that from the original source (e.g. header 13, footer 12, and CRC check digits 11) within the evidence files 10, it is in general impractical to apply other COTS analysis tools to those evidential files since they are not designed to take account of such proprietary file structurings. Instead it is recommended that investigators first restore a physical device from the EnCase image and then apply the other analysis tools to that image. This process is potentially highly time consuming and also, by extracting the image data from within the Evidence file, potentially breaks the provenance chain from the original.
- Patent application US 2004/0260733 A1 discloses techniques for allowing a user to remotely interrogate a target computing device in order to collect and analyze computer evidence which may be stored on the target computing device.
- Patent application EP 0 893 763 A1 discloses systems for verifying and authenticating the integrity of data copied from computer memories. It employs hash values calculated over individual blocks of copied data, the hash values being encrypted and stored on external media (e.g. floppy disk).
- a method of capturing digital data comprising the steps of: copying digital data from a data source into one or more evidence files; for each evidence file recording data descriptive of at least one of the source and the contents of the digital data in the evidence file; recording, in a tag file, data indicative of provenance of the digital data in the one or more evidence files.
- the digital data may be copied into a plurality of evidence files.
- the digital data may be selectively copied from the source (i.e. not all the data from the given source need be copied into any given evidence file.)
- the data descriptive of one of the source and contents of the digital data may be stored in an index file distinct from the evidence file.
- a distinct index file may be created for each evidence file.
- the data descriptive of one of the source and contents of the digital data may comprise a digital fingerprint of the digital data.
- the tag file may comprise a digital fingerprint of at least one of the evidence files.
- the tag file may comprise a description of the format of the data descriptive of one of the source and contents of the digital data.
- the data source may be a data storage medium (or other static data medium)
- the data source may be a data transmission medium (or other dynamic data medium).
- multiple indications of provenance are associated with at least one given item of the digital data in the one or more evidence files.
- a program for a computer having respective code portions and data structures to perform the steps of the methods of other aspects of the invention.
- apparatus for capturing digital data comprising: means for copying digital data from a data source into one or more evidence files; for each evidence file, means for recording data descriptive of at least one of the source and the contents of the digital data in the evidence file; means arranged to record, in a tag file, data indicative of provenance of the digital data in the one or more evidence files.
- a data structure for capturing digital data comprising: at least one evidence file for containing digital data copied from a data source; at least one index file containing data descriptive of at least one of the source and contents of the digital data in the at least one evidence files; a tag file containing data indicative of provenance of the digital data in the at least one evidence files.
- a method of accessing a data structure comprising the steps of: identifying one or more evidence files to be accessed; recording details of the evidence file access in the tag file of the data structure; recording a new integrity check value in the tag file, responsive to the contents of the tag file including the newly-recorded details of the evidence file access.
- the details of the evidence file access may comprise at least one of: identification of the application performing the evidence file access; identification of the user requesting evidence file access; identification of the time of evidence file access;
- the integrity check may be a digital fingerprint, for example one of a CRC digits, an MD5 hash, and a SHA hash.
- apparatus for accessing a data structure comprising: means for identifying one or more evidence files to be accessed; means for recording details of the evidence file access in the tag file of the data structure; means for recording a new integrity check value in the tag file, responsive to the contents of the tag file including the newly-recorded details of the evidence file access.
- a method of updating a data structure comprising the steps of: accessing the data structure to extract evidential data contained within it; processing evidential data extracted from the data structure to create a new evidence file and corresponding index file; adding the new evidence file and index file to the existing data structure; appending continuity information to the tag file of the data structure indicative of the addition of the new evidence file and index file.
- apparatus for updating a data structure comprising: means for accessing the data structure to extract evidential data contained within it; means for processing evidential data extracted from the data structure to create a new evidence file and corresponding index file; means for adding the new evidence file and index file to the existing data structure; means for appending continuity information to the tag file of the data structure indicative of the addition of the new evidence file and index file.
- use of a common format for capturing digital data/evidence of disparate types and sizes facilitates tracking of provenance of such digital evidence whilst also facilitating efficient and selective analysis of the data by disparate analysis methods and tools.
- Such analysis may also be conducted concurrently on copies of the evidential data whose provenance from the original data can be tracked and verified.
- the invention also provides for systems for the purposes of digital data/evidence capture and analysis which comprise one or more instances of apparatus embodying the present invention, together with other additional apparatus.
- the invention also provides for computer software in a machine-readable form and arranged, in operation, to carry out every function of the apparatus and/or methods.
- Figure 1 shows a schematic diagram of a prior art digital evidence data structure
- Figure 2 shows a schematic diagram of a digital evidence data structure in accordance with the present invention
- Figure 3 shows a schematic diagram of a tag file update method according to the present invention
- Figure 4 shows an example of a tag file in accordance with the present invention.
- a Digital Evidence Bag (DEB) 20 is a structured wrapper for any type of digitally based evidence or information.
- a DEB may have arbitrarily large capacity, subject of course to the physical limits of the storage media available to carry it.
- a DEB may store information that could be captured either in a static environment (for example an image of a magnetic or optical storage medium) or in a real-time environment (for example a record of digital traffic over a communications medium).
- a DEB comprises a tag file 21 and one or more evidence units (EU) 22a, 22b.
- Each evidence unit in turn comprises index information 221 and a unit of digital evidence 222.
- index information and the digital evidence itself are preferably contained in separate files (an index file and an evidence file) as illustrated, the index information could alternatively be stored in the same file as the digital evidence, for example as a recognisable file header.
- each evidence file contains its own tag information complete with integrity assurance information.
- DEB's allow digital information of almost any size and from any source to be stored in a forensically sound manner. Furthermore the model allows evidence stored in DEB's to be distributed to different applications which may also perform different tasks upon the contents of those evidence files. This approach also allows application independence, and permits applications which perform the same task - albeit in a different manner (e.g. alternate keyword search algorithms) - to work on the same evidence, potentially concurrently.
- the tag file 21 is preferably a plain text file, though it is possible that other more complex file formats may be employed (for example Microsoft Word format).
- the tag file contains descriptive details of the evidence units contained within the DEB of which it forms part.
- the information contained in the tag file is analogous to that which might be found on a physical tag attached to physical evidence when it is seized, and may for example comprise one or more of the following, or similar, items:
- the tag file may therefore also be used to record the provenance of information in the DEB and to provide a continuity record of the information contained within the DEB.
- the tag file in a DEB can also be used to record when a DEB analysis application accesses the DEB and also to record which analyses have been performed on any EU in the DEB.
- the tag file 21a may also comprise:
- integrity checks 42, 44 e.g. CRC digits or hash
- integrity checks 41, 43 e.g. CRC digits or hash
- a tag seal integrity check (e.g. hash number) 31 comprising a hash of the tag file to date.
- the tag file 21a may also comprise one or more Tag Continuity Blocks (TCB) 32.
- a TCB is appended (or otherwise added) to the tag file 21 b each time an application performs a function on the DEB as a whole or performs a function on one or more EU's within the DEB.
- the TCB's may capture some or all of the following or similar DEB access data: the date and time 46, version 47, application ID 47, application signature (hash) 49, and function 50 of the application that has been applied to the DEB or EU.
- a new tag seal hash number 321 is also appended, calculated over the updated contents of the tag file 21b including the preceding contents of the newly-appended TCB 32 and any previously recorded tag seal hash numbers 31 previously present in the tag file.
- Meta Tag structure 51 used within the DEB header.
- the structure definition comprises a series of Meta Tags (MT). The MTs are used to define both sequence of fields and content type of the index. The index in turn holds information relating to the contents of the bag.
- Meta tag definitions include, but are not limited to:
- <Fa> File Attributes (e.g. System, Read, Archive, Hidden)
- <Ds> Data source (PDA) - RAM, ROM, Database (User C
- <Tacc> Timestamp - accessed
- <Temo> Timestamp Entry modified (NTFS)
- <Dpin> Device PIN, security access code, password
- index file formats become, for example, common or standard abbreviations may of course be introduced for brevity.
- index format 51 applicable to all EU's within the DEB is illustrated in Figure 4, clearly the index format details may be defined on a per-index file basis.
- Each index file is a tab-delimited plain text file (though other formats may be used), containing a list detailing the contents of the corresponding evidence file.
- the index file may contain details such as a list of filenames, folder paths, and timestamp information relating to the contents of the digital information in the corresponding evidence file. It may contain details of a physical device from which the evidence was extracted, for example the make, model, and serial number of the device captured.
- the exact format and structure of the index file is reflected in the tag information in the tag file 21.
- the tag information therefore provides to analysis tools an indication of the structure within the various evidence units since, unlike known systems, the individual evidence units may exhibit different structure.
- the evidence files contain the actual evidential data/information itself.
- the contents of these evidence files may be, but is not limited to, raw binary information (e.g. from a raw device capture as in known systems), files (e.g. from logical volume acquisition), structured binary information (e.g. from network protocol packet capture), or categorized files (e.g. one evidence file containing all text files, another containing all Microsoft Word documents, or another containing all JPEG graphics files, etc.).
- Creating one evidence file per evidence source file acquired (e.g. one JPEG file into one evidence file) is also an option. Whilst this may lead to very large tag files, it may be appropriate where individual files may be of particular evidential interest.
- DEB application programs may be provided which update the tag file so that its contents reflect the history of operations performed on the evidence files. Such information would include the date and time the application was applied to the evidence unit, and an application signature so that it is known what category of application and what version of application was used. The DEB application should also update the tag seal number.
- DEB capture applications: These are used to create the DEB from any type of digital source whether it be static disk capture, PDA capture, mobile telephone capture or live network packet capture to name but a few. The importance of this is that all these various digital processes can store evidence in a common data structure in the form of a DEB, as described above.
- DEB analysis applications: These are used to perform an operation on an already created DEB.
- the type of operations that may be undertaken include, but are not limited to, keyword searches, hash analysis, graphical image analysis and characterisation, password cracking, log file analysis etc.
- a log may be kept in the tag file of the function that was performed on the evidence. This provides an audit trail of the date, time, type of task, version of DEB analysis application that was used.
- the current dumb approach to image capture i.e. start from the beginning of the media and capture everything until the end
- imagers that operate in a more intelligent or selective manner.
- an imager could capture all files of one particular type to one DEB and another type to another DEB.
- the imager could be more 'intelligent' and target specific information for example a forensic triage could be carried out just capturing system configuration information thus allowing the investigator the opportunity to discover the operating capability that a system possessed.
- an imager could capture specific types of files to a DEB.
- DEB format and structure is such that it can be used with existing applications run from a 'wrapper' application. This permits existing applications to be used immediately with no, or minimal, modification but with the additional benefits of information assurance, integrity and continuity provided by the DEB data structure and methods.
- The ability of a DEB or EU to hold entirely one type of information allows the whole digital case to be divided between systems, applications or processes that can handle that category of information. Extending this further allows DEB's or EU's to be distributed across a range of systems in a multitasking and/or multiprocessing environment to applications that are best suited to deal with that category of information. This would allow a forensic controller the ability to distribute DEB's or EU's to worker (client) applications safe in the knowledge that those workers would update the DEB continuity information showing what process or function was carried out on that evidence.
- Another feature of the DEB concept is the ability to maintain continuity information and to be able to show the provenance of the information contained within the DEB. Coupled with this is the requirement to both maintain and assure the integrity of the evidence within the DEB.
- A practical approach to introducing and utilizing DEBs is to employ an extensible format definition which can develop over time and may therefore be enhanced to meet future requirements.
- early implementations of the DEB approach might use it as a 'wrapper' for current forensic tools and applications. This has an immediate benefit that experience can be gained in using and applying DEB format with the tools that are commonly used and accepted today.
- this type of mechanism could also assist in the testing and certification of investigators, as it would permit trainees to undertake test cases and record how investigators tackled them.
- Partial or selective data copying may be considered as an alternative to capturing the whole image when it may not be practical to acquire everything. Such partial copying is known as "selective imaging".
- One reason for applying a selective approach is the quantity of information that may have to be acquired. Other reasons for performing a selective acquisition may include but are not limited to forensic triage, intelligence gathering, and legal requirements. There may be legal reasons why a selective approach should be adopted, for example a case involving Legal Professional Privilege (LPP) material. Adopting a selective approach has certain risks associated with it, but this in no way means the evidence should not be gathered in any less scientific or rigorous manner.
- Manual Selective Imaging is where a forensic investigator chooses exactly which files are captured. For example, the investigator can use an interface similar to that of a file browser and is able to navigate the directory tree and choose which files to acquire.
- Semi-automatic selective imaging is where a forensic investigator decides which file types or categories of information to capture. This may be based on file extension, file signature, or file hash, or some other definable criteria. When using a selective approach based on file hashes it is important to record which files are present and their provenance, even though the contents of each file may not be captured. It is also prudent to record referential hash set information.
- Automatic selective imaging is where an investigator selects the source and destination devices and the imager automatically acquires the evidence. This is accomplished in a selective manner according to pre-configured parameters or the particular circumstances pertaining to the case / investigation.
- Provenance indications are preferably unique, unambiguous, concise, and repeatable. Each method meets these criteria in different ways, dependent upon the technical knowledge of the person trying to understand it. For example the general public, a judge, or a legal professional is likely to be more familiar with the concept of a folder location than a more technical concept such as absolute location or cluster reference. These other 'more technical' provenance descriptions may only complicate matters by introducing more technical vocabulary which in practice detracts from and obscures the real information that is to be presented. In an ideal world all relevant provenential descriptions would be captured though in practice this may not be practical. Nevertheless it is considered desirable to be able to capture multiple indications of provenance associated with any given evidence, rather than be restricted to capturing only one in each case.
- Secondary Provenential Key Logical cluster locations within a volume with the addition of an offset from the beginning of the physical device
- DEB containing one or more other DEBs that is, the content type of a DEB may also itself be a DEB.
- This ability to encapsulate DEBs within DEBs permits a parallel approach to be taken to the acquisition process, thus combining the acquired evidence into one entity for analysis.
- One example of this would be the simultaneous acquisition of data from distinct disks making up a RAID set: each disk may be captured, potentially concurrently, in a separate DEB and these DEBs in turn encapsulated in a further DEB.
- Other examples in which data may be concurrently or hierarchically gathered into DEBs will be apparent to the skilled person.
- DEBs also support the duplication of either all or selected information from a given source DEB whereby to create another DEB, together with an audit trail showing the provenance of the copied information.
- the audit trail may be shown both in the tag field of the originating DEB from which the new DEB is created and in the tag field of the new DEB itself.
- the original DEB will contain an indication that an application has extracted certain information, whilst the new DEB will contain an indication of where the information contained in it came from.
- DEBs may of course be stored on or transmitted via any form of digital medium including, but not limited to, optical, magnetic and wireless media.
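The tag seal and Tag Continuity Block passages above describe a plain-text tag file in which every access appends a TCB followed by a new seal computed over everything already in the file, earlier seals included. The sketch below is an added example, not code from the patent: the line labels, the field layout and the use of SHA-256 as the "SHA hash" are assumptions, and the evidence bytes are constructed sample data.

```python
import hashlib

# Line labels are assumptions for this sketch; the patent's Figure 4 layout is not reproduced here.
SEAL = "Tag Seal Number: "
EU = "Evidence Unit: "


def fingerprint(data: bytes) -> str:
    """Digital fingerprint; SHA-256 is chosen here as one possible SHA hash."""
    return hashlib.sha256(data).hexdigest()


def create_tag(deb_ref: str, evidence: dict) -> str:
    """Initial tag: one fingerprint line per evidence unit, closed by the first seal."""
    body = f"DEB Reference: {deb_ref}\n"
    for name in sorted(evidence):
        body += f"{EU}{name}\tHash: {fingerprint(evidence[name])}\n"
    return body + SEAL + fingerprint(body.encode()) + "\n"


def append_tcb(tag, when, app_id, version, app_signature, function) -> str:
    """Append a Tag Continuity Block, then a new seal over the whole updated tag."""
    fields = (when, app_id, version, app_signature, function)
    if any("\n" in f or "\r" in f for f in fields):
        # A line break inside a field could smuggle a forged seal line into the tag.
        raise ValueError("TCB fields must be single-line")
    block = (
        f"TCB Date/Time: {when}\n"
        f"TCB Application ID: {app_id}\n"
        f"TCB Version: {version}\n"
        f"TCB Application Signature: {app_signature}\n"
        f"TCB Function: {function}\n"
    )
    updated = tag + block
    return updated + SEAL + fingerprint(updated.encode()) + "\n"


def verify_tag(tag: str) -> list:
    """Recompute every seal over the text before it; return (line, problem) pairs."""
    problems, seen = [], ""
    lines = tag.splitlines(keepends=True)
    for number, line in enumerate(lines, start=1):
        if line.startswith(SEAL):
            if line[len(SEAL):].strip() != fingerprint(seen.encode()):
                problems.append((number, "seal mismatch"))
        seen += line  # each later seal also covers the earlier seal lines
    if not lines or not lines[-1].startswith(SEAL):
        problems.append((len(lines), "content after last seal"))
    return problems


def verify_evidence(tag: str, evidence: dict) -> list:
    """Return names of evidence units whose bytes no longer match the tag."""
    recorded = {}
    for line in tag.splitlines():
        if line.startswith(EU):
            name, _, digest = line[len(EU):].partition("\tHash: ")
            recorded[name] = digest
    return sorted(
        n for n in recorded
        if n not in evidence or fingerprint(evidence[n]) != recorded[n]
    )


if __name__ == "__main__":
    units = {"eu001.bag": b"constructed sample bytes"}  # constructed sample input
    tag = create_tag("DEB-0001", units)
    tag = append_tcb(tag, "2006-05-26T10:00:00Z", "keyword-search", "1.0",
                     "ab" * 32, "keyword search on eu001")
    print(tag)
    print("intact tag:", verify_tag(tag))
    edited = tag.replace("keyword search", "hash analysis")
    print("edited TCB:", verify_tag(edited))
```

Because the seals are unkeyed hashes, anyone able to rewrite the whole tag file can recompute every seal, and dropping the last TCB together with its seal leaves a tag that still verifies. Detecting those cases needs a signature or an independently held copy of the latest seal.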
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CA002609469A CA2609469A1 (en) | 2005-05-27 | 2006-05-26 | Digital evidence bag |
JP2008512923A JP2008542865A (en) | 2005-05-27 | 2006-05-26 | Digital proof bag |
AU2006250921A AU2006250921A1 (en) | 2005-05-27 | 2006-05-26 | Digital evidence bag |
EP06744010A EP1891483A1 (en) | 2005-05-27 | 2006-05-26 | Digital evidence bag |
US11/915,602 US20080195543A1 (en) | 2005-05-27 | 2006-05-26 | Digital Evidence Bag |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GBGB0510878.2A GB0510878D0 (en) | 2005-05-27 | 2005-05-27 | Digital evidence bag |
GB0510878.2 | 2005-05-27 | ||
GB0607489.2 | 2006-04-13 | ||
GBGB0607489.2A GB0607489D0 (en) | 2005-05-27 | 2006-04-13 | Digital evidence bag |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2006126006A1 (en) | 2006-11-30 |
Family
ID=36646153
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/GB2006/001942 WO2006126006A1 (en) | 2005-05-27 | 2006-05-26 | Digital evidence bag |
Country Status (4)
Country | Link |
---|---|
EP (1) | EP1891483A1 (en) |
AU (1) | AU2006250921A1 (en) |
CA (1) | CA2609469A1 (en) |
WO (1) | WO2006126006A1 (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP0893763A1 (en) * | 1997-07-25 | 1999-01-27 | Computer Forensics Limited | Integrity verification and authentication of copies of computer data |
GB2376389A (en) * | 2001-06-04 | 2002-12-11 | Hewlett Packard Co | Packaging evidence for long term validation |
US20040006588A1 (en) * | 2002-07-08 | 2004-01-08 | Jessen John H. | System and method for collecting electronic evidence data |
US20040260733A1 (en) * | 2003-06-23 | 2004-12-23 | Adelstein Frank N. | Remote collection of computer forensic evidence |
-
2006
- 2006-05-26 AU AU2006250921A patent/AU2006250921A1/en not_active Abandoned
- 2006-05-26 CA CA002609469A patent/CA2609469A1/en not_active Abandoned
- 2006-05-26 EP EP06744010A patent/EP1891483A1/en not_active Withdrawn
- 2006-05-26 WO PCT/GB2006/001942 patent/WO2006126006A1/en not_active Application Discontinuation
Non-Patent Citations (1)
Title |
---|
HOSMER, G. ; GORDON, G. ; SIEDSMA, C. ; HOSMER, J.: "SI-FI (Synthesizing Information from Forensic Investigations)", 2002, National Technical Information Service, XP002390560, Retrieved from the Internet <URL:http://stinet.dtic.mil/cgi-bin/GetTRDoc?AD=ADA402491&Location=U2&doc=GetTRDoc.pdf> [retrieved on 20060714] * |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB2470198A (en) * | 2009-05-13 | 2010-11-17 | Evidence Talks Ltd | Digital forensics using a control pod with a clean evidence store |
US10440033B2 (en) | 2017-03-16 | 2019-10-08 | Sap Se | Data storage system file integrity check |
US20230004945A1 (en) * | 2020-05-14 | 2023-01-05 | Recyclego Inc | Systems and methods for facilitating generation of a carbon offset based on processing of a recyclable item |
US11710106B2 (en) * | 2020-05-14 | 2023-07-25 | Recycle Go Inc. | Systems and methods for facilitating generation of a carbon offset based on processing of a recyclable item |
Also Published As
Publication number | Publication date |
---|---|
AU2006250921A1 (en) | 2006-11-30 |
AU2006250921A8 (en) | 2008-02-21 |
EP1891483A1 (en) | 2008-02-27 |
CA2609469A1 (en) | 2006-11-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20080195543A1 (en) | Digital Evidence Bag | |
US7644138B2 (en) | Forensics tool for examination and recovery and computer data | |
US7640323B2 (en) | Forensics tool for examination and recovery of computer data | |
US8656095B2 (en) | Digital forensic acquisition kit and methods of use thereof | |
US20050210054A1 (en) | Information management system | |
US20060259516A1 (en) | Nondisruptive method for encoding file meta-data into a file name | |
JP4901880B2 (en) | Encoding device, decoding device, methods thereof, program of the method, and recording medium recording the program | |
US20080282355A1 (en) | Document container data structure and methods thereof | |
US20050219076A1 (en) | Information management system | |
Mikus et al. | An analysis of disc carving techniques | |
CN112685436B (en) | Tracing information processing method and device | |
WO2007067425A2 (en) | Forensics tool for examination and recovery of computer data | |
Garfinkel et al. | Advanced forensic format: an open extensible format for disk imaging | |
Barrera-Gomez et al. | Walk This Way: Detailed Steps for Transferring Born-Digital Content from Media You Can Read In-House. | |
WO2006126006A1 (en) | Digital evidence bag | |
Pahade et al. | A survey on multimedia file carving | |
US9465858B2 (en) | Systems and methods for authenticating and aiding in indexing of and searching for electronic files | |
US9098730B2 (en) | System and method for preserving electronically stored information | |
Scanlon et al. | Digital evidence bag selection for P2P network investigation | |
Shayau et al. | Digital forensics investigation reduction model (DIFReM) framework for Windows 10 OS | |
Quick et al. | Digital forensic data reduction by selective imaging | |
Prem et al. | Disk memory forensics: Analysis of memory forensics frameworks flow | |
US8265428B2 (en) | Method and apparatus for detection of data in a data store | |
Kim et al. | Digital forensics formats: seeking a digital preservation storage container format for web archiving | |
Hama et al. | Data reduction-refining the sieve |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| WWE | Wipo information: entry into national phase | Ref document number: 2006250921 Country of ref document: AU Ref document number: 2609469 Country of ref document: CA |
| WWE | Wipo information: entry into national phase | Ref document number: 2008512923 Country of ref document: JP |
| WWE | Wipo information: entry into national phase | Ref document number: 11915602 Country of ref document: US |
| NENP | Non-entry into the national phase | Ref country code: DE |
| WWW | Wipo information: withdrawn in national office | Ref document number: DE |
| REEP | Request for entry into the european phase | Ref document number: 2006744010 Country of ref document: EP |
| WWE | Wipo information: entry into national phase | Ref document number: 2006744010 Country of ref document: EP |
| ENP | Entry into the national phase | Ref document number: 2006250921 Country of ref document: AU Date of ref document: 20060526 Kind code of ref document: A |
| WWP | Wipo information: published in national office | Ref document number: 2006250921 Country of ref document: AU |
| NENP | Non-entry into the national phase | Ref country code: RU |
| WWW | Wipo information: withdrawn in national office | Ref document number: RU |
| WWP | Wipo information: published in national office | Ref document number: 2006744010 Country of ref document: EP |