Inside Out

Follow-up paper on the AFF4 evidence container to be presented at the 6th IFIP WG 11.9 International Conference on Digital Forensics

I posted earlier about a new forensic container format being created by myself, Michael Cohen, and Simson Garfinkel. A paper describing the work was presented at DFRWS 2009 by Michael.

Michael and I have recently extended and refined the container format to support describing the provenance of information and data, and more accurate description of evidence characteristics. A paper describing this work, titled “Refining the AFF4 evidence container for provenance and accurate data representation”, has been accepted for presentation at the 6th Annual IFIP WG 11.9 conference on Digital Forensics.

The abstract follows:

It is well acknowledged that there is a pressing need for a general solution to the problem of storage of digital evidence, both in terms of copied bit-stream images and general information which describes the images and surrounding context of the case. In a prior paper, the authors introduced the AFF4 evidence container format, focusing in particular on the description of the efficient and layered bitstream storage architecture, a general approach to representing arbitrary information, and a compositional approach to managing and sharing evidence. In this paper we describe our work refining the representation schemes embodied in the new format, addressing the accurate representation of discontiguous data and description of the provenance of both data and information.