DEX: Digital Evidence Provenance Supporting Reproducibility and Comparison. Brian Neil Levine and Marc Liberatore. In Proc. of DFRWS Annual Conference, August 2009. [pdf]
The current standard and open formats for forensic data describe
whole disk and memory image properties, but do not describe the
products of detailed investigations. In this project, we propose a
simple canonical description of digital evidence provenance that
explicitly states the set of tools and transformations that led from
acquired raw data to the resulting product. Our format, called Digital
Evidence Exchange (DEX), is independent of the forensic tool that
discovered the evidence, which has a number of advantages. Using a DEX
description and the raw image file, evidence can be reproduced by other
tools with the same functionality. Additionally, DEX descriptions can
identify differences between two separate investigations of the same raw
evidence. Finally, as a standard product of tools, DEX can allow
quick fabrication of tool chains either as best-of-breed amalgams or
for tool testing. We have implemented DEX as an open source library.
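To make the idea concrete, here is an added example (not the DEX library's own format or API) of a minimal, tool-independent provenance chain: each step records which tool ran, with what arguments, and the hashes of its input and output, so a chain can be verified against the raw image and two investigations of the same image can be compared step by step. The image bytes, tool names, versions and argument lists are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, fields

@dataclass(frozen=True)
class Step:
    """One transformation: which tool ran, with what arguments, on what input."""
    tool: str
    version: str
    args: tuple
    input_sha256: str
    output_sha256: str

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def record_step(tool, version, args, transform, data):
    """Run a transformation and return (output, provenance step describing it)."""
    out = transform(data)
    return out, Step(tool, version, tuple(args), sha256(data), sha256(out))

def verify_chain(raw, steps):
    """Chain is intact only if each step consumed exactly the previous output."""
    expected = sha256(raw)
    for step in steps:
        if step.input_sha256 != expected:
            return False
        expected = step.output_sha256
    return True

def diff_chains(a, b):
    """First divergence between two chains: (index, differing fields) or None."""
    for i, (x, y) in enumerate(zip(a, b)):
        changed = [f.name for f in fields(Step) if getattr(x, f.name) != getattr(y, f.name)]
        if changed:
            return i, changed
    return None if len(a) == len(b) else (min(len(a), len(b)), ["length"])

# Constructed stand-in for a raw disk image: a header followed by two "partitions".
RAW_IMAGE = b"HDR" + b"P1:" + b"alpha.jpg-data" + b"P2:" + b"beta.jpg-data"

def carve(offset, length):
    """Hypothetical slice transform standing in for a tool such as mmls or icat."""
    return lambda data: data[offset:offset + length]

def investigate(part_offset):
    """Hypothetical investigation: carve a partition, then carve a file from it."""
    part, s1 = record_step("mmls", "3.2", ["offset", part_offset], carve(part_offset, 17), RAW_IMAGE)
    file_, s2 = record_step("icat", "3.2", ["offset", 3], carve(3, 14), part)
    return file_, [s1, s2]

FILE_A, CHAIN_A = investigate(3)   # first investigation: partition at byte 3
FILE_B, CHAIN_B = investigate(20)  # second investigation: partition at byte 20
```

Given RAW_IMAGE and CHAIN_A, another tool with the same functionality can rerun the two carves and check that its output hashes match; diff_chains(CHAIN_A, CHAIN_B) points at the first step where the two investigations diverged and which recorded fields differ.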
The DEX source code is available in tar.bz2 or zip archive format.
DEX is written in Java and is released under a BSD-like license. Currently, we provide a core library and wrappers for
fdisk, mmls, istat, icat, exiftool, and JHead. We welcome your comments and feedback!
This work was supported in part by National Science Foundation award DUE-0830876 and in part by National Institute of Justice Award 2008-CE-CX-K005.