On the Network Performance of Digital Evidence Acquisition of Small Scale Devices Over Public Networks

Irvin Homem, Spyridon Dosis


While cybercrime proliferates – becoming more complex and surreptitious on the Internet – the tools and techniques used in performing digital investigations are still largely lagging behind, effectively slowing down law enforcement agencies at large. Real-time remote acquisition of digital evidence over the Internet is still an elusive ideal in the combat against cybercrime. In this paper we briefly describe the architecture of a comprehensive proactive digital investigation system that is termed as the Live Evidence Information Aggregator (LEIA). This system aims at collecting digital evidence from potentially any device in real time over the Internet. Particular focus is made on the importance of the efficiency of the network communication in the evidence acquisition phase, in order to retrieve potentially evidentiary information remotely and with immediacy. Through a proof of concept implementation, we demonstrate the live, remote evidence capturing capabilities of such a system on small scale devices, highlighting the necessity for better throughput envisioned through the use of Peer-to-Peer overlays.


Digital Forensics, Digital Evidence, Remote acquisition, Proactive forensics, Mobile devices, P2P, Network performance

Full Text:



Alink, W., Bhoedjang, R. a. F., Boncz, P. a., & de Vries, A. P. (2006). XIRAF – XML-based indexing and querying for digital forensics. Digital Investigation, 3, 50–58. doi:10.1016/j.diin.2006.06.016

Almulhem, A., & Traore, I. (2005). Experience with Engineering a Network Forensics System. Proceedings of the 2005 international conference on Information Networking. Convergence in Broadband and Mobile Networking (pp. 62–71). Korea: Springer Berlin Heidelberg.

Case, A., Cristina, A., Marziale, L., Richard, G. G., & Roussev, V. (2008). FACE: Automated digital evidence discovery and correlation. Digital Investigation, 5, S65–S75. doi:10.1016/j.diin.2008.05.008

CDESF Working Group. (2006). Standardizing digital evidence storage. Communications of the ACM. doi:10.1145/1113034.1113071

Cohen, B. (2003). Incentives build robustness in BitTorrent. Workshop on Economics of Peer-to-Peer Systems. Retrieved from http://www.ittc.ku.edu/~niehaus/classes/750-s06/documents/BT-description.pdf

Cohen, M., Garfinkel, S., & Schatz, B. (2009). Extending the advanced forensic format to accommodate multiple data sources, logical evidence, arbitrary information and forensic workflow. Digital Investigation, 6, S57–S68. doi:10.1016/j.diin.2009.06.010

Cohen, M. I., Bilby, D., & Caronni, G. (2011). Distributed forensics and incident response in the enterprise. In Digital Investigation (Vol. 8, pp. S101–S110). Elsevier Ltd. doi:10.1016/j.diin.2011.05.012

Davis, M., Manes, G., & Shenoi, S. (2005). A network-based architecture for storing digital evidence. Advances in Digital Forensics: IFIP International Conference on Digital Forensics, 194, 33–42. doi:10.1007/0-387-31163-7_3

Dean, J., & Ghemawat, S. (2008). MapReduce : Simplified Data Processing on Large Clusters. Communications of the ACM, 51(1), 1–13. Doi:10.1145/1327452.1327492

Dosis, S., Homem, I., & Popov, O. (2013). Semantic Representation and Integration of Digital Evidence. Procedia Computer Science, 22, 1266–1275. doi:10.1016/j.procs.2013.09.214

Garfinkel, S. L. (2006). AFF : A New Format for Storing Hard Drive Images. Association for Computing Machinery. Communications of the ACM, 49(2), 85–87.

Jelasity, M., Voulgaris, S., Guerraoui, R., Kermarrec, A.-M., & Steen, M. van. (2007). Gossip-based peer sampling. ACM Transactions on Computer Systems (TOCS), 25(3), 1–36. Retrieved from http://dl.acm.org/citation.cfm?id=1275520

Kahvedžić, D., & Kechadi, T. (2009). DIALOG: A framework for modeling, analysis and reuse of digital forensic knowledge. Digital Investigation, 6, S23–S33. doi:10.1016/j.diin.2009.06.014

Kaspersky Lab. (2014). The Regin Platform: Nation-State Ownage of GSM Networks (pp. 1–28).

Koopmans, M. B., & James, J. I. (2013). Automated network triage. Digital Investigation, 10(2), 129–137. doi:10.1016/j.diin.2013.03.002

Leu, F.-Y. L. F.-Y., & Yang, T.-Y. Y. T.-Y. (2003). A host-based real-time intrusion detection system with data mining and forensic techniques. IEEE 37th Annual 2003 International Carnahan Conference onSecurity Technology, 2003. Proceedings., (Mid). doi:10.1109/CCST.2003.1297623

Moser, A., & Cohen, M. I. (2013). Hunting in the enterprise: Forensic triage and incident response. Digital Investigation, 10(2), 89–98. doi:10.1016/j.diin.2013.03.003

National Institute of Standards and Technology. (2004). Digital data acquisition tool specification. Draft for Comments. Retrieved from http://www.cftt.nist.gov/Pub-Draft-1- DDA-Require.pdf

Palmer, G. (2001). A Road Map for Digital Forensic Research. In Proceedings of the Digital Forensic Research Workshop, 2001. Uttica, New York.

Raghavan, S., Clark, A., & Mohay, G. (2009). FIA: an open forensic integration architecture for composing digital evidence. Forensics in Telecommunications, Information and Multimedia: Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, 8, 83–94. Retrieved from http://link.springer.com/chapter/10.1007/978-3-642-02312-5_10

Redding, S. (2005). Using Peer-to-Peer Technology for Network Forensics. Advances in Digital Forensics: IFIP International Federation for Information Processing, 194, 141–152. doi:10.1007/0-387-31163-7_12

Ren, W., & Jin, H. (2005). Distributed agent-based real time network intrusion forensics system architecture design. In Proceedings - International Conference on Advanced Information Networking and Applications, AINA (Vol. 1, pp. 177–182). Ieee. doi:10.1109/AINA.2005.164

Roussev, V., & Richard III, G. G. (2004). Breaking the Performance Wall: The Case for Distributed Digital Forensics. Digital Forensics Research Workshop, 1–16.

Sacha, J., Dowling, J., Cunningham, R., & Meier, R. (2006). Discovery of stable peers in a self-organising peer-to-peer gradient topology. In International Conference on Distributed Applications and Interoperable Systems (DAIS) (pp. 70–83). Retrieved from http://link.springer.com/chapter/10.1007/11773887_6

Schatz, B., & Clark, A. (2006). An open architecture for digital evidence integration. In AusCERT Asia Pacific Information Technology Security Conference (pp. 15–29). Gold Coast, Queensland. Retrieved from http://eprints.qut.edu.au/21119/

Scientific Working Group on Digital Evidence (SWGDE). (2006). Data integrity within computer forensics. Retrieved from https://www.swgde.org/documents/Current Documents/2006-04-12 SWGDE Data Integrity Within Computer Forensics v1.0

Shields, C., Frieder, O., & Maloof, M. (2011). A system for the proactive, continuous, and efficient collection of digital forensic evidence. Digital Investigation, 8, S3–S13. doi:10.1016/j.diin.2011.05.002

Shvachko, K., Kuang, H., Radia, S., & Chansler, R. (2010). The Hadoop Distributed File System. 2010 IEEE 26th Symposium on Mass Storage Systems and Technologies (MSST), 1–10. doi:10.1109/MSST.2010.5496972

sKyWIper Analysis Team. (2012). Skywiper (a.K.a Flame a.K.a Flamer): a Complex Malware for Targeted Attacks (Vol. 05, pp. 1–64). Budapest. Retrieved from http://www.crysys.hu/skywiper/skywiper.pdfnpapers2://publication/uuid/1A396077-EBAB-47F8-A363-162BDAF34247

Stone-Gross, B. (2012). The Lifecycle of Peer-to-Peer ( Gameover ) ZeuS. Retrieved from http://www.secureworks.com/cyber-threat-intelligence/threats/The_Lifecycle_of_Peer_to_Peer_Gameover_ZeuS/

Van Baar, R. B., van Beek, H. M. a., & van Eijk, E. J. (2014). Digital Forensics as a Service: A game changer. Digital Investigation, 11, S54–S62. doi:10.1016/j.diin.2014.03.007

Yu, J., Ramana Reddy, Y. V., Selliah, S., Reddy, S., Bharadwaj, V., & Kankanahalli, S. (2005). TRINETR: An architecture for collaborative intrusion detection and knowledge-based alert evaluation. Advanced Engineering Informatics, 19(2), 93–101. doi:10.1016/j.aei.2005.05.004

Zonouz, S., Joshi, K., & Sanders, W. (2011). Floguard: cost-aware systemwide intrusion defense via online forensics and on-demand IDS deployment. In Computer Safety, Reliability, and … (pp. 338–354). Naples, Italy: Springer-Verlag, Berlin, Heidelberg. doi:10.1007/978-3-642-24270-0_25


  • There are currently no refbacks.

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.

(c) 2006-2015 Association of Digital Forensics, Security and Law