Digital Evidence and Forensic Readiness (Dagstuhl Seminar 14092)

The seminar on Digital Evidence and Forensic Readiness provided the space for interdisciplinary discussions on clearly defined critical aspects of engineering issues, evaluation and processes for secure digital evidence and forensic readiness. A large gap exists between the state-of-the-art in IT security and best-practice procedures for digital evidence. Experts from IT and law used this seminar to develop a common view on what exactly can be considered secure and admissible digital evidence. In addition to sessions with all participants, a separation of participants for discussing was arranged. The outcome of these working sessions was used in the general discussion to work on a common understanding of the topic. The results of the seminar will lead to new technological developments as well as to new legal views to this points and to a change of organizational measures using ICT. Finally, various open issues and research topics have been identified. In addition to this report, open research issues will also be published in the form of a manifesto on digital evidence. One possible definition for Secure Digital Evidence was proposed by Rudolph et al. at the Eighth Annual IFIP WG 11.9 International Conference on Digital Forensics 2012. It states that a data record can be considered secure if it was created authentically by a device for which the following holds: - The device is physically protected to ensure at least tamper-evidence. - The data record is securely bound to the identity and status of the device (including running software and configuration) and to all other relevant parameters (such as time, temperature, location, users involved, etc.) - The data record has not been changed after creation. Digital Evidence according to this definition comprises the measured value and additional information on the state of the measurement device. This additional information on the state of the measurement device aims to document the operation environment providing evidence that can help lay the foundation for admissibility. This definition provided one basis of discussion at the seminar and was compared to other approaches to forensic readiness. Additional relevant aspects occur in the forensic readiness of mobile device, cloud computing and services. Such scenarios are already very frequent but will come to full force in the near future. The interdisciplinary Dagstuhl seminar on digital evidence and forensic readiness has provided valuable input to the discussion on the future of various types of evidence and it has build the basis for acceptable and sound rules for the assessment of digital evidences. Furthermore, it has established new links between experts from four continents and thus has set the foundations for new interdisciplinary and international co-operations.