A New Design and Implementation of Digital Evidence Container for Triage and Effective Investigation

디지털 증거 선별 조사의 효율성을 위한 Digital Evidence Container 설계 및 구현

  • Lim, Kyung-Soo (Cyber Security-Convergence Research Laboratory, Electronics and Telecommunication Research Institute) ;
  • Lee, Chang-Hoon (Dept. of Computer Engineering, Seoul National University of Science and Technology) ;
  • Lee, Sang-In (Cyber Security-Convergence Research Laboratory, Electronics and Telecommunication Research Institute)
  • 임경수 (한국전자통신연구원 사이버융합보안연구단) ;
  • 이창훈 (서울과학기술대학교 컴퓨터공학과) ;
  • 이상진 (한국전자통신연구원 사이버융합보안연구단)
  • Received : 2012.06.18
  • Accepted : 2012.07.02
  • Published : 2012.07.25


The law enforcement agencies in the worldwide are confiscating or retaining computer systems involved in a crime/civil case, if there are any, at the preliminary investigation stage, even though the case does not involve a cyber-crime. They are collecting digital evidences from the suspects's systems and using them in the essential investigation procedure. It requires much time, though, to collect, duplicate and analyze disk images in general crime cases, especially in cases in which rapid response must be taken such as kidnapping and murder cases. The enterprise forensics, moreover, it is impossible to acquire and duplicate hard disk drives in mass storage server, database server and cloud environments. Therefore, it is efficient and effective to selectively collect only traces of the behavior of the user activities on operating systems or particular files in focus of triage investigation. On the other hand, if we acquire essential digital evidences from target computer, it is not forensically sound to collect just files. We need to use standard digital evidence container from various sources to prove integrity and probative of evidence. In this article, we describe a new digital evidence container, we called Xebeg, which is easily able to preserve collected digital evidences selectively for using general technology such as XML and PKZIP compression technology, which is satisfied with generality, integrity, unification, scalability and security.


Supported by : 한국연구재단


  1. 임경수, 이상진, "신속한 사건 대응을 위한 휴대용 포렌식 도구 설계 및 구현," 2009 디지털 포렌식워크샵, 2009년 8월
  2. 임경수, "디지털 증거 수집을 위한 XML 기반 프 레임워크의 설계 및 구현", 고려대학교 정보경영공학전문대학원, 석사 학위 논문 2008.
  3. Kyungsoo Lim, Seokhee Lee, Jong Hyuk Park, Sangiin Lee "XFRAME: XML-baed framework for efficient acquiring digital evidence on Windows live system", Proceedings of 4th Annual IFIP WG11.9 International Conference on Digital Forensics, Kyoto, Japan, 2008.
  4. Kyung-soo Lim, SeungBong Lee nd Sangjin Lee,"Applying a Stepwise Forensic Approach to Incident Response and Computer Usage Analysis",2nd International Conference on Computer Science and its Application,(CSA 2009)
  5. Marcus K. Rogers, James Goldman, Rick Mislan, Timothy Wedge,Steve Debrot, "Computer Forensics Field Triage Process Model", Conference on Digital Forensics, Security and Law, 2006.
  6. Philip Turner, "Unification of Digital Evidence from Disparate Sources(Digital Evidence Bags)",Digital Forensic Research Workshop (DFRWS), New Orleans, 2005.
  7. Philip Turner, "Selective and intelligent imaging using digital evidence bags ", Digital Investigation, Volume 3, Supplement 1, September 2006, Pages 59-64
  8. Philip Turner, "Applying a forensic approach to incident response, network investigation and system administration using Digital Evidence Bags", Digital Investigation, Volume 4, Issue 1, March 2007, Pages 30-35 https://doi.org/10.1016/j.diin.2007.01.002
  9. Golden G. Richard III, Vassil Roussev, Lodovico Marziale. "Forensic discovery auditing of digital evidence containers", Digital Investigation, Volume 4, Issue 1, March 2007, Pages 88-97 https://doi.org/10.1016/j.diin.2007.04.002
  10. EnCase Portable, Gudiance Soft http://www.guidancesoftware.com/encase-portable.htm
  11. FISA-File System Analyzer, (주)포앤식스테크 http://www.4n6tech.com/pro_kr/info/info.php?pn=1 &sn=1&dn=1