Projects | Forensics and Security Research Group

EviPlant

Education and training in digital forensics requires suitable challenge corpora containing realistic features including regular wear-and-tear, background noise, and the actual digital traces to be discovered during investigation.

Typically, the creation of these challenges requires overly arduous effort on behalf of the educator to ensure their viability. Once created, the challenge image needs to be stored and distributed to a class for practical training. This storage and distribution step requires significant resources and time and may not even be possible in an online or distance learning scenario due to the data sizes involved.

EviPlant is a system designed for the efficient creation, manipulation, storage and distribution of challenges for digital forensics education and training. The system relies on the initial distribution of base disk images containing solely bare operating systems. Educators can boot the base system, emulate the desired activity, and perform a diffing of the resultant image and the base image. This diffing process extracts the modified artefacts and associated metadata and stores them in an evidence package.

Dedupe

With an increasing emphasis on digital evidence in criminal prosecution, law enforcement is encountering a corresponding rise in cases requiring expert digital forensic analysis.

The sheer volume of data to be processed in each case has significantly increased. As a result, the requirement for more efficient digital forensic investigation has ballooned, and law enforcement agencies throughout the world are buckling under the overwhelming stress. While more law enforcement personnel are being trained, the supply of highly skilled staff is not meeting demand.

This project introduces a novel solution to replace much of the current, overly arduous digital forensic process. The project leverages a Digital Forensics-as-a-Service paradigm based on data deduplication, aiming to eliminate reacquisition, redundant storage, and reanalysis of previously processed data.

Moving to a deduplicated model provides significant advantages over the current approach, including reduced costs, higher throughput, and faster processing. It also enables useful milestones including digital forensic challenge creation for education and training, forensic tool testing and validation, and automated investigation.