Forensics and Security Research Group Forensics and Security UCD and SETU research group

Article

EviPlant: An Efficient Digital Forensic Challenge Creation, Manipulation, and Distribution Solution

Mark Scanlon; Xiaoyu Du; David Lillis

March 2017 Digital Investigation
PDF BibTeX DOI

Contribution Summary

EviPlant is a system designed to address the challenges of creating, manipulating, storing, and distributing digital forensic challenges for education and training. The system relies on the initial distribution of base disk images, which contain solely bare operating systems. Educators can then boot the base system, emulate the desired activity, and perform a diffing process to extract modified artefacts and associated metadata, which are stored in an evidence package. This approach reduces the need for large, full-image files and makes it easier to distribute challenges to students. EviPlant also allows for the creation of evidence packages for different personas, wear-and-tear, and emulated crimes, making it a versatile tool for digital forensic education and training.

Keywords: Digital forensics education; Forensic corpora; Digital forensic challenges; Evidence injection; Tool testing and validation; Digital forensic challenge creation; Malware analysis

Abstract

Education and training in digital forensics requires a variety of suitable challenge corpora containing realistic features including regular wear-and-tear, background noise, and the actual digital traces to be discovered during investigation. Typically, the creation of these challenges requires overly arduous effort on behalf of the educator to ensure their viability. Once created, the challenge image needs to be stored and distributed to a class for practical training. This storage and distribution step requires significant resources and time and may not even be possible in an online/distance learning scenario due to the data sizes involved. As part of this paper, we introduce a more capable methodology and system to current approaches. EviPlant is a system designed for the efficient creation, manipulation, storage and distribution of challenges for digital forensics education and training. The system relies on the initial distribution of base disk images, i.e., images containing solely bare operating systems. In order to create challenges for students, educators can boot the base system, emulate the desired activity and perform a diffing of resultant image and the base image. This diffing process extracts the modified artefacts and associated metadata and stores them in an evidence package. Evidence packages can be created for different personas, different wear-and-tear, different emulated crimes, etc., and multiple evidence packages can be distributed to students and integrated with the base images. A number of advantages and additional functionality over the current approaches are discussed that emerge as a result of using EviPlant.

BibTeX

@article{scanlon2017eviplant,
	author={Scanlon, Mark and Du, Xiaoyu and Lillis, David},
	title="{EviPlant: An Efficient Digital Forensic Challenge Creation, Manipulation, and Distribution Solution}",
	journal="{Digital Investigation}",
	year=2017,
	month=03,
	volume="20S",
	number="1",
	pages="29-36",
	publisher={Elsevier},
	abstract="Education and training in digital forensics requires a variety of suitable challenge corpora containing realistic features including regular wear-and-tear, background noise, and the actual digital traces to be discovered during investigation. Typically, the creation of these challenges requires overly arduous effort on behalf of the educator to ensure their viability. Once created, the challenge image needs to be stored and distributed to a class for practical training. This storage and distribution step requires significant resources and time and may not even be possible in an online/distance learning scenario due to the data sizes involved. As part of this paper, we introduce a more capable methodology and system to current approaches. EviPlant is a system designed for the efficient creation, manipulation, storage and distribution of challenges for digital forensics education and training. The system relies on the initial distribution of base disk images, i.e., images containing solely bare operating systems. In order to create challenges for students, educators can boot the base system, emulate the desired activity and perform a diffing of resultant image and the base image. This diffing process extracts the modified artefacts and associated metadata and stores them in an evidence package. Evidence packages can be created for different personas, different wear-and-tear, different emulated crimes, etc., and multiple evidence packages can be distributed to students and integrated with the base images. A number of advantages and additional functionality over the current approaches are discussed that emerge as a result of using EviPlant.",
  doi={10.1016/j.diin.2017.01.010},
}