While cybercrime proliferates – becoming more complex and surreptitious on the Internet – the tools and techniques used in performing digital investigations are still largely lagging behind, effectively slowing down law enforcement agencies at large. Real-time remote acquisition of digital evidence over the Internet is still an elusive ideal in the combat against cybercrime. In this paper we briefly describe the architecture of a comprehensive proactive digital investigation system that is termed as the Live Evidence Information Aggregator (LEIA). This system aims at collecting digital evidence from potentially any device in real time over the Internet. Particular focus is made on the importance of the efficiency of the network communication in the evidence acquisition phase, in order to retrieve potentially evidentiary information remotely and with immediacy. Through a proof of concept implementation, we demonstrate the live, remote evidence capturing capabilities of such a system on small scale devices, highlighting the necessity for better throughput and availability envisioned through the use of Peer-to-Peer overlays.


AccessData. (2014). AccessData FTK ADEnterprise. Retrieved December 4, 2014, from http://accessdata.com/solutions/digitalforensics/ad-enterprise

Alink, W., Bhoedjang, R. A. F., Boncz, P. A., & de Vries, A. P. (2006). XIRAF - XMLbased indexing and querying for digital forensics. Digital Investigation, 3, 50–58. doi:10.1016/j.diin.2006.06.016

Almulhem, A., & Traore, I. (2005). Experience with Engineering a Network Forensics System. Proceedings of the 2005 international conference on Information Networking. Convergence in Broadband and Mobile Networking. Korea: Springer Berlin Heidelberg.

Case, A., Cristina, A., Marziale, L., Richard, G. G., & Roussev, V. (2008). FACE: Automated digital evidence discovery and correlation. Digital Investigation, 5, S65– S75. doi:10.1016/j.diin.2008.05.008

CDESF Working Group. (2006). Standardizing digital evidence storage. Communications of the ACM. doi:10.1145/1113034.1113071

Cohen, B. (2003). Incentives build robustness in BitTorrent. Workshop on Economics of Peer-to-Peer Systems. Retrieved from http://www.ittc.ku.edu/~niehaus/classes/7 50-s06/documents/BT-description.pdf

Cohen, M., Garfinkel, S., & Schatz, B. (2009). Extending the advanced forensic format to accommodate multiple data sources, logical evidence, arbitrary information and forensic workflow. Digital Investigation, 6, S57–S68. doi:10.1016/j.diin.2009.06.010

Cohen, M. I., Bilby, D., & Caronni, G. (2011). Distributed forensics and incident response in the enterprise. In Digital Investigation (Vol. 8, pp. S101–S110). Elsevier Ltd. doi:10.1016/j.diin.2011.05.012

Davis, M., Manes, G., & Shenoi, S. (2005). A network-based architecture for storing digital evidence. Advances in Digital Forensics: IFIP International Conference on Digital Forensics, 194, 33–42. doi:10.1007/0-387-31163-7_3

Dean, J., & Ghemawat, S. (2008). MapReduce : Simplified Data Processing on Large Clusters. Communications of the ACM, 51(1), 1–13. doi:10.1145/1327452.1327492

Dosis, S., Homem, I., & Popov, O. (2013). Semantic Representation and Integration of Digital Evidence. Procedia Computer Science, 22, 1266–1275. doi:10.1016/j.procs.2013.09.214

Garfinkel, S. L. (2006). AFF : A New Format for Storing Hard Drive Images. Association for Computing Machinery. Communications of the ACM, 49(2), 85–87.

Guidance Software. (2014). Encase Enterprise. Retrieved December 4, 2014, from https://www.guidancesoftware.com/produc ts/Pages/encase-enterprise/overview.aspx

Homem, I. (2013). LEIA : The Live Evidence Information Aggregator A Scalable Distributed Hypervisor-based Peer-2-Peer Aggregator of Information for Cyber- Law Enforcement. KTH - The Royal Insitute of Technology.

Homem, I., Dosis, S., & Popov, O. (2013). LEIA: The Live Evidence Information Aggregator: Towards efficient cyber-law enforcement. In World Congress on Internet Security (WorldCIS-2013) (pp. 156–161). London. doi:10.1109/WorldCIS.2013.6751038

Jelasity, M., Voulgaris, S., Guerraoui, R., Kermarrec, A.-M., & Steen, M. van. (2007). Gossip-based peer sampling. ACM Transactions on Computer Systems (TOCS), 25(3), 1–36. Retrieved from http://dl.acm.org/citation.cfm?id=1275520

Kahvedžić, D., & Kechadi, T. (2009). DIALOG: A framework for modeling, analysis and reuse of digital forensic knowledge. Digital Investigation, 6, S23– S33. doi:10.1016/j.diin.2009.06.014

Kaspersky Lab. (2014). The Regin Platform: Nation-State Ownage of GSM Networks.

Koopmans, M. B., & James, J. I. (2013). Automated network triage. Digital Investigation, 10(2), 129–137. doi:10.1016/j.diin.2013.03.002

Leu, F.-Y. L. F.-Y., & Yang, T.-Y. Y. T.-Y. (2003). A host-based real-time intrusion detection system with data mining and forensic techniques. IEEE 37th Annual 2003 International Carnahan Conference onSecurity Technology, 2003. Proceedings., (Mid). doi:10.1109/CCST.2003.1297623

Moser, A., & Cohen, M. I. (2013). Hunting in the enterprise: Forensic triage and incident response. Digital Investigation, 10(2), 89– 98. doi:10.1016/j.diin.2013.03.003

National Institute of Standards and Technology. (2004). Digital data acquisition tool specification. Draft for Comments. Retrieved from http://www.cftt.nist.gov/Pub-Draft-1- DDA-Require.pdf

Palmer, G. (2001). A Road Map for Digital Forensic Research. In Proceedings of the Digital Forensic Research Workshop, 2001. Uttica, New York.

Raghavan, S., Clark, A., & Mohay, G. (2009). FIA: an open forensic integration architecture for composing digital evidence. Forensics in Telecommunications, Information and Multimedia: Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, 8, 83–94. Retrieved from http://link.springer.com/chapter/10.1007/9 78-3-642-02312-5_10

Redding, S. (2005). Using Peer-to-Peer Technology for Network Forensics. Advances in Digital Forensics: IFIP International Federation for Information Processing, 194, 141–152. doi:10.1007/0- 387-31163-7_12

Ren, W., & Jin, H. (2005). Distributed agentbased real time network intrusion forensics system architecture design. In Proceedings - International Conference on Advanced Information Networking and Applications, AINA (Vol. 1, pp. 177–182). Ieee. doi:10.1109/AINA.2005.164

Roussev, V., & Richard III, G. G. (2004). Breaking the Performance Wall: The Case for Distributed Digital Forensics. Digital Forensics Research Workshop, 1–16.

Sacha, J., Dowling, J., Cunningham, R., & Meier, R. (2006). Discovery of stable peers in a self-organising peer-to-peer gradient topology. In International Conference on Distributed Applications and Interoperable Systems (DAIS) (pp. 70–83). Retrieved from http://link.springer.com/chapter/10.1007/1 1773887_6

Scanlon, M., Farina, J., Khac, N. A. Le, & Kechadi, T. (2014). Leveraging Decentralization to Extend the Digital Evidence Acquisition Window : Case Study on BitTorrent Sync. Journal of Digital Forensics Security and Law, 9(December), 85–99.

Scanlon, M., & Kechadi, M. T. (2010). Online acquisition of digital forensic evidence. In Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering (Vol. 31 LNICST, pp. 122–131). doi:10.1007/978-3- 642-11534-9_12

Schatz, B., & Clark, A. (2006). An open architecture for digital evidence integration. In AusCERT Asia Pacific Information Technology Security Conference (pp. 15–29). Gold Coast, Queensland. Retrieved from http://eprints.qut.edu.au/21119/

Scientific Working Group on Digital Evidence (SWGDE). (2006). Data integrity within computer forensics. Retrieved from https://www.swgde.org/documents/Current Documents/2006-04-12

SWGDE Data Integrity Within Computer Forensics v1.0 Shields, C., Frieder, O., & Maloof, M. (2011). A system for the proactive, continuous, and efficient collection of digital forensic evidence. In Digital Investigation (Vol. 8, pp. S3–S13). Elsevier Ltd. doi:10.1016/j.diin.2011.05.002

Shvachko, K., Kuang, H., Radia, S., & Chansler, R. (2010). The Hadoop Distributed File System. 2010 IEEE 26th Symposium on Mass Storage Systems and Technologies (MSST), 1–10. doi:10.1109/MSST.2010.5496972

sKyWIper Analysis Team. (2012). Skywiper (a.K.a Flame a.K.a Flamer): a Complex Malware for Targeted Attacks (Vol. 05). Budapest. Retrieved from http://www.crysys.hu/skywiper/skywiper.p df\npapers2://publication/uuid/1A396077- EBAB-47F8-A363-162BDAF34247

Stone-Gross, B. (2012). The Lifecycle of Peerto-Peer ( Gameover ) ZeuS. Retrieved from http://www.secureworks.com/cyberthreatintelligence/threats/The_Lifecycle_of_Pee r_to_Peer_Gameover_ZeuS/

Van Baar, R. B., van Beek, H. M. a., & van Eijk, E. J. (2014). Digital Forensics as a Service: A game changer. Digital Investigation, 11, S54–S62. doi:10.1016/j.diin.2014.03.007

Yu, J., Ramana Reddy, Y. V., Selliah, S., Reddy, S., Bharadwaj, V., & Kankanahalli, S. (2005). TRINETR: An architecture for collaborative intrusion detection and knowledge-based alert evaluation. Advanced Engineering Informatics, 19(2), 93–101. doi:10.1016/j.aei.2005.05.004

Zonouz, S., Joshi, K., & Sanders, W. (2011). Floguard: cost-aware systemwide intrusion defense via online forensics and on-demand IDS deployment. In Computer Safety, Reliability, and … (pp. 338–354). Naples, Italy: Springer-Verlag, Berlin, Heidelberg. doi:10.1007/978-3-642-24270-0_25





To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.