Note:
This awardee has received supplemental funding. This award detail page includes information about both the original award and supplemental awards.
Award Information
Description of original award (Fiscal Year 2016, $368,410)
Large-scale computer networks are often a potential source of valuable digital evidence in criminal justice investigations ranging from combating terrorism to economic crimes. Yet, law enforcement organizations, especially at the State and local level, typically lack the resources, technology, and staff needed to acquire this valuable evidence. Due to five key challenges inherent to large-scale networks--data size and scale, distribution, disruption, diversity, and dynamics--no satisfactory forensic tool for network-based evidence has been developed.
We argue that the paradigm of traditional digital forensics cannot be extended to large-scale networks. However, we present a new paradigm that leverages capabilities already inherent to the network and applies them to search for, locate, and acquire evidence in a forensically sound manner. We describe the architecture of a tool based on this paradigm, known as Devlan (Digital EVidence from LArge Networks), and present a plan to design, develop, test, demonstrate, and disseminate it. Devlan uses an open architecture to draw on the network's inherent capabilities, applying them to the acquisition of evidence, and is designed to fulfill relevant legal requirements, such as the limits of warrants, the obligation to find exculpatory evidence, and the evidentiary requirements of authentication and chain-of-custody.
Our research will be done in collaboration with the Baltimore Police Department of Baltimore, Maryland, and the Lakewood Police Department of Lakewood, NJ, and will result in a tool that allows law enforcement organizations nationwide to properly acquire evidence from large-scale networks.