
Digital Evidence Bags

From Forensics Wiki
Revision as of 10:25, 3 May 2006 by imported>Uwe Hermann

The Digital Evidence Bag (DEB) format mimics, in a digital environment, the bags, tags and seals traditionally used to wrap evidence.

When a DEB is created, three files are generated:

  1. A .tag file, which is plain text and stores case-specific metadata such as the evidence reference identifier, examiner, location, timestamps and tag continuity blocks that record DEB access activity. In addition, the tag file contains the cryptographic hashes (seals) that are used to maintain and assure the integrity of the DEB structure.
  2. An .index file, which is plain text and records device, file or data source metadata.
  3. A .bag file, which holds the evidential data, e.g. the raw device bit stream, logical files or network packet capture data.
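
The three-file structure above, sketched in Python as an added example that is not part of the original page or of any DEB tool. The tag line names (EvidenceRef, Seal.index, Continuity), the use of SHA-256 and the choice to seal each continuity block over the preceding tag content are assumptions made for illustration; the real tag syntax is not given on this page.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path
# Constructed tag layout for illustration only; not the real DEB tag syntax.

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def create_deb(base, evidence_ref, examiner, index_text, data):
    """Write base.index, base.bag and a base.tag holding a seal for each."""
    base = Path(base)
    base.with_suffix(".index").write_text(index_text)
    base.with_suffix(".bag").write_bytes(data)
    lines = [f"EvidenceRef: {evidence_ref}", f"Examiner: {examiner}",
             f"Created: {datetime.now(timezone.utc).isoformat()}"]
    for ext in (".index", ".bag"):
        lines.append(f"Seal{ext}: {sha256_file(base.with_suffix(ext))}")
    base.with_suffix(".tag").write_text("\n".join(lines) + "\n")

def record_access(base, examiner, action):
    """Append a continuity block sealed over all tag content before it."""
    tag = Path(base).with_suffix(".tag")
    prior = hashlib.sha256(tag.read_bytes()).hexdigest()
    stamp = datetime.now(timezone.utc).isoformat()
    with open(tag, "a") as f:
        f.write(f"Continuity: {stamp}|{examiner}|{action}|{prior}\n")

def verify_deb(base):
    """Return a list of problems; an empty list means every seal matches."""
    base, problems, seen = Path(base), [], b""
    for raw in base.with_suffix(".tag").read_bytes().splitlines(keepends=True):
        key, _, value = raw.decode().strip().partition(": ")
        if key.startswith("Seal."):
            if sha256_file(base.with_suffix(key[4:])) != value:
                problems.append(f"{key[4:]} does not match its seal")
        elif key == "Continuity":
            if value.rsplit("|", 1)[1] != hashlib.sha256(seen).hexdigest():
                problems.append("tag altered before continuity block")
        seen += raw
    return problems

if __name__ == "__main__":
    base = Path(tempfile.mkdtemp()) / "case001"  # constructed sample bag
    create_deb(base, "REF-0001", "examiner-a", "source: sample\n", b"raw bits")
    record_access(base, "examiner-b", "opened read-only")
    print(verify_deb(base) or "all seals intact")
```

In this sketch the most recent continuity block is not itself covered by a later seal, so the final state of the tag file would need to be protected separately.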