ECo-Bag: An elastic container based on merkle tree as a universal digital evidence bag

Unique traits generated automatically or artificially, such as firewall logs, OS event logs, and various metadata, are well hidden in the digital evidence that cannot be easily perceived by the investigator in some cases. Digital data is invisible, and it is necessary that attention is focused on traditional management with integrity because of the involvement of various stakeholders in the secure preservation and analysis of the forensic process. Similar to file formats, digital evidence bags (DEB), such as E01 and L01, are widely used to contain digital data for certain facilities in a raw format, which also include metadata. The DEB can provide a way to obtain data through selective imaging, extracting and collecting only the parts necessary from the extensive data for proof. However, it cannot flexibly handle information obtained from large amounts of data or when sensitive data is involved or destroy superfluous materials that must be protected. Therefore, in this study, we propose a new container format based on the Merkle tree, which is used as a universal DEB. The proposed ECo-Bag can store physical and logical images from the storage medium, bit streams transmitted over networks, file segments in the cloud or distributed system, secondary outcomes, and metadata. Furthermore, it can support operations to destruct or seal the data initially collected while verifying the data integrity and tracking the provenance within the chain of custody. Thus, it is expected to contribute to the elastic management of addition and deletion of evidence in digital investigation and e-discovery.