DEX: Digital evidence provenance supporting reproducibility and comparison

The current standard and open formats for forensic data describe whole disk and memory image properties, but do not describe the products of detailed investigations. We propose a simple canonical description of digital evidence provenance that explicitly states the set of tools and transformations that led from acquired raw data to the resulting product. Our format, called Digital Evidence Exchange (DEX) is independent of the forensic tool that discovered the evidence, which has a number of advantages. Using a DEX description and the raw image file, evidence can be reproduced by other tools with the same functionality. Additionally, DEX descriptions can identify differences between two separate investigations of the same raw evidence. Finally, as a standard product of tools, DEX can allow quick fabrication of tool chains either as best-of-breed amalgams or for tool testing. We have implemented DEX as an open-source library.