A Formal Treatment of Expressiveness and Relevanceof Digital Evidence

Abstract

Digital investigations are largely concerned with reconstructing past events based on traces in digital systems. Given their importance, many concepts have been established to describe their quality—most of them concerned with procedural aspects, i.e., authenticity and integrity, for example. Besides that, there exist principal concepts that have been overlooked in the past: Two of those criteria are relevance and expressiveness of digital evidence. Unlike others, those are directly concerned with reaching the investigative goal. Therefore, we approach these two overlooked concepts of digital evidence by giving formal definitions. To illustrate the usefulness, we present two applications: First, we demonstrate that the notions of expressiveness and completeness can be used to guide investigations by presenting the Facet-oriented Criminalistic Cycle as a thinking model, which extends the well-established criminalistic cycle. Second, we put the concepts into practice by calculating the expressiveness of facets from a state machine representation of a digital system utilizing temporal logic and a model checker. Furthermore, we sketch out the implications of this improved way of defining relevance and expressiveness. Accordingly, this article aims to improve the understanding of these critical aspects of the overall investigative process.