This report describes the features and testing of Devlan, software that searches for and collects evidence from large networks spanning potentially thousands of devices, with minimal interruption of business operations.
Devlan addresses the problems of scale and diversity in large-scale networks by using the functions and computing power of the network under investigation: it leverages the network's own libraries and processors to locate and acquire forensic evidence. It addresses the problem of disruption by being a digital forensics system that is brought to the network under investigation: Devlan is deployed, searches are executed, evidence is acquired, and Devlan is removed; the evidence then passes into the possession of case investigators for analysis. Devlan operates uniformly across all computer operating systems.

The current project defined and characterized Devlan's architecture, workflow, and software implementation. A forensic acquisition mechanism was implemented with Devlan, along with a storage and preservation mechanism. The acquisition mechanism was developed to handle large volumes of data seamlessly; make proper use of compression; offload compression to the network edge to reduce computational load; use proper representational state transfer (REST) semantics; and asynchronously acquire data from across the network. The mechanism stores data in a new format developed in this project, based on the widely adopted ZIP standard and augmented for forensic purposes, including preservation of audit trails and other forensic metadata.

Devlan was tested in comparison with a conventional forensic tool. Devlan achieved 95.1 percent precision, 95.8 percent recall, and 95.5 percent F1, at a speed 170 times faster than the conventional forensic acquisition tool.

3 figures
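The report does not specify the internal layout of Devlan's ZIP-based evidence format, so the following is an added illustration, not Devlan's own code: a plain ZIP archive whose evidence members are compressed at acquisition time and accompanied by a manifest carrying per-item SHA-256 hashes, acquisition timestamps and an audit trail. The member name `forensic-manifest.json`, the manifest fields and the sample evidence items are all assumptions constructed for the example. Verification re-hashes every member against the manifest, so any altered, missing or unlisted member is reported rather than silently accepted.

```python
"""Illustrative forensic evidence container: ZIP + integrity manifest.

Constructed example; Devlan's actual format is not described in the report.
"""
import hashlib
import io
import json
import zipfile
from datetime import datetime, timezone
from typing import Dict

MANIFEST_NAME = "forensic-manifest.json"  # hypothetical member name


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_container(evidence: Dict[str, bytes], collector: str, source_host: str) -> bytes:
    """Pack evidence items into a ZIP archive.

    Each item is DEFLATE-compressed as it is written (the "compress at the
    edge" idea) and recorded in the manifest with its size, hash, acquisition
    time and an audit-trail entry naming the actor and action.
    """
    buf = io.BytesIO()
    manifest = {"source_host": source_host, "collector": collector,
                "items": [], "audit_trail": []}
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, data in evidence.items():
            ts = datetime.now(timezone.utc).isoformat()
            zf.writestr(name, data)
            manifest["items"].append({"name": name, "size": len(data),
                                      "sha256": sha256_hex(data), "acquired_at": ts})
            manifest["audit_trail"].append({"time": ts, "actor": collector,
                                            "action": "acquire", "object": name})
        # Manifest is stored uncompressed so it can be read without inflating evidence.
        zf.writestr(MANIFEST_NAME, json.dumps(manifest, indent=2),
                    compress_type=zipfile.ZIP_STORED)
    return buf.getvalue()


def verify_container(container: bytes) -> Dict[str, str]:
    """Re-hash every evidence member and compare it with the manifest.

    Returns a per-member status: "ok", "hash-mismatch", "missing" (listed in
    the manifest but absent from the archive) or "unlisted" (present in the
    archive but not recorded in the manifest).
    """
    results: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        manifest = json.loads(zf.read(MANIFEST_NAME))
        listed = {item["name"]: item for item in manifest["items"]}
        members = set(zf.namelist()) - {MANIFEST_NAME}
        for name, item in listed.items():
            if name not in members:
                results[name] = "missing"
            elif sha256_hex(zf.read(name)) == item["sha256"]:
                results[name] = "ok"
            else:
                results[name] = "hash-mismatch"
        for name in members - set(listed):
            results[name] = "unlisted"
    return results


def replace_member(container: bytes, name: str, new_data: bytes) -> bytes:
    """Rewrite the archive with one member's bytes changed and the manifest
    left untouched. Used here only to show that verification detects the change."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(container)) as src, \
            zipfile.ZipFile(out, "w", compression=zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = new_data if info.filename == name else src.read(info.filename)
            dst.writestr(info.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    # Constructed sample evidence from a hypothetical host "ws01".
    sample = {
        "hosts/ws01/auth.log": b"Jan  1 00:00:01 ws01 sshd[101]: Accepted publickey for ops\n",
        "hosts/ws01/crontab": b"0 3 * * * /usr/local/bin/backup.sh\n",
    }
    packed = build_container(sample, collector="analyst-1", source_host="ws01")
    print(verify_container(packed))
    tampered = replace_member(packed, "hosts/ws01/auth.log", b"rewritten\n")
    print(verify_container(tampered))
```

The manifest is the piece that turns an ordinary ZIP into evidence: without it, a member could be swapped and the archive would still open cleanly. A production format would additionally sign or externally record the manifest hash, since an attacker who can rewrite the archive can also rewrite an unsigned manifest.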