Article

Proving the Integrity of Digital Evidence with Time.


Abstract

... Table columns: Method, Description, Common Types, Advantages, Disadvantages. A method of checking for errors in digital data. Typically a 16- or 32-bit polynomial is applied to each byte of digital data that you are trying to protect. The result is a small integer value that is 16 or 32 bits in length and represents the concatenation of the data. This integer value must be saved...


... Vanstone et al. (1997) defined data integrity as digital data that has not been altered in an unauthorized manner since the time it was created, transmitted, or stored by an authorized source. Hosmer (2002) extended this definition to propose models to prove digital evidence e.g. checksum, one-way hash algorithm, digital signatures. ...
... Search on google scholar for Data integrity and customer perception yielded virtually no significant results as EBSCOnet and Jstor. Rather design literatures that enforces technical improvement of ICT artefact are mostly underscored (Asabere et al., 2012;Hosmer, 2002;Rocheleau, 2014;Ettredge and Srivastava, 1999). ...
... To the extent that what they perceive from their modeling environment is very crucial in shaping their decision is positioning of the bank to ensure timely resolution of data integrity issues relating to the ATM and general banking services over a period. As observed from the responses and the thoughts expressed by (Hosmer, 2002), consistent improvement in the resolution of these data integrity issues over a period would affect and change the perception of frequent users of the system. Thus, the cognitive inconsistency erstwhile experienced is gradually catered for in the continuous timely resolution of these data integrity issues. ...
Article
Full-text available
In spite of the numerous studies exploring customers’ perception of their banks, there is limited understanding of customers’ perceptions of Automated Teller Machines (ATM) data integrity issues. We therefore sought to understand customers’ perception of data integrity issues in ATM using Ghana Commercial Bank as case study. The objective was to understand the extent to which customers’ perception of ATM data integrity affect their relationship with the bank. Thus, the main research question is “To what extent is ATM data integrity issues affecting how customers transact business with the bank? The Adenta branch of Ghana Commercial Bank in Accra was used as case study. A Qualitative research approach was adopted given the exploratory nature of this study. Empirical data were gathered using a combination of observations and interviews. The informants were selected via purposive sampling technique. The study has shown that fairness expectation, assured customer delight, well-structured media post and settled perception of customer delight are the major factors that affect customers’ perception of ATM data integrity.
... (Pollitt, 2013) Both these factors are required of the digital evidence as well as the activities performed within the digital forensics process model, that is: the preparation and identification of evidence, the acquisition of the evidence sources, the analysis, and the reporting of findings. (Casey, 2007) (Dykstra and Sherman, 2012)  Trustworthiness is gauged through the level of integrity of the acquired digital evidence (Hosmer, 2002), as well as the reliability of the activities performed throughout the digital investigation. ...
... Hosmer states that "digital evidence originates from a multitude of sources including seized computer hard-drives and backup media, real-time e-mail messages, chat-room logs, ISP records, web-pages, digital network traffic, local and virtual databases, digital directories, wireless devices, memory cards, and digital cameras." (Hosmer, 2002) The variety and forms of digital evidence and their sources are continuously in a state of flux as technological advancements change the digital landscape. Beebe (Beebe, 2009) identified the increasing occurrence of non-standard computing environments as an upcoming challenge in digital forensics research. ...
... Furthermore there has been a need to authenticate the trustworthiness of the digital evidence in order to ascertain that no unauthorized modifications have been made from the time it was acquired from the digital crime scene. (Hosmer, 2002) This has led to the maintenance of the "chain of custody" documentation that requires recording information about who was involved, where, when and how digital evidence was collected or changed hands. (Casey, 2011) It also requires the verification of the integrity of the evidence through the use of hashing functions. ...
Thesis
Full-text available
Cybercrime and related malicious activity in our increasingly digital world has become more prevalent and sophisticated, evading traditional security mechanisms. Digital forensics has been proposed to help investigate, understand and eventually mitigate such attacks. The practice of digital forensics, however, is still fraught with various challenges. Some of the most prominent of these challenges include the increasing amounts of data and the diversity of digital evidence sources appearing in digital investigations. Mobile devices and cloud infrastructures are an interesting specimen, as they inherently exhibit these challenging circumstances and are becoming more prevalent in digital investigations today. Additionally they embody further characteristics such as large volumes of data from multiple sources, dynamic sharing of resources, limited individual device capabilities and the presence of sensitive data. These combined set of circumstances make digital investigations in mobile and cloud environments particularly challenging. This is not aided by the fact that digital forensics today still involves manual, time consuming tasks within the processes of identifying evidence, performing evidence acquisition and correlating multiple diverse sources of evidence in the analysis phase. Furthermore, industry standard tools developed are largely evidence-oriented, have limited support for evidence integration and only automate certain precursory tasks, such as indexing and text searching. In this study, efficiency, in the form of reducing the time and human labour effort expended, is sought after in digital investigations in highly networked environments through the automation of certain activities in the digital forensic process. To this end requirements are outlined and an architecture designed for an automated system that performs digital forensics in highly networked mobile and cloud environments. 
Part of the remote evidence acquisition activity of this architecture is built and tested on several mobile devices in terms of speed and reliability. A method for integrating multiple diverse evidence sources in an automated manner, supporting correlation and automated reasoning is developed and tested. Finally the proposed architecture is reviewed and enhancements proposed in order to further automate the architecture by introducing decentralization particularly within the storage and processing functionality. This decentralization also improves machine to machine communication supporting several digital investigation processes enabled by the architecture through harnessing the properties of various peer-to-peer overlays. Remote evidence acquisition helps to improve the efficiency (time and effort involved) in digital investigations by removing the need for proximity to the evidence. Experiments show that a single TCP connection client-server paradigm does not offer the required scalability and reliability for remote evidence acquisition and that a multi-TCP connection paradigm is required. The automated integration, correlation and reasoning on multiple diverse evidence sources demonstrated in the experiments improves speed and reduces the human effort needed in the analysis phase by removing the need for time-consuming manual correlation. Finally, informed by published scientific literature, the proposed enhancements for further decentralizing the Live Evidence Information Aggregator (LEIA) architecture offer a platform for increased machine-to-machine communication thereby enabling automation and reducing the need for manual human intervention.
... From the computing perspective, it could be termed as the time an event(s) is(are) recorded by a computer. Time as a quantifiable value has become very important in most aspects of commerce and security as an order for binding validity, granting access and reconstruction of event orders (Hosmer 2002). Secure and auditable time issues have paved way to the realization of the importance of authenticating time sources, given that most computing systems possess varying time representations. ...
... This concept also seems to exploit the techniques of public key infrastructure (PKI) as used by third party (certificate) authorities combined with the official world source of time. Hence, this methodology is seen to efficiently secure the time and simultaneously provide the evidentiary trail of the time source within the time stamp (Hosmer 2002). Proving the integrity of digital evidence with time requires several standards and actions which; the advancement of accuracy and trust of digital time, the binding of such trusted electronic time with digital data and computer events routinely, standardizing timing routines throughout the digital world and ensuring that such trusted time are traceable to a legal time source(s) (Hosmer 2002) ...
Article
Virtual machine technology has emerged with relishing features such as versioning, isolation and encapsulation. These features have made evidence acquisition and preservation difficult and impracticable. Virtual machines have proved excellence in anti-forensics, such that conventional approaches to integrity preservation have not yielded the best results required to facilitate admissibility. Issues around virtual machine forensics, its relationship with digital evidence integrity, and effects to admissibility have been resolutely investigated. In this work, we focused on the identification of threats to the integrity of evidence in a virtual machine environment using VMware hypervisor as case study. A conceptual framework, EIPF for preserving integrity of evidences resident in a virtual machine environment is introduced. The framework emphasises rules, processes and parameters necessary for upholding the accuracy, reliability and trustworthiness of digital evidence. The framework adopts the widely known Clark-Wilson's principles on Data Integrity. In our investigation, the key parameters used are the security strength of the hash algorithms, the relative Number of Evidence Attributes), and the Number of Evidence Circles. To simplify the analysis further, a reliability rating factor has been introduced as a means of defining conceptual integrity levels. We have mathematically modelled all the penalty parameters for data integrity in our model following widely known and recommended standards and processes. Although a demonstration of the behaviour of EIPF had not been exhaustively featured, the proposed framework has offered a starting point towards adopting an improved way of ensuring integrity. While opening up a path for unification, it has amplified the trust level for a court's acceptance of a claimed integrity state for digital evidence.
... In the present paper we pull together old and new ideas in establishing a model of input-output which is suitable for digital investigations where proof of reproducibility of the results is required. In developing this model, we draw on work of Gerber and Leeson [Gerber and Leeson, 2004] on the Hadley model of input-output layers evolved from the standardized Open Systems Interconnection (OSI) layers, on the work of Carrier [Carrier, 2003], who argues for the freedom to choose input-output layers appropriate to the requirements of the investigations, and of Hosmer [Hosmer, 2002] who proposes the use of digital time-stamps to prove the integrity of digital evidence. Our model comprises a three-stage process including the determination of input-output layers, the assignment of read and write operations, and the time-stamping of those operations during the investigation. ...
... In a distributed system, the correct order of occurrence of each operation relies on accurate and precise time-synchronization between all entities. Hosmer [Hosmer, 2002] recognizes this as an issue for the forensic investigator and suggests the use of secure and auditable digital time-stamps when handling digital evidence in an investigation. He argues that such time-stamps can supply accuracy, authentication, integrity, nonrepudiation and accountability. ...
... Hosmer proposes in [Hosmer, 2002] to apply globally-synchronized time-stamps in order to maintain the integrity of digital evidence in a forensic investigation. Applying this idea, we define a timing algorithm on 'read' and 'write' operations which allows us to linearly order time throughout the investigation as follows: ...
Conference Paper
Full-text available
We present a three-component model of a digital investigation which comprises: determination of input-output layers, assignment of read and write operations associated with use of forensic tools, and time-stamping of read and write operations. This builds on work of several authors, culminating in the new model presented here which is generic, scalable and compatible with all functions in the system, and which is guaranteed to produce a high quality of reproducibility.
... Digital evidence, which forms an integral part of every digital forensic investigation process, is defined as a piece of data that is recorded, stored or transferred through a computer system or similar digital or electronic devices, and can be read, understood and interpreted by a person, computer or similar digital device [1]. Evidence can originate from multiple sources such as seized computer hard-drives and backup media, ISP records, USB flash drives, e-mail messages, network traffic etc. [3,4]. However, the trustworthiness of this data, source device or both is an important question, which must be looked into carefully by forensic examiners. ...
... Digital information is very delicate and fragile and even a minute mistake can prove to be costly. Therefore, not just data tampering but lack of proper knowledge regarding handling of digital evidences might also lead to change in computed hash value [3,7]. The objective of our research is to conduct various experiments to determine various practices (such as modifying file metadata, filename and file extension, file encryption, file compression, file printing, storing the same file in different formats, use of different versions of Windows OS and steganography), that can lead to alteration of computed hash value of digital evidences. ...
Article
Full-text available
Digital forensic investigation is the scientific process of collection, preservation, examination, analysis, documentation and presentation of digital evidence from digital devices, so that the evidence is in compliance with legal terms and acceptable in a court of law. Integrity of the digital evidence is an indispensable part of the investigation process and should be preserved to maintain the chain of custody. This is done through hashing technique using standardized forensic tools. However, while handling the evidences, lack of knowledge might lead to unintentional alteration of computed hash. This violates the chain of custody and makes the evidence inadmissible in a court of law. In this paper, our objective is to determine the different conditions under which the original hash value of a digital evidence changes. For this, we create different scenarios using sample data files and compute their hash values. A comparative study and analysis are done to determine in which scenario the original hash value of the data file changes. The results of the research will prove useful and essential for Criminal Justice Functionaries in gaining knowledge about various conditions leading to the change in hash value of digital evidence and therefore, avoid its accidental alteration during forensic investigation/examination.
... First of all, the authenticity of printed copies or captured images of a web site has to be validated by the witness in order to be admitted [20], a procedure that many times is still questionable especially when the witness is not independent (e.g. is not a police officer). Moreover, the exact time that the specific content was accessible online cannot be proven, since standard time-signing techniques cannot be applied [10]. ...
... Next, a hashing of the (scrambled or unscrambled) content is performed, producing the "digest", which will be later utilized for the verification of the content. A timestamp (which has been produced at the time of the request) is concatenated to the digest, in order for the date and time to be bind to it, according to [10]. The concatenated "digest + timestamp" is fed once more to the hash module, producing the final hash value. ...
Conference Paper
It is an undisputable fact that nowadays many different types of crime are conducted by utilizing some type of electronic device - communication. To address this new situation, modern forensics tools evolved, becoming sophisticated enough to handle almost all kinds of digital content. However, surprisingly enough, collecting and validating the authenticity of online content remains, until now, a problem to resolve. The common practice is to capture (screen-shot) or save a web page, the authenticity of which is usually validated in a judicial process by an expert’s testimony. In this paper, we introduce ProCAVE , a simple software architecture with a set of accompanying procedures, and we argue that their combined use can deliver evidence from online sources in the court, in a sound and privacy-preserving manner.
... It is very important to know the answer to the question which we can be asked in the courtroom: "When was the digital evidence accessed, how long the staffs have been in touch with the evidence? Next question could be:"How long can we prove the integrity of the digital evidence that we signed" [7]. Time is an important factor to determine a question. ...
... Problem of digital time stamping has been the subject of several researches. Hosmer [7] emphasizes the use of time to prove the integrity of digital evidence, and states the 3 steps that we must do in order to effectively use digital evidence to prove the motif, opportunity and means of cybercrimes: Weil [2002] and Boyd [2004] advocate the use of correlating methods for time stamps stored on target computer that were created by other clocks (e.g. time stamps in dynamically generated web pages) [8]. ...
Conference Paper
Full-text available
The integrity of digital evidence plays an important role in the digital process of forensic investigation. Proper chain of custody must include information on how evidence is collected, transported, analyzed, preserved, and handled with. There are several adapted methods for evidence digital signing to (im)prove the integrity of digital evidence. Most forensic tools and applications use a certain kind of hashing algorithm to allow investigators later to verify the disk or image integrity. In this process there is a problem of binding integrity, identity and date and time of access to digital evidence. In this paper the authors will present a valid time stamping method to signing a digital evidence in all stages of digital investigation process. Time stamp will be obtained from the secure third party (Time Stamp Authority). It will be used to prove the time when the staff access the evidence in any stages of forensic investigation.
... Casey, (2004) described this to mean whatever information kept digitally/sent electronically which may assist in unravelling any of those unbecoming acts. Hosmer (2002) held that, there are number of inhibitions to the use of electronic evidences which needs some particular and unique processes. This is not without challenges, among many is sustaining the in the use of electronic evidences, because of the fragility of electronic information as it could be manipulated. ...
... This can be done, intentionally or accidentally, even by a novice computer user, which poses a problem for the expert and requires vigilance. In fact, proving the integrity of digital evidence requires digital forensic experts to have the knowledge, skills and experience to apply the complex methods and tools of computer science and information security [5]. Digital forensic experts use their knowledge and skills to obtain clear evidence of the integrity and reliability of evidence, or to present evidence and testimony that casts doubt on the authenticity of electronic data. ...
Article
Full-text available
This article analyzes some aspects of the practice and legislation of certain foreign countries in the field of digital forensics. The article mainly concerns the practice of using digital evidence and covers the rules for collecting, examining, evaluating and presenting digital evidence in court. Methods for ensuring and assessing the integrity of digital evidence are also studied.
... due to an update, the IRI may stay the same. Thus, any agent retrieving the dataset could not infer the integrity of the dataset just from the reference but would have to employ additional measures, e.g. as done today via checksums or digital signatures of the underlying content [3]. The original intention of the creator of the link may thus be violated without actually knowing about the violation. ...
Article
Full-text available
The distribution of information through web protocols is today based on the client-server model. Recently, decentralized protocols with greater availability appear as well as blockchain-based attestation methods, allowing for proving the existence of information. In combination, these methods promise a secure, decentralized and long-term storage. However, there exist two major problems: (1) the scalability of blockchains limits their storage capacity and (2) various (de)centralized web protocols are in use and could alleviate this problem, but they do not support blockchain-based attestations. In this paper, we extend an approach for blockchain-based attestation with compatibility for multi-protocol storage. Instead of specific protocols or blockchains, the extended approach aims to contribute novel concepts to the discussion on blockchain scalability. It augments the capabilities of existing protocols for applications such as certification or timestamping of digital artifacts. With the use of decentralized protocols such as IPFS, further availability and inherent resilience properties are gained, allowing for applications such as open research repositories and digital registries. We discuss the architecture of the extended approach, a possible implementation in a smart contract on the Ethereum blockchain with IPFS and Git, and evaluate the time and cost of attestations.
... The initial phase of digital forensics examination starts with the acquisition of data from digital exhibits such as hard disks, USB storage devices etc. seized from the crime scene (Hosmer, 2002). This is done by creating a forensically sound copy of the storage media, which in turn, is achieved by creating a bit-stream image of it (Carlton, 2007). ...
Article
In digital forensics, maintaining the integrity of digital exhibits is an essential aspect of the entire investigation and examination process, which is established using the technique of hashing. Lack of knowledge, while handling digital exhibits, might lead to unintentional alteration of computed hash, rendering the exhibit unacceptable in the court of Law. The hash value of a physical drive does not solely depend upon the data files present in it but also its file-system. Therefore, any change to the file-system might result in the change of the disk hash, even when the data files within it remain untouched. In this paper, our objective is to study the role of file-system in modification of the hash value. We examine and analyse the changes in the file-system of a NTFS formatted USB storage device, which leads to modification in its hash value when the device is plugged-in to the computer system without using write-blocker. The outcome of this research would justify the importance of write blockers while handling digital exhibits and also substantiate that the alteration in hash value of a storage device might not be an indication that data within the device has been tampered with.
... Who. We must perform an authentication and give an answer to the question regarding the procedure of investigations at each level and stage who had access to the digital evidence and any manipulations of evidence [18]. For this purpose, the good method is use a biometric identification and authentication for digital signing (Who). ...
Article
Full-text available
Chain of custody plays an important role to determine integrity of digital evidence, because the chain of custody works on a proof that evidence has not been altered or changed through all phases, and must include documentation on how evidence is gathered, transported, analyzed and presented. The aims of this work is first to find out how the chain of custody has been applied to a wide range of models of the digital forensic investigation process for more than ten years. Second, a review of the methods on digitally signing an evidence that achieves the successful implementation of chain of custody through answering a few questions "who, when, where, why, what and how", and thus providing digital evidence to be accepted by the court. Based on the defined aims, an experimental environment is being setup to outline practically an acceptable method in chain of custody procedure. Therefore, we have adopted SHA512 for hashing and regarding encryption RSA and GnuGP is applied where according to the defined requirement a combination of these algorithms could be adopted as a practical method.
... How long can we prove the integrity of the digital evidence that we signed? A secure and auditable time stamping mechanism or function is a solution to these questions (Hosmer 2002). When the forensic copy is done, a time stamp that is resistant to manipulation and provides an authenticated audit trail is created. ...
Article
Full-text available
The growth in the computer forensic field has created a demand for new software (or increased functionality to existing software) and a means to verify that this software is truly forensic i.e. capable of meeting the requirements of the trier of fact. In this work, we review our previous work---a function oriented testing framework for validation and verification of computer forensic tools. This framework consists of three parts: function mapping, requirements specification and reference set development. Through function mapping, we give a scientific and systemized description of the fundamentals of computer forensic discipline, i.e. what functions are needed in the computer forensic investigation process. We focus this paper on the functions of media preparation, write protection and verification. Specifically, we complete the function mapping of these functions and specify their requirements. Based on this work, future work can be conducted to develop corresponding reference sets to test any tools that possess these functions.
... There are several recommendations and attempts at standardization in this field. The first organization, established in the mid-1990s with the aim to "ensure the harmonization of methods and practices at the international level and guarantee the use of digital evidence in the courts of other countries" [94], was the international organization for digital evidence (Eng. According to the SWGIT recommendations [95], there are several methods for ensuring the integrity of evidence: hash function, visual verification, digital signature, written documentation, CRC (Eng. ...
Thesis
Full-text available
The ultimate goal of every digital forensic investigation is lawfully acquired and by the court accepted digital evidence. This means that all the evidence must be collected through the process of digital forensic investigation, which cannot begin without the order of the court, prosecution or administrative case of internal investigations in enterprises. The integrity of digital evidence must be preserved and prove, on the way proving the inviolability of the chain of evidence. This means that we anytime must: know, who, what, when, how, why and where they come into contact with digital evidence. If there is an interruption of the chain, the court will not accept the evidence. The main aim of this thesis is scientific research that will give insight into the methods of maintaining the chain of digital evidence, methods to prove the integrity of digital evidence and clarification of the life cycle of digital evidence. The goal is to address the shortcomings of existing methods, and defining new directions of research in solving chain of digital evidence problems using the ontology of digital evidence through "DEMF" - Digital Evidence Management Framework. The reason is to exactly know answer all the important questions participants in the digital investigation, but would also maintain the chain of evidence. The ultimate goal is to formally describe concepts that occur in the process of managing digital evidence, and build a framework to help judges and other persons engaged in the admissibility of digital evidence. Ontology of digital evidence and the chain of evidence are developed, basic business rules (if-then rules) are defined, which are the main driver framework that allows determining which evidence is formally acceptable and which is not. Validation and evaluation of ontology are constructed, and few instances created, that were used for the framework testing.
In addition, in this paper is presented, a preliminary research conducted at the courts in Bosnia and Herzegovina, related to digital evidence, proving the inviolability of the chain of evidence, and construct the admissibility of digital evidence. Keywords: digital forensic, digital evidence, chain of custody, acceptability of digital evidence, ontology, knowledge modeling
... It uses checksum as other ICMPv6 messages. However, in the sense of security, checksum has some disadvantages as summarized in [26]. First, it has low assurance against malicious attack. ...
... How long can we prove the integrity of the digital evidence that we signed? A secure and auditable time stamping mechanism or function is a solution to these questions (Hosmer 2002). When the forensic copy is done, a time stamp that is resistant to manipulation and provides an authenticated audit trail is created. ...
Article
This paper introduces the Digital Records Forensics project, a research endeavour located at the University of British Columbia in Canada and aimed at the development of a new science resulting from the integration of digital forensics with diplomatics, archival science, information science and the law of evidence, and of an interdisciplinary graduate degree program, called Digital Records Forensics Studies, directed to professionals working for law enforcement agencies, legal firms, courts, and all kinds of institutions and businesses that require their services. The program anticipates the need for organizations to become “forensically ready,” defined by John Tan as “maximizing the ability of an environment to collect credible digital evidence while minimizing the cost of an incident response” (Tan, 2001). The paper argues the need for such a program, describes its nature and content, and proposes ways of delivering it.
... [SWGIT] According to the recommendations of SWGIT [2] there are few methods for demonstrating integrity: hashing function, visual verification, digital signature, written documentation, checksum (CRC), encryption, watermarks and proprietary methods. Hosmer [8] recommended a checksum method with CRC16, CRC32, one-way hash algorithm, SHA-1, MD5, MD4, MD2 and digital signature RSA, SA and PGP in order to prove integrity of digital evidence. ...
... Existing protection digital evidence measures including [2]: check the checksum, unidirectional hash operation and digital signature and so on. Because the process model of Computer Forensics has introduced generally evidence supervising mechanism [3][4][5][6][7][8], judicial officials' computer evidence collection process is supervised by the supervisor. ...
Article
To protect digital evidence during computer forensics, measures for protecting digital evidence were analyzed, and a project for protecting digital evidence (Digital Evidence Protection System, called DEPS) was designed. In this paper, the framework and elements of DEPS are introduced, and the multi-digital-signature and digital time-stamp mechanisms of DEPS are described.
... There are certain methods and tools available that ensure evidence is not altered either willingly or accidentally. A decade back Chet Hosmer [16] gave several methods for finding integrity of digital evidence like Checksum, Hash algorithms and digital signatures; those can be applicable for current trends also. There is a need of proper care for hashing because some recent studies show a chance of having the same hash value. Some example tools are Write Blocker and hashing techniques. ...
... 6 Open Questions Chet Hosmer, CEO of WetStone Technologies, Inc. [Hos02], points out that time data needs to have information assurance (IA) attributes: Accuracy | Time is derived from an authoritative source and has the requisite precision. ...
... Digital integrity is defined as "the property whereby digital data has not been altered in an unauthorised manner since the time it was created, transmitted, or stored by an authorised source" [17] in [18]. Again, a reminder that digital evidence must be able to sustain or disprove a hypothesis [19] while emphasizing integrity. ...
Article
Virtual machine technology has emerged with powerful features, offering several benefits and promising revolutionary outcomes. It is one technology that combines into one package several computing concepts like resource management, emulation, time-sharing, isolation and partitioning. These features have made evidence acquisition and preservation difficult and in some cases unfeasible. The aftermath is that conventional approaches to integrity preservation have not yielded the best results required to facilitate acceptability. Subjects around virtualization forensics, its affiliation with digital evidence integrity, and impacts on admissibility have been decisively examined. A part of this discourse dwelt on recognising potential threats to the integrity and reliability of evidence from a virtual environment, specifically using VMware Virtual Machine Monitor as a case study. A theoretical framework for preserving the integrity of digital evidence from such environments is introduced. This structure highlights guidelines, processes and parameters essential for keeping the accuracy, consistency and trustworthiness of digital evidence, made possible via abstractions from eminent integrity principles of well-formed transactions and separation of duties as proposed by Clark and Wilson. Key parameters in the model include strength of hash functions, number of evidence attributes, and number of evidence cycles covered, all represented conceptually in a mathematical model. This is further consolidated with the introduction of an integrity rating factor/threshold and the definition of an integrity enforcement process in line with globally recommended standards. While still working on practical demonstration of the proposed model, the work done so far is seen to open a path for unification and amplification of trust levels required for the admissibility of virtual environment evidence.
... Another important aspect of e-transactions is time (Hosmer, 2002). Secure and auditable time stamping to digital evidence eliminates the possibilities for fraud and unintended errors, and can provide evidence of priority for financial records and other business documents. ...
Article
The effective management of information and its associated infrastructure is critical in electronic business. Failure to exercise due diligence in information assurance and security may lead to lost revenue or business opportunities, brand and reputation erosion, adverse media publicity, scrutiny from consumer advocates and even lawsuits. Traditionally, information security was approached in terms of goals. Yet, the goals-oriented approach may be a flawed one. In this paper, we adopt a conceptual analytical approach and propose a tri-dimensional understanding of information security in electronic business. Our approach can help managers better understand and communicate the information security's role in e-business and the inter-dependencies between business and legal requirements, for devising the goals, objectives and policies relevant to their organization.
... Tampering frauds comprise firstly, the change in metadata and contents of the file for which existing tools, in most of the cases, provide satisfactory solutions. Secondly, the tampering of modification, access and creation date and time stamps (MAC DTS) of digital documents (Boyd et al., 2004; Hosmer, 1998; Weil, 2002; Hosmer, 2002) with ease pose a great threat and proves to be a major hurdle in digital forensic investigation. MAC DTS entities reveal the fundamental information regarding when the file was first created and the following modification and access information, which plays an important role in reconstruction of sequence of events in digital ...
Article
As electronic documents become more important and valuable in the modern era, attempts are invariably made to take undue advantage by tampering with them. Tampering with the modification, access and creation date and time stamps (MAC DTS) of digital documents pose a great threat and proves to be a major handicap in digital forensic investigation. Authentic date and time stamps (ADTS) can provide crucial evidence in linking crime to criminal in cases of Computer Fraud and Cyber Crimes (CFCC) through reliable time lining of digital evidence. But the ease with which the MAC DTS of stored digital documents can be changed raises some serious questions about the integrity and admissibility of digital evidence, potentially leading to rejection of acquired digital evidence in the court of Law. MAC DTS procedures of popular operating systems are inherently flawed and were created only for the sake of convenience and not necessarily keeping in mind the security and digital forensic aspects. This paper explores these issues in the context of the Ext2 file system and also proposes one solution to tackle such issues for the scenario where systems have preinstalled plug-ins in the form of Loadable Kernel Modules, which provide the capability to preserve ADTS.
... Digital integrity has been defined as the property whereby digital data has not been altered in an unauthorized manner since the time it was created, transmitted, or stored by an authorized source [16]. Today, several methods [17] exist that can be used to prove the integrity of digital evidence include:- 1. Checksum; a method for checking for errors in digital data. ...
... 62 Digital evidence includes not only business records introduced by a litigant or defence counsel, but also materials that may be found in seized computer hard drives and backup media, real-time email messages, chat-room logs, ISP records, web pages, digital network traffic, local and virtual databases, digital directories, wireless devices, memory cards, and digital cameras. 63 These belong not only to business enterprises, but to private individuals. How can the context of the extracted information be presented and understood, and subsequently protected, in such a way that the integrity of the data is preserved? ...
Article
This article analyzes the adequacy of The Uniform Electronic Evidence Act, twelve years after its adoption, in dealing with the complexity of the records created, used, or stored in the digital environment. In the face of rapidly changing technology, the authors believe that the nature and characteristics of electronic records cannot be accounted for by simple modifications to the existing law of evidence, but require a new enactment following upon a close collaboration among records professions, legal and law enforcement professions, and the information technology profession. The new rules, comprehensively encompassing issues of relevance, admissibility, and weight of electronic documentary evidence, must be based on the body of knowledge of each profession, on the findings of interdisciplinary research, and on existing records-related standards. The enactment of such rules would help the courts make accurate findings of fact, based on electronic records that are created in a reliable environment and preserved in an authentic form for as long as they might be needed, and would alleviate ongoing confusion about the admissibility and use of electronic records in litigation.
... [SWGIT] According to the recommendations of SWGIT [2] there are few methods for demonstrating integrity: hashing function, visual verification, digital signature, written documentation, checksum (CRC), encryption, watermarks and proprietary methods. Hosmer [8] recommended a checksum method with CRC16, CRC32, one-way hash algorithm, SHA-1, MD5, MD4, MD2 and digital signature RSA, SA and PGP in order to prove integrity of digital evidence. ...
Conference Paper
Chain of custody plays an important role in digital forensic investigation. Contact with different variables occurs through a life cycle of digital evidence. To prove chain of custody, investigators must know all details on how the evidence was handled every step of the way. “Five WS (and one H)” must be applied. Life cycle of digital evidence is very complex, and at each stage there is more impact that can violate a chain of custody. This paper presents a life cycle of digital evidence and problems with implementation of chain of custody in digital investigation. The authors also warn of certain shortcomings in terms of answering specific questions, and give some recommendation for further research. New framework based on Five WS will be presented.
Thesis
The area of Digital Forensics has long been described as the process of acquisition, preservation, examination, interpretation and reporting of digital evidence (Carrier & Spafford, 2003; Mushtaque, 2015). Over the last two decades, the world has experienced a cumulative evolution in IT technology and cybercrime (Arshad, Jantan, & Omolara, 2019). The technology field has become very dynamic and the number of types of digital devices with processing and storage capacity in common usage, such as notebook computers, iPods, cameras and mobile phones, has grown extremely rapidly (Silver et al., 2019). However, the advance in the technology poses a greater challenge to the digital forensic discipline. The digital data which exists mostly in an intangible form requires the use of forensic software for analysis. Digital storage media such as the hard disk drive, the USB flash disk and mobile phones are the most common sources of evidence in cybercrime and the data stored upon these devices is only examinable by using digital forensic tools capable of interpreting it and presenting it in a readable format (Horsman, 2019). As a result, law enforcement agencies, as well as digital forensic researchers, are fully reliant on digital forensic tools during an investigation to provide an accurate analysis of evidence (Guo, Slay, & Beckett, 2009). The rapid growth of the Internet in the 1990s was marked by the introduction of web browsers, which people used to perform different activities such as searching for information, joining online blogs or social networks, shopping online and communicating through emails or instant messaging (Herjavec, 2019). The ease of access and various benefits provided by web browsers not only attracted businesses and young people, it also opened a gateway for cybercriminals. 
Cybercrime is referred to as the act of performing a criminal act using cyberspace as the communication medium, such as computer-related frauds, cyber defamation, cyber harassment, child predation, identity theft, planning and carrying out terrorist activities, software piracy and other crimes (Arora, 2016). Web browsers are designed in a way that enables users to record and retain much information related to their online activities, which includes caching files, visited URLs, search items, cookies and others (Said, Mutawa, Awadhi, & Guimaraes, 2011). These web browser data could easily be retrieved by any user without using digital forensic tools, until the introduction of the web browser privacy mode known as private browsing (Horsman et al., 2019). The two essential objectives of private browsing are to protect users from local attackers, allowing users to browse the Internet without leaving any traces on machines, and protect them from web attackers, and allowing them to browse the Internet while limiting identity discoverability to website servers (Aggarwal, Bursztein, Jackson, & Boneh, 2010). However, the introduction of private browsing has prompted digital forensic researchers and law enforcement agencies to seek different approaches to solve the issue of browsing content absence, even though private browsing is claimed not to be an anti-forensics tool (Horsman et al., 2019). Commercial digital forensic tools such as the EnCase, X-Ways, and Pro-Discovery have been utilised by many law enforcement agencies and researchers despite issues such as high cost, strict licensing guidelines and proprietary source codes (Reverchuk, 2019). Furthermore, open-source tools were developed to counter the issues. This research aims to assess and compare the capabilities between commercial and open-source tools in the acquisition and analysis of web browser data during normal and private browsing.
Thesis
In this thesis, the evidential value of electronically signed (e-signed) records is examined in terms of archival trustworthiness. The problem is the risk that these records, generated and archived in organizations’ electronic records management systems, cannot preserve their authenticity over time. This may threaten the evidential value of e-signed records, particularly those that will be stored for a long time, and cause doubts about their trustworthiness. The hypothesis is as follows: “Due to the fragility of structures such as e-signature, timestamp and e-seal and the failure of institutions to adopt necessary controls, the evidential value of archived e-signed records may be lost over time in the process of long term preservation.” A mixed method was adopted in the thesis; qualitative and quantitative research was conducted. In the qualitative part of the field research, experts who have evaluated e-records management practices in different organizations in Turkey were selected as a sample. Nine (9) people were interviewed. In the quantitative part, six (6) institutions from the ministries sample, which are the cluster of organizations that employ the most public personnel in Turkey, were examined. In the qualitative research, it was asked whether the experts also adopted the opinions that emerged from the literature readings, and it was understood that all of these opinions were accepted, except for one. In the quantitative research, practices of the institutions regarding the maintenance of the archival bond, provision of the necessary technological conditions and enacting of policies and procedures for the preservation of trustworthiness of the records were criticized.
In the light of the answers given to the questions, it has been seen that the institutions do not have enough successful practices in these areas. Institutions are more successful in providing technological conditions. It has been understood that e-records management is not considered as a process, but adopted just as a software in the field. In order to preserve the trustworthiness of e-signed records and prevent their evidential value from being put at risk, it has been concluded that policies and procedures for long-term preservation should be enacted, the necessary technological conditions should be provided, and the archival bond should be maintained without breaking the record hierarchy.
Chapter
Information systems have transitioned from being designed for sophisticated users to systems for general populace. Have information security thoughts evolved likewise? The traditional understanding of security gravitated towards physical/network/platform/security and audit logging mechanisms. This chapter looks into evolution of information security, with the current impetus towards boundary-less enterprises, federated identities, the contemporary standards, and the need for federal governments to be involved in information security, ethics, and privacy concerns. With such a gamut of influencing forces, information security needs to be inbuilt with SDLC as a natural process rather than as an afterthought. This chapter covers information security trends in relation to cloud, mobile devices, and Bring Your Own Device. Convergence of information security with risk management and business process continuity is discussed. The authors indicate a few emerging research topics in the field of information security and outline the trends for future.
Article
Digital forensics is an emerging research field involving critical technologies for obtaining evidence in digital crime investigations. Several methodologies, tools, and techniques have been developed to deal with the acquisition, preservation, examination, analysis, and presentation of digital evidence from different sources. However, new emerging infrastructures such as service-oriented architecture have brought serious new challenges for digital forensic research; ensuring that evidence will be neutral, comprehensive, and reliable in such a complex environment is a challenging research task. To address this issue, the authors propose in this article a generic conceptual model for digital forensics methodologies to enable their application in a service-oriented architecture. Challenges and requirements to construct a forensically sound evidence management framework for these environments are also discussed. Finally, the authors show how digital forensics standards and recommendations can be mapped to service-oriented architecture.
Article
The usability of electronic evidence in criminal proceedings depends on its data integrity having been preserved. If the data integrity of a piece of electronic evidence has been compromised, this will adversely affect its validity and may cause its probative function to be lost. Foremost among the circumstances that can lead to the corruption of electronic data is its not having been collected and preserved under appropriate conditions. In this respect, the fact that electronic evidence is by its nature sensitive and easily corrupted requires that certain basic principles be followed during its collection, that certain operations such as live analysis, imaging, hash value calculation, time stamping and chain of custody be carried out during the evidence collection process, and that the collected electronic data be preserved under appropriate conditions. In this study, we address the principles that must be followed and the operations that must be performed in the process of collecting and preserving electronic evidence.
Article
The effect of digitization has led to an increased dependency on the internet. At the same time, cyber-attacks are on the rise due to this increased digitization. In cybercrime cases, digital evidence is of utmost importance. The forensic investigation process always begins after the incident has occurred, by which time intelligent attackers have had enough time to destroy the traces. This paper proposes a prior evidence capture protocol that will help in the simultaneous collection of evidence when the crime has occurred. This collected evidence is in the form of a device fingerprint which will uniquely identify the fingerprintee client device. In the future, if a dispute arises, these prior captured device fingerprints can be used as legal evidence and help in the process of forensic investigation. The proposed protocol uses the concept of a trusted time stamping server (TTSS) to prove the integrity and non-repudiation of the collected evidence. The timestamps are attached by the trusted third party TTSS to all collected evidence; these timestamps cannot be changed by local client devices. The paper also provides security validation of the proposed protocol by using Burrows–Abadi–Needham (BAN) logic. The formal verification is also done by using the AVISPA tool. The results of AVISPA show that the proposed protocol is safe under the OFMC and Cl-AtSe models.
Article
Cloud computing becomes widely used as virtual data storage substituting the old-fashioned physical storage like hard disk. Users choose this service as some reasons, among others, cost efficiency and flexibility. As a storage, it is not only functioned for good-faith aims. Some illicit contents are also deposited herein. More so, evildoers take benefits from Cloud storage for the commission of their unlawful activities. For the sake of law enforcement, the circumstance that Cloud is utilized for crimes has become a certain challenge to the law enforcement personnel as Cloud computing is novel and may push the law enforcement personnel to expand their abilities to the field that they have not been familiar with. Worse, challenge increases because law enforcement agencies lack sophisticated tools and standards to maximize their work. When evidence is acquired, processed, and ready to be presented in the court, digital evidence does not stop demanding.
Thesis
Cyber and technology related crime is gradually increasing in Bangladesh. It is a significant issue in Bangladesh. It has already been seen that a glomming threat becomes visible in the arena of information technology. Recently the hacking of RAB website, ATM card skimming, Bangladesh Bank heist, Terrorist Activities in social Medias are few examples of them. In addition, Cyber bullying is becoming a major concern for parents on the subject of their children using the internet as majority of students in Bangladesh have experienced being bullied or disturbed online or being bullied by the same person both online or offline. Moreover, cybercrime is becoming a threat to government itself. Due to lack of necessary legislation to tackle such type of crime, cyber criminals are almost in the safe side to commit such crime. In the Information and Communication Technology Act-2006 and ICT (Amendment) Act-2013 there are several clauses against cybercrime. But this Information and Communication Technology act is not the concrete one. By enacting this act, there is a chance to become safe side after committing crimes. So, considering these facts a comprehensive Cybercrime Protection Act should be imposed. This research work incorporates the recent trend and issues of cybercrime in Bangladesh especially focus on the area of Personal life, Workplace as well as Policy making Bodies or Thinkers. I believe that this work would help all relevant concerns and especially policy makers.
Chapter
In this paper, a saliency and phase congruency based digital image watermarking scheme has been projected. The planned technique implants data at least significant bits (LSBs) by means of adaptive replacement. Here more information is embedded into less perceptive areas within the original image determined by a combination of spectral residual saliency map and phase congruency map. The position of pixels with less perceptibility denotes the most unimportant region for data hiding from the point of visibility within an image. Therefore any modification within these regions will be less perceptible to one observer. The model gives a concept of the areas which has excellent data hiding capacity within an image. Superiority of the algorithm is tested through imperceptibility, robustness, along with data hiding capacity.
Article
Digital forensics is a major area where researches are still being conducted on a large-scale basis as the growth of computer-assisted crimes are innumerous and the fine-tuned approaches to investigate cybercrimes are still in its infancy. Related manuscripts were obtained from previously published literature which discusses about the challenges that exist within the domain, from the increasing volume of data to the varying technology platforms and systems that exist. We conducted an extensive study and found that the lack of effective evidence data acquisition methods because of diversity of technology and their deployment platforms and the lack of effective models to process large volumes of data to analyze are key limiting factors in this domain. This paper reviews the existing forensic models, defines cybercrime, focuses on challenges and move on to proposing an enhancement of cyber forensic approach which includes an operating system assisted profiling and evidence preserving using virtualized secure logging scheme which can be applied to majority of technology platforms.
Chapter
In this paper, a saliency and phase congruency based digital image watermarking scheme has been projected. The planned technique implants data at least significant bits (LSBs) by means of adaptive replacement. Here more information is embedded into less perceptive areas within the original image determined by a combination of spectral residual saliency map and phase congruency map. The position of pixels with less perceptibility denotes the most unimportant region for data hiding from the point of visibility within an image. Therefore any modification within these regions will be less perceptible to one observer. The model gives a concept of the areas which has excellent data hiding capacity within an image. Superiority of the algorithm is tested through imperceptibility, robustness, along with data hiding capacity.
Article
The release of trusted computing (TC) technology and its features, such as full disk encryption, has had several implications on the digital forensic investigation process. Today, it is clear from the number of proposed works that trusted computing forensics is a non-trivial topic. This paper presents the state of the art in trusted computing forensics. It starts by establishing the context of the research area by introducing the concept of trusted computing. Then, it reviews the existing trusted computing forensic researches related to all of the branches of digital forensics and investigation steps. Finally, this paper discusses the current open issues and future research directions in the field of trusted computing forensics. To the best of our knowledge, this paper is the first research to investigate the state of trusted computing forensics using a classification way based on the digital forensic types and investigation steps.
Article
Information systems have transitioned from being designed for sophisticated users to systems for general populace. Have information security thoughts evolved likewise? The traditional understanding of security gravitated towards physical/network/platform/security and audit logging mechanisms. This chapter looks into evolution of information security, with the current impetus towards boundary-less enterprises, federated identities, the contemporary standards, and the need for federal governments to be involved in information security, ethics, and privacy concerns. With such a gamut of influencing forces, information security needs to be inbuilt with SDLC as a natural process rather than as an afterthought. This chapter covers information security trends in relation to cloud, mobile devices, and Bring Your Own Device. Convergence of information security with risk management and business process continuity is discussed. The authors indicate a few emerging research topics in the field of information security and outline the trends for future.
Article
Abstract. Cyber crime, a term we hear more and more often today, poses new future threats as its scale increases. One of the most important issues in the detection and prosecution of a cyber crime is the digital evidence seized from the crime scene. Digital evidence has a fragile structure and can easily be changed or corrupted. For this reason, particular procedures and methods must be followed while seizing, transferring, and analyzing the evidence. For digital evidence to have the properties of conclusive evidence in the course of a trial, it must be proved that it has not been changed since it was seized, and by whom and on which date it was seized. In this paper digital evidence in the context of cyber crime will be covered from different aspects, and the existing difficulties and future proposals will be evaluated. Keywords: cyber crime, digital evidence, digital evidencing, computer forensics.
Article
Digital evidence is of paramount importance in the prosecution of a cyber crime; however, its legal acceptance in the courtroom has some fundamental prerequisites. This is because of its fragile structure, which enables the adversary to delete, modify, or corrupt it before the prosecution takes place. In this paper we present A3D3M as a system model that provides the security of the process for capturing digital evidence at the cyber crime scene. Public key cryptography and digital signatures are among the tools A3D3M employs to establish an integrated solution. As a part of our work, we also try to tackle some of the inherent problems public key technology has when it is applied to the verification of digital evidence.
Chapter
How to Capture and Preserve Digital Evidence Securely? For the investigation and prosecution of criminal activities that involve computers, digital evidence collected in the crime scene has a vital importance. On one side, it is a very challenging task for forensics professionals to collect them without any loss or damage. On the other, there is the second problem of providing the integrity and authenticity in order to achieve legal acceptance in a court of law. By conceiving digital evidence simply as one instance of digital data, it is evident that modern cryptography offers elegant solutions for this second problem. However, to our knowledge, there is not any previous work proposing a systematic model having a holistic view to address all the related security problems in this particular case of digital evidence verification. In this paper, we present PKIDEV (Public Key Infrastructure based Digital Evidence Verification model) as an integrated solution to provide security for the process of capturing and preserving digital evidence. PKIDEV employs, inter alia, cryptographic techniques like digital signatures and secure time-stamping as well as latest technologies such as GPS and EDGE. In our study, we also identify the problems public-key cryptography brings when it is applied to the verification of digital evidence.
Conference Paper
The field of digital forensics is faced with a number of challenges, given the constant growth in technologies. The reliability and integrity associated with digital evidence from disparate sources is also a perpetual challenge, requiring considerable human interpretation in the reconstruction of any particular sequence of events. In this paper we present a framework for an integrity-aware forensic evidence management system (FEMS). In an effort to automate the analysis process, this system would provide investigators with a holistic view of the forensic evidence at hand; thereby providing insights into the quality of investigative inferences. The Biba integrity model is incorporated to preserve the integrity of digital evidence, while Casey's Certainty Scale is chosen as the integrity classification scheme. A finite state automaton (FSA) is used to model the behaviour of the FEMS. In so doing, cyber crime profiling is achieved.
Conference Paper
Non-repudiation of digital evidence is required by various use cases in today's business cases for example in the area of medical products but also in public use cases like congestion charges. These use cases have in common that at a certain time an evidence record is generated to attest for the occurrence of a certain event. To allow for non-repudiation of such an evidence record it is required to provide evidence on the used device itself, its configuration, and the software running at the time of the event. Digital signatures as used today provide authenticity and integrity of the evidence record. However the signature gives no information about the state of the Measurement Instrument at the time of operation. The attestation of the correct operation of the evidence collector is discussed in this paper and an implemented solution is presented.
Conference Paper
The main challenge in Network Forensics, especially during the trial session, is to protect the evidence and preserve its contents from malicious attempts to modify and tamper with it. Any potential evidence that is not accurate, complete, reliable and verifiable will certainly affect the decision of the jury and judges. In this paper, we classify the potential evidence that will be stored in the network storage based on its contents, characteristics and functions. We also propose a Secure Storage Model, which implements components that preserve evidence using Cryptographic Hashing and Logging Report. As a result, we present the flow of our storage mechanisms and show the importance of hashing for forensics work to secure collected network evidence.