Conference Paper

(Im)Proving Chain of Custody and Digital Evidence Integrity
with Time Stamp
Jasmin Ćosić and Miroslav Bača
IT Section of Police Administration
Ministry of Interior of Una-sana canton
502.V.bbr br.2, Bihac, B&H
Phone: +387 61 790 484 E-mail: jascosic@bih.net.ba;
Faculty of Organization and Informatics
University of Zagreb
Pavlinska 2, Varazdin, RH
Phone: +385 98 552 235 E-mail: miroslav.baca@foi.hr
Abstract - The integrity of digital evidence plays an important role in the digital forensic investigation process. A proper chain of custody must include information on how evidence is collected, transported, analyzed, preserved, and handled. There are several methods adapted for digitally signing evidence in order to (im)prove the integrity of digital evidence. Most forensic tools and applications use some kind of hashing algorithm to allow investigators to later verify disk or image integrity. In this process there is the problem of binding integrity, identity, and the date and time of access to the digital evidence.
In this paper the authors present a valid time stamping method for signing digital evidence in all stages of the digital investigation process. The time stamp is obtained from a secure third party (Time Stamp Authority). It is used to prove the time at which staff accessed the evidence in any stage of the forensic investigation.
I. INTRODUCTION
Chain of custody and the integrity of digital evidence play a very important role in the digital forensic investigation process, because in every phase forensic investigators must know where, when and how the digital evidence was discovered, collected and handled, when and by whom it was touched, and so on. A proper chain of custody must include documentation that answers all of these questions. If one of these questions remains unanswered, the chain of custody is compromised and broken. In that case, when the evidence is presented in court, a single missing link in the chain of evidence means the court would not accept the evidence as relevant, and the whole investigation process would be futile.
The most common question that remains unanswered in the presentation of digital evidence is: "Who, when, where and for which reason came into contact with the digital evidence?" The most sensitive variable is the "time of contact" with the digital evidence.
Digital evidence can be a single file with or without an extension, a few files, one partition on a hard disk, the whole hard disk, a USB flash memory device, CD/DVD/Blu-ray discs, or any other removable media.
Whether the forensic investigation concerns removable media or a hard disk, the object of our investigation is ultimately a computer file. We must always make completely identical "bit-for-bit" copies of the original files. When the original digital evidence circulates through its phases, or passes through all stages of the digital investigation process, the staff who handle it often change. We must document not only the changes but also every time of contact with the evidence.
II. CHAIN OF CUSTODY AND LIFE CYCLE OF DIGITAL EVIDENCE
Chain of custody may be defined as "a road map that shows how evidence was collected, analyzed, and preserved in order to be presented as evidence in court" (John Vacca, p. 154) [1]. Chain of custody plays a very important role in the digital investigation process. The phrase refers to the accurate auditing and control of original evidence material that could potentially be used for legal purposes. Knowing the current location of the evidence is not enough; there should be accurate logs tracking the movement and possession of evidence material at all times [2]. The investigator must be able to answer the following questions throughout the forensic investigation process:
1. What is the digital evidence?
2. Where was the digital evidence discovered, collected, handled and/or examined?
3. Who came into contact with the digital evidence, handled it, and discovered it?
4. What is the reason for using the digital evidence?
5. When was the digital evidence discovered, accessed, examined or transferred?
6. How is the digital evidence used?
A proper chain of custody must include documentation on how data is gathered, transported, analyzed, preserved, and handled (paying special attention to, for example, international evidence). This information is important in the verification of electronic data, since such data can be easily altered if proper precautions are not taken.
Maintaining a proper chain of custody is important to the one who preserves the data, as well as to authorities who may want to pursue legal action [1]. Adopting a chain of custody helps an investigator prove that incriminating evidence was not destroyed and that no external evidence was planted.
III. DIGITAL EVIDENCE INTEGRITY
According to Vanstone [3], digital integrity is "the property whereby digital data has not been altered in an unauthorized manner since the time it was created, transmitted, or stored by an authorized source". The integrity of digital evidence ensures that the information presented is complete and unaltered from the time of acquisition until its final disposition [SWGIT].
There are several methods adapted for digitally signing evidence in order to (im)prove its integrity. Today most forensic tools and applications implement some type of checksum or hashing algorithm to allow investigators to later verify disk or image integrity [4]. The cryptographic hashing functions and the other signing methods have the technical characteristics summarized in Table I.
TABLE I
Methods for digitally signing evidence

Method: Cyclic redundancy checks (CRC 16, CRC 32, CRC 64)
Length: 16 bit, 32 bit, 64 bit
Description: A Cyclic Redundancy Check (CRC) is often used in file transfer to verify that the data transfer was successful.
Advantages: Very simple to use; very fast; small output.
Disadvantages: Not a secure hash function; problem with message analysis; it is easy to generate other messages that result in the same CRC.

Method: Cryptographic hash function (MD2, MD4, MD5, SHA1, SHA224/256, SHA384/512)
Length: 128 bit, 128 bit, 128 bit, 160 bit, 224/256 bit, 384/512 bit
Description: A hashing function establishes a mathematical calculation that generates a numerical value based on the input data. This numerical value is referred to as the hash value.
Advantages: It is easy to compute the hash value for any given message; secure hash function; cryptographic hash function.
Disadvantages: Collision and preimage attacks, except for SHA 224/256 and SHA 384/512 [5].

Method: Digital signature
Length: Depending on the hash function used
Description: The resulting hash is encrypted with a specific private key. File integrity can be verified using the hash value and the public key.
Advantages: Binds identity to integrity.
Disadvantages: Very slow; very complex to implement.

Method: Time stamp
Length: Depending on the hash function used
Description: Time stamps are typically used for logging events, in which case each event in a log is marked with a time stamp. In file systems, a time stamp may refer to the stored date/time of file creation or modification. Trusted time stamping is the process of securely keeping track of the creation and modification time of a document.
Advantages: Binds date and time to integrity.
Disadvantages: Very complex to implement; dependence on a "third party".

Method: Encryption
Length: Depending on the algorithm used
Description: Encryption is the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as the key. The result of the process is encrypted information. Encryption itself can protect the confidentiality of messages.
Advantages: Very secure.
Disadvantages: Very slow; complex to implement and maintain.

Method: Watermarking
Length: Depending on the algorithm used
Description: Watermarking is the process of embedding information into another object/signal. It combines aspects of data hashing and digital watermarking [6].
Advantages: Very secure and simple to use.
Disadvantages: The user cannot significantly alter some files without sacrificing the quality or utility of the data.
IV. USING TIME STAMP FOR SIGNING DIGITAL
EVIDENCE
There are many definitions of a time stamp. In the real world, a time stamp can represent some moment in time; in the computer (digital) world, the time stamp represents a specific moment in time, but in digital format. Time stamps and digital time stamping play a very important role in digital forensics, because there is a need to know the time of certain moments in the investigation process.
It is very important to know the answer to the question that we can be asked in the courtroom: "When was the digital evidence accessed, and how long have the staff been in contact with the evidence?" The next question could be: "How long can we prove the integrity of the digital evidence that we signed?" [7]. Time is an important factor in settling such a question. We must prove the integrity of the digital evidence, and we need to know the correct time at which the digital evidence was accessed. A big problem here is a trusted source of time, because in both the real and the digital world time always depends on the setting of the clock that generates it. For example, if we use a personal computer whose clock is wrong, we will get a wrong time stamp. Because of that, the time cannot be considered completely reliable, and in this case the time stamp cannot be used as a vital factor in reconstructing events in digital forensics.
The problem of digital time stamping has been the subject of several studies. Hosmer [7] emphasizes the use of time to prove the integrity of digital evidence, and states the three steps that we must take in order to effectively use digital evidence to prove the motive, opportunity and means of cybercrimes:
Step 1: Traceability to Legal Time Source
Step 2: Time Distribution
Step 3: Source Digital Time stamping
Weil [2002] and Boyd [2004] advocate the use of correlation methods for time stamps stored on the target computer that were created by other clocks (e.g. time stamps in dynamically generated web pages) [8]. In their research on clock synchronization in computer networks, Schatz, Mohay and Clark [9] suggest that clock drift can be mitigated by correlating time stamps stored in the web cache of a web page with records obtained from web servers.
There is a lack of research on using a time stamp to improve the integrity of digital evidence with regard to the moment when the human factor (the staff) accesses the evidence. The staff who may handle digital evidence include: first responders, forensic investigators, court expert witnesses, law enforcement personnel, police officers, the victim, the suspect, passers-by, etc. Each of the above-mentioned people can affect the evidence in a particular situation, and therefore it is very important to know who comes into contact with the evidence, and when and where.
The time when digital evidence is discovered and collected, and who comes into contact with it, is vital to reconstructing events and proving integrity. We must also know when digital evidence is transported.
A. Trusted Time Stamping
According to the RFC 3161 standard [10], a trusted time stamp is a time stamp issued by a trusted third party (TTP) acting as a time stamping authority (TSA). It is used to prove the existence of certain data before a certain point in time (e.g. contact with digital evidence) without the possibility of the owner backdating the time stamps. We can use multiple TSAs to increase reliability and reduce vulnerability.
Because of the problems with time stamp implementation and internal clock synchronization, and the impossibility of proving these facts in court, the authors introduce the use of a "trusted time stamp" and third-party service providers.
There are many TSAs in the world; in some countries a few, and in some (e.g. Croatia) just one [11]. We can use the services of a trusted Time Stamping Authority to prove the consistency and integrity of digital evidence in every stage of its existence. It is particularly important to have recorded every moment at which the digital evidence is accessed. Otherwise, the chain of custody would be broken, and this would affect the outcome of the investigation. This is very important in the international exchange of digital evidence and in international digital investigations.
When the Time Stamp Authority (TSA) that we contact to get a time stamp processes our request, a few "external auditors" act as witnesses. In some cases there is one, in some two auditors [12], who document the chain of evidence.
The process of obtaining a time stamp from the TSA, which will prove the existence of, and contact with, the digital evidence by all staff at any time, consists of several steps divided into two separate parts:
On the client side:
1. Creating a unique identifier, a fingerprint (hash) of the digital evidence (SHA-256, MD5, etc.)
2. Sending the fingerprint to a Time Stamp Authority
3. Verifying the response with the TSA's public key and storing it locally
On the side of the TSA:
1. Obtaining the official time from the time server
2. Adding a time stamp to the fingerprint
3. Protecting (signing) the result with the private key
4. Sending the digital signature to the client
These processes are illustrated in Figure 1.
Let us see what happens in this process. First, investigators (or other staff who handle the digital evidence) must generate a unique identifier, a fingerprint, of the digital evidence. In this process some of the previously mentioned methods can be used: a hash function or, for better security, multiple hash functions. It is proposed to use a highly secure SHA/MD algorithm.
After the hash of the digital evidence has been generated, these "few bits" are sent to the "third party", the Time Stamp Authority. It is important to mention that only the fingerprint (hash) is transmitted to the TSA, never the original file; the TSA cannot see the actual document (nor any file). Next, the TSA adds a time stamp to the received hash, calculates a new hash, and digitally signs the result with its protected signing key.
The TSA then sends this file back to the client (investigator), who holds a separate signing key pair of their own. In the next stage of the forensic investigation exactly the same process happens. In this way we can prove the time of the movement of the digital evidence at any stage of the forensic investigation.
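The client/TSA exchange described above, as an added Go example that is not the paper's code: the client fingerprints the evidence with SHA-256 and sends only the fingerprint plus a nonce, the TSA binds it to its own clock and signs with its private key, and the client verifies the signature, the nonce and the fingerprint before storing the token. The message formats, field names, and the use of JSON with ECDSA P-256 are simplifications assumed here in place of the ASN.1/CMS structures of RFC 3161.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// TimeStampReq is the client's message: only the fingerprint of the evidence
// and a fresh nonce, never the evidence itself (the TSA never sees the file).
type TimeStampReq struct {
	HashAlg string `json:"hashAlg"`
	Digest  []byte `json:"digest"`
	Nonce   []byte `json:"nonce"`
}

// TSTInfo is what the TSA signs: the request bound to the TSA's official time.
type TSTInfo struct {
	TimeStampReq
	GenTime time.Time `json:"genTime"`
}

// TimeStampToken is the TSA's reply: TSTInfo plus its signature.
type TimeStampToken struct {
	Info      TSTInfo `json:"info"`
	Signature []byte  `json:"signature"` // ECDSA (ASN.1) over SHA-256 of Info's JSON
}

type TSA struct {
	key *ecdsa.PrivateKey
	Pub *ecdsa.PublicKey // distributed to clients for verification
	now func() time.Time // the authority's trusted clock source
}

func NewTSA(now func() time.Time) *TSA {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only fails if the system RNG is unavailable
	}
	return &TSA{key: key, Pub: &key.PublicKey, now: now}
}

// Stamp is the TSA side: validate the request, take the official time,
// bind it to the fingerprint and sign the result with the private key.
func (t *TSA) Stamp(req TimeStampReq) (*TimeStampToken, error) {
	if req.HashAlg != "SHA-256" || len(req.Digest) != sha256.Size {
		return nil, errors.New("tsa: unsupported hash algorithm or malformed digest")
	}
	info := TSTInfo{TimeStampReq: req, GenTime: t.now().UTC()}
	enc, _ := json.Marshal(info) // cannot fail for these field types
	h := sha256.Sum256(enc)
	sig, err := ecdsa.SignASN1(rand.Reader, t.key, h[:])
	if err != nil {
		return nil, err
	}
	return &TimeStampToken{Info: info, Signature: sig}, nil
}

// Fingerprint is the client's unique identifier of the evidence (SHA-256).
func Fingerprint(evidence []byte) []byte {
	d := sha256.Sum256(evidence)
	return d[:]
}

// NewRequest builds the client's request; the nonce ties the reply to it.
func NewRequest(evidence []byte) TimeStampReq {
	nonce := make([]byte, 16)
	rand.Read(nonce) // crypto/rand fills the buffer fully; it only fails if the OS RNG is broken
	return TimeStampReq{HashAlg: "SHA-256", Digest: Fingerprint(evidence), Nonce: nonce}
}

// VerifyToken is the client-side check before the token is stored, repeated at
// every later stage: valid TSA signature, answers our request, matches the evidence.
func VerifyToken(pub *ecdsa.PublicKey, req TimeStampReq, tok *TimeStampToken, evidence []byte) error {
	enc, _ := json.Marshal(tok.Info)
	h := sha256.Sum256(enc)
	if !ecdsa.VerifyASN1(pub, h[:], tok.Signature) {
		return errors.New("verify: TSA signature invalid (token altered or not from this TSA)")
	}
	if !bytes.Equal(tok.Info.Nonce, req.Nonce) {
		return errors.New("verify: token does not answer this request (nonce mismatch)")
	}
	if !bytes.Equal(tok.Info.Digest, Fingerprint(evidence)) {
		return errors.New("verify: evidence no longer matches the time-stamped fingerprint")
	}
	return nil
}

func main() {
	tsa := NewTSA(time.Now)
	evidence := []byte("constructed sample: bytes of an acquired disk image") // constructed input
	req := NewRequest(evidence)
	tok, _ := tsa.Stamp(req)
	fmt.Println("stamped at", tok.Info.GenTime, "verify:", VerifyToken(tsa.Pub, req, tok, evidence))
	fmt.Println("after tampering:", VerifyToken(tsa.Pub, req, tok, append(evidence, '!')))
}
```

Re-running VerifyToken against the stored token at the next stage of the investigation is the integrity check the paper describes; a token whose time was altered after signing fails the signature check in the same way as a tampered image fails the fingerprint check.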
V. CONCLUSION AND FURTHER RESEARCH
Because of the rapid development of ICT, especially the Internet and digital communications, the movement of evidence is much greater today than ever before. As digital evidence is in bit/byte form, it is very easy to transfer it to the other side of the world in a few seconds [13]. One of the most important things in the forensic process is maintaining the chain of custody of digital evidence.
The purpose of this paper is to show a trusted time stamping method for signing digital evidence in every stage of the digital investigation process. The time stamp is obtained from a secure third party (Time Stamp Authority) and is used to prove the time at which staff accessed the evidence in any stage of the forensic investigation. Further research will focus on the next problem of the chain of custody: where the digital evidence is processed, and how a secure "Digital Evidence Management Framework" can be developed. That framework will help investigators to safely handle evidence, and to store a hash of the files in digital form, as well as a biometric signature, the time stamp, and the characteristics of the places where the evidence was accessed.
Figure 1: The process of time stamping digital evidence in all stages of the digital forensic investigation process
ACKNOWLEDGEMENTS
The presented data are from the scientific project
Methodology of biometrics characteristics evaluation
(016-0161199-1721) and practical project Multiple
biometric authentication using smart card (2008-043),
supported by the Ministry of Science, Education and Sport,
Republic of Croatia.
REFERENCES
[1] M. G. Nagaraya, "Investigators chain of custody in digital evidence recovery", Bureau of Police Research and Development, Indian Police Journal, 2006
[2] R. Yeager, "Criminal Computer Forensics Management", InfoSecCD, ACM, Kennesaw, USA, 2006
[3] S. Vanstone, P. Van Oorschot, A. Menezes, "Handbook of Applied Cryptography", CRC Press, 1997
[4] C. Brown, "Digital evidence: Collecting and Preservation", 2006
[5] Cryptographic hash function, http://en.wikipedia.org/wiki/Cryptographic_hash_function#cite_note-13 (accessed: 04.12.2010)
[6] J. Ćosić, M. Bača, "Steganography and its implication on forensic investigation", INFOTEH 2010, Jahorina, B&H, in press
[7] C. Hosmer, "Proving the Integrity of Digital Evidence with Time", International Journal of Digital Evidence, Spring 2002, Vol. 1, Issue 1
[8] S. Willassen, "Hypothesis based investigation of Digital Time stamps", IFIP, Advances in Digital Forensics IV, pp. 75-86, 2008
[9] B. Schatz, G. Mohay, A. Clark, "A correlation method for establishing the provenance of time stamps in digital evidence", Digital Investigation, vol. 3, pp. 98-107, 2006
[10] Internet X.509 PKI, Time Stamp Protocol (TSP), http://tools.ietf.org/html/rfc3161 (accessed: 01.01.2010)
[11] Financial Agency of Croatia, http://www.fina.hr/ (accessed: 31.12.2009)
[12] E-TimeStamp, An Internet Notary, http://www.digistamp.com/evidence.htm (accessed: 02.01.2010)
[13] M. Bača, Introduction in computer security, Narodne novine, Zagreb, 2004 (in Croatian)
... Well-established forensic procedures are applied to address this concern [16]. In particular, preserving the chain of custody, especially in the digital context, calls for specific techniques and procedures [107]. This study takes into account attributes and properties associated with preserving the chain of custody. ...
... These elements translate into essential metadata that support the chronological history of evidence. As discussed in Section II-A3, this metadata should address questions such as: who, what, when, where, why, and how [27], [107]. ...
Article
Full-text available
Digital evidence plays an increasingly crucial role in judicial proceedings due to the exponential growth in the creation, storage, and transmission of digital data. However, its inherent volatility and susceptibility to tampering necessitate robust mechanisms to ensure integrity and authenticity, making an effective chain of custody (CoC) a fundamental requirement. While state-of-the-art reviews identify various aspects, it is necessary to include the use of Self-Sovereign Identity (SSI) systems within the scope of research. To address this challenge, this article conducts a systematic review of the literature on the use of blockchain and SSI in managing the chain of custody of digital evidence. The review began with 9,178 studies, which, after a rigorous process applying inclusion and exclusion criteria, resulted in 39 studies directly related to the research topic. The study maps and reviews techniques, tools, methods, approaches, and security components for managing the chain of custody of digital evidence. The findings confirm the widespread adoption of blockchain for preserving digital evidence while indicating that SSI remains an emerging and underexplored concept in forensic applications. The results highlight the need for further research on off-chain storage mechanisms, privacy-preserving techniques such as Zero-Knowledge Proofs (ZKPs) to enhance security, auditability, and interoperability when combined with Verifiable Credentials (VCs). By mapping the current state of research, this study provides valuable insights into CoC, Blockchain, and SSI in forensic-based proposals, identifying research gaps, limitations, and opportunities for developing more robust and scalable evidence management systems.
... All the requirements on digital evidence are applied from this point in time. Those include timestamping, the chain of custody, and protecting it from unauthorized modification [11]. However, keeping the integrity and overall quality of potential evidence before it is seized improves the admissibility and trustworthiness of the evidence after it is seized [6]. ...
... This particular method is not only desirable during the development of a system, but also to testify integrity upon request from investigators or law enforcement. Another example is the verification of the system clock, and therefore correct timestamping, which is crucial for investigation [11]. ...
Preprint
Full-text available
With the increasing threat of cybercrime, there is also an increasing need for the forensic investigation of those crimes. However, the topic of systematic preparation on the possible forensic investigation during the software development, called forensic readiness, has only been explored since recently. Thus, there are still many challenges and open issues. One of the obstacles is ensuring the correct implementation. Moreover, the growing volume and variety of digital evidence produced by the systems have to be put into consideration. It is especially important in the critical information infrastructure domain where potential cyberattacks could impact the safety of people. In this paper, we present research towards verification of forensic readiness in software development, with a focus on digital evidence they produce, to assist the advancement of this research domain. Furthermore, we formulate a process that serves a template for designing, developing, and refining a verification method for forensic-ready software systems.
... A comprehensive approach to establish and maintain the provenance information of a digital piece of evidence has been proposed using biometric information, cryptographic algorithms, GPS data and trusted time (Ćosić and Bača, 2010). Using a reliable time source is certainly beneficial and should ideally be verifiable by a third-party authority. ...
Article
Full-text available
Human activities produce more and more digital traces. Criminal activities are no exception: criminals often operate on computers, carry mobile phones, use GPS devices, or are recorded by surveillance cameras. Moreover, analyses of analog traces can produce results in a digital form. As digital information (evidence or results) becomes highly relevant in today's investigations, there is a pressing need for a trustworthy way to strengthen the chain of custody for digital content, especially its integrity component. The Horodocs timestamping system responds to the need for a scalable, robust, trustworthy, independently verifiable, chronological ledger preventing backdating and enabling integrity verification of a digital file. In order to make the system scalable and limit costs, submitted file hash values are grouped together into a local, temporary Merkle tree, called the Horodocs tree; this tree is discarded after its root value has been used to record both a derived identifier and an encrypted random control value on the Ethereum blockchain. 1 The main innovation resides in the way information about the Horodocs tree is provided to each participant having requested a timestamp during the lifespan of this tree. Each submitter gets a receipt with enough information to verify the timestamp for the hash values that were submitted to the Horodocs system: the receipt is only valid for the hash values of the original file and allows one to recalculate the root value of the corresponding discarded Horodocs tree independently. The root value is required to find the record in the Ethereum blockchain and to recover and decrypt the stored random control value to validate the date and time of the timestamp. Throughout its conception, the Horodocs system has been developed with a concern for strong robustness against backdating, privacy-by-design, transparency, usability, scalability, sustainability, automation, as well as cost and energy savings.
... However, MD5 hash alone may not sufficiently prove data integrity. In other instances, Ûosiü and Baþa [23] proposed using a third-party timestamp for evidence traceability to validate staff access. This method relies on a consistent time source, so any accidental clock changes could disrupt the process. ...
Article
Full-text available
Digital evidence plays a crucial role in cybercrime investigations by linking individuals to criminal activities. Data collection, preservation, and analysis can benefit from emerging technologies like blockchain to provide a secure, distributed ledger for managing digital evidence. This study proposes a blockchain-based solution for managing digital evidence in cybercrime cases in the judicial domain. The proposed solution provides the basis for the development of a new model that leverages a consortium blockchain, allowing secure collaboration among judicial stakeholders, while ensuring data integrity and admissibility in court. An extensive literature review demonstrates blockchain’s potential to create a more secure, efficient evidence management system. The proposed model was implemented in a test environment using a localised blockchain for developing and testing smart contracts, as well as integrating a web interface, with off-chain storage for managing evidence data. The system was subsequently deployed in both the Polygon and Ethereum test networks, simulating real-world blockchain environments, revealing that the operational cost in the Polygon network is reduced by 99.96% compared to Ethereum, thereby offering scalability without compromising security. This study underscores blockchain’s potential to revolutionise the chain of custody procedures, improving dependability and security in evidence management and providing more sustainable solutions within the criminal justice system.
... Then, the Forensic readiness controls extend this mapping to include FRSS4BPMN control concepts, which describe the technical details. This paper explicitly defines a trusted timestamping service based on PKI [63] and blockchain [62]. ...
Preprint
Full-text available
The importance of systems secure-by-design is well recognised. However, incidents or disputes requiring thorough investigation might occur even in highly secure systems. Forensic-ready software systems aim to ease the investigations by including requirements for reliable, admissible, and on-point data - potential evidence. Yet, the software engineering techniques for such systems have numerous open challenges. One of them, representation and reasoning, is tackled in this chapter by defining the syntax and semantics of modelling language BPMN for Forensic-Ready Software Systems (BPMN4FRSS). In addition to representing the requirements and specific controls, a semantic mapping to forensic-ready risk management is defined to support risk-oriented design. This approach of designing forensic-ready software systems, supported by BPMN4FRSS models, is then demonstrated.
... It motivates a timely creation of potential evidence relative to an action or event and assurance of the correctness of the time information. The reliability of the time is related to the Integrity [43] or can be corroborated by other time information. ...
Chapter
Full-text available
Forensic-ready software systems enhance the security posture by designing the systems prepared for potential investigation of incidents. Yet, the principal obstacle is defining their exact requirements, i.e., what they should implement. Such a requirement needs to be on-point and verifiable. However, what exactly comprises a forensic readiness requirement is not fully understood due to distinct fields of expertise in software engineering and digital forensics. This paper describes a forensic readiness qualitative factor reference model that enables the formulation of specific requirements for forensic-ready software systems. It organises the qualitative properties of forensic readiness into a taxonomy, which can then be used to formulate a verifiable requirement targeted at a specific quality. The model is then utilised in an automated valet parking service to define requirements addressing found inadequacies regarding a potential incident investigation.
... In order to provide complete transparency throughout the inquiry process, the authors of [6] offer a reliable time stamping technique for digitally signing evidence. The time stamp, which is received from a trusted third party, serves as further proof of who accessed the evidence and when. ...
Thesis
Full-text available
The area of Digital Forensics has long been described as the process of acquisition, preservation, examination, interpretation and reporting of digital evidence (Carrier & Spafford, 2003; Mushtaque, 2015). Over the last two decades, the world has experienced a cumulative evolution in IT technology and cybercrime (Arshad, Jantan, & Omolara, 2019). The technology field has become very dynamic and the number of types of digital devices with processing and storage capacity in common usage, such as notebook computers, iPods, cameras and mobile phones, has grown extremely rapidly (Silver et al., 2019). However, the advance in the technology poses a greater challenge to the digital forensic discipline. The digital data which exists mostly in an intangible form requires the use of forensic software for analysis. Digital storage media such as the hard disk drive, the USB flash disk and mobile phones are the most common sources of evidence in cybercrime and the data stored upon these devices is only examinable by using digital forensic tools capable of interpreting it and presenting it in a readable format (Horsman, 2019). As a result, law enforcement agencies, as well as digital forensic researchers, are fully reliant on digital forensic tools during an investigation to provide an accurate analysis of evidence (Guo, Slay, & Beckett, 2009). The rapid growth of the Internet in the 1990s was marked by the introduction of web browsers, which people used to perform different activities such as searching for information, joining online blogs or social networks, shopping online and communicating through emails or instant messaging (Herjavec, 2019). The ease of access and various benefits provided by web browsers not only attracted businesses and young people, it also opened a gateway for cybercriminals. 
Cybercrime is referred to as the act of performing a criminal act using cyberspace as the communication medium, such as computer-related frauds, cyber defamation, cyber harassment, child predation, identity theft, planning and carrying out terrorist activities, software piracy and other crimes (Arora, 2016). Web browsers are designed in a way that enables users to record and retain much information related to their online activities, which includes caching files, visited URLs, search items, cookies and others (Said, Mutawa, Awadhi, & Guimaraes, 2011). These web browser data could easily be retrieved by any user without using digital forensic tools, until the introduction of the web browser privacy mode known as private browsing (Horsman et al., 2019). The two essential objectives of private browsing are to protect users from local attackers, allowing users to browse the Internet without leaving any traces on machines, and protect them from web attackers, and allowing them to browse the Internet while limiting identity discoverability to website servers (Aggarwal, Bursztein, Jackson, & Boneh, 2010). However, the introduction of private browsing has prompted digital forensic researchers and law enforcement agencies to seek different approaches to solve the issue of browsing content absence, even though private browsing is claimed not to be an anti-forensics tool (Horsman et al., 2019). Commercial digital forensic tools such as the EnCase, X-Ways, and Pro-Discovery have been utilised by many law enforcement agencies and researchers despite issues such as high cost, strict licensing guidelines and proprietary source codes (Reverchuk, 2019). Furthermore, open-source tools were developed to counter the issues. This research aims to assess and compare the capabilities between commercial and open-source tools in the acquisition and analysis of web browser data during normal and private browsing.
The design and development of secure systems is an important and challenging task. However, such systems should also be prepared for eventual disputes or occurrences of a security incident. To solve this, forensic-ready software systems are, by-design, prepared to assist in the forensic investigation and to provide on-point data with high evidentiary value. However, software engineering support for the systematic development of such software systems is rather sparse. This paper tackles the problem by introducing novel modelling notation, called BPMN for Forensic-Ready Software Systems (BPMN4FRSS), including its syntax and semantics. The notation aims to capture the forensic-ready controls and enable reasoning over them, primarily focusing on potential digital evidence. Importantly, it is made to support forensic readiness oriented risk management decisions. The approach is then demonstrated in a scenario where the controls, which mitigate security and business risks, are properly represented.
Establishing the time at which a particular event happened is a fundamental concern when relating cause and effect in any forensic investigation. Reliance on computer generated timestamps for correlating events is complicated by uncertainty as to clock skew and drift, environmental factors such as location and local time zone offsets, as well as human factors such as clock tampering. Establishing that a particular computer's temporal behaviour was consistent during its operation remains a challenge. The contributions of this paper are both a description of assumptions commonly made regarding the behaviour of clocks in computers, and empirical results demonstrating that real world behaviour diverges from the idealised or assumed behaviour. We present an approach for inferring the temporal behaviour of a particular computer over a range of time by correlating commonly available local machine timestamps with another source of timestamps. We show that a general characterisation of the passage of time may be inferred from an analysis of commonly available browser records.
This research paper addresses the methodology and approaches to managing criminal computer forensic investigations in a law enforcement environment with management controls, operational controls, and technical controls. Management controls cover policy and standard operating procedures (SOP's), methodology, and guidance. Operational controls cover SOP requirements, seizing evidence, evidence handling, best practices, and education, training and awareness. Technical controls cover acquisition and analysis procedures, data integrity, rules of evidence, presenting findings, proficiency testing, and data archiving.
[Table fragment; columns: Method, Description, Common Types, Advantages, Disadvantages]
Checksum: A method of checking for errors in digital data. Typically a 16- or 32-bit polynomial is applied to each byte of digital data that you are trying to protect. The result is a small integer value that is 16 or 32 bits in length and represents the concatenation of the data. This integer value must be saved...
Timestamps stored on digital media play an important role in digital investigations. However, the evidentiary value of timestamps is questionable because timestamps can be manipulated or they could refer to a clock that is erroneous or improperly adjusted. This paper presents a formalism for defining clock hypotheses based on historical adjustments to clocks, and for testing the consistency of the hypotheses with respect to stored timestamps. Two consistency tests are proposed for justifying clock hypotheses without having to rely on timestamps from external sources.
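The abstract above describes testing whether a hypothesis about a clock's adjustment history is consistent with the timestamps found on the media. The following is an added, simplified illustration of that idea written for this page; it is not the formalism from the cited paper and not code from the paper's authors. It assumes a clock hypothesis is a list of (true time, offset) adjustments, that stored timestamps are integer clock readings, and that the investigator supplies happens-before constraints (for example, a file must be created before it is last modified). All timestamp values below are constructed sample data.

```python
"""Simplified clock-hypothesis consistency check (illustration only).

A hypothesis is a list of (true_time, offset) pairs sorted by true_time:
from true_time until the next entry, the clock reads true_time + offset.
A clock that was set backwards can show the same reading twice, so one
stored timestamp may map to several candidate true times.
"""
from itertools import product
from typing import Dict, List, Tuple

Hypothesis = List[Tuple[int, int]]

# Hypothesis A (constructed): the clock was always accurate.
HYP_ACCURATE: Hypothesis = [(0, 0)]

# Hypothesis B (constructed): at true time 1000 the clock was set back by 500.
HYP_SET_BACK: Hypothesis = [(0, 0), (1000, -500)]

# Constructed stored timestamps (clock readings, arbitrary epoch in seconds).
TIMESTAMPS: Dict[str, int] = {
    "install": 100,   # OS installation log entry
    "created": 900,   # file creation time
    "modified": 700,  # file last-modified time (earlier than creation!)
}

# Ordering the investigator knows must hold in true time.
HAPPENS_BEFORE: List[Tuple[str, str]] = [
    ("install", "created"),
    ("created", "modified"),
]


def candidate_true_times(hyp: Hypothesis, clock_value: int) -> List[int]:
    """Return every true time at which the hypothesised clock showed clock_value.

    An empty list means the hypothesis cannot produce that reading at all.
    """
    candidates = []
    for i, (start, offset) in enumerate(hyp):
        end = hyp[i + 1][0] if i + 1 < len(hyp) else float("inf")
        true_t = clock_value - offset
        if start <= true_t < end:
            candidates.append(true_t)
    return candidates


def is_consistent(hyp: Hypothesis, timestamps: Dict[str, int],
                  happens_before: List[Tuple[str, str]]) -> bool:
    """True if some assignment of true times to the stored timestamps
    satisfies every happens-before constraint under the hypothesis."""
    names = list(timestamps)
    options = [candidate_true_times(hyp, timestamps[n]) for n in names]
    if any(not opts for opts in options):
        return False  # some reading is impossible under this hypothesis
    # Inputs are small, so exhaustive search over candidate combinations is fine.
    for combo in product(*options):
        true_of = dict(zip(names, combo))
        if all(true_of[a] < true_of[b] for a, b in happens_before):
            return True
    return False


if __name__ == "__main__":
    for label, hyp in (("accurate clock", HYP_ACCURATE), ("clock set back", HYP_SET_BACK)):
        verdict = "consistent" if is_consistent(hyp, TIMESTAMPS, HAPPENS_BEFORE) else "inconsistent"
        print(f"{label}: {verdict}")
```

Under the accurate-clock hypothesis the file appears modified before it was created, so the hypothesis is rejected; under the set-back hypothesis the creation reading 900 can correspond to true time 900 and the modification reading 700 to true time 1200, which satisfies the ordering, so that hypothesis survives. The check uses only timestamps from the media and the investigator's ordering knowledge, with no external time source.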