(Im)Proving Chain of Custody and Digital Evidence Integrity with Time Stamp

Jasmin Ćosić and Miroslav Bača

IT Section of Police Administration, Ministry of Interior of Una-Sana Canton, 502. V. bbr. br. 2, Bihac, B&H
Phone: +387 61 790 484, E-mail: jascosic@bih.net.ba

Faculty of Organization and Informatics, University of Zagreb, Pavlinska 2, Varazdin, RH
Phone: +385 98 552 235, E-mail: miroslav.baca@foi.hr
Abstract - The integrity of digital evidence plays an important role in the digital forensic investigation process. A proper chain of custody must include information on how the evidence was collected, transported, analyzed, preserved and handled. There are several adapted methods for digitally signing evidence in order to (im)prove the integrity of digital evidence. Most forensic tools and applications use some kind of hashing algorithm so that investigators can later verify the integrity of a disk or image. In this process there is a problem of binding integrity, identity, and the date and time of access to the digital evidence.

In this paper the authors present a valid time stamping method for signing digital evidence in all stages of the digital investigation process. The time stamp is obtained from a secure third party (Time Stamp Authority). It is used to prove the time at which staff accessed the evidence in any stage of the forensic investigation.
I. INTRODUCTION
Chain of custody and the integrity of digital evidence play a very important role in the digital forensic investigation process, because in every phase forensic investigators must know where, when and how the digital evidence was discovered, collected and handled, when and by whom it was accessed, and so on. A proper chain of custody must include documentation that answers all of these questions. If one of these questions remains unanswered, the chain of custody is compromised and broken. In that case, when the evidence is presented in court, a missing link in the chain of evidence means the court would not accept the evidence as relevant, and the whole investigation process would be futile.

The question that most often remains unanswered when digital evidence is presented is: "Who, when, where and for what reason came into contact with the digital evidence?" The most sensitive variable is the "time of contact" with the digital evidence.

Digital evidence can be a single file with or without an extension, a few files, one partition of a hard disk, a whole hard disk, a USB flash memory device, CD/DVD/Blu-ray discs, or any other removable media.

Whether the forensic investigation concerns removable media or a hard disk, the object of the investigation is ultimately a computer file. We must always make completely identical "bit-to-bit" copies of the original files. When the original digital evidence circulates through its phases, that is, when it passes through all stages of the digital investigation process, the staff who handle it often change. We must document not only the changes but every time of contact with the evidence as well.
II. CHAIN OF CUSTODY AND LIFE CYCLE OF DIGITAL EVIDENCE
Chain of custody may be defined as "a road map that shows how evidence was collected, analyzed, and preserved in order to be presented as evidence in court" (John Vacca, p. 154) [1]. Chain of custody plays a very important role in the digital investigation process. The phrase refers to the accurate auditing and control of original evidence material that could potentially be used for legal purposes. Knowing the current location of the evidence is not enough; there should be accurate logs tracking the movement and possession of evidence material at all times [2]. The investigator must be able to answer the following questions throughout the forensic investigation process:

1. What is the digital evidence?
2. Where was the digital evidence discovered, collected, handled and/or examined?
3. Who discovered the digital evidence, came into contact with it and handled it?
4. Why was the digital evidence used?
5. When was the digital evidence discovered, accessed, examined or transferred?
6. How was the digital evidence used?

A proper chain of custody must include documentation on how the data was gathered, transported, analyzed, preserved and handled (paying special attention, for example, to international evidence). This information is important in the verification of electronic data, since such data can easily be altered if proper precautions are not taken.

Maintaining a proper chain of custody matters to the party who preserves the data, as well as to authorities who may want to pursue legal action [1]. Adopting a chain of custody would help an investigator prove that incriminating evidence was not destroyed and that no external evidence was planted.
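As an added illustration (not code from the paper), the following Go program records the answers to the six questions above for each stage of a constructed investigation and checks the chain the way a reviewer in court would: every question answered at every stage, the evidence fingerprint unchanged since collection, and the times of contact in order. The evidence image, names, places and times are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Fingerprint returns the hex-encoded SHA-256 digest of an evidence image.
func Fingerprint(evidence []byte) string {
	sum := sha256.Sum256(evidence)
	return hex.EncodeToString(sum[:])
}

// CustodyEntry records, for one stage of the investigation, the answers to the
// six chain-of-custody questions (what, where, who, why, when, how) together
// with the fingerprint of the evidence as computed at that stage.
type CustodyEntry struct {
	Stage       string    // what happened to the evidence: collection, transport, analysis, ...
	Where       string    // where the evidence was handled
	Who         string    // who came into contact with it
	Why         string    // reason for the access
	When        time.Time // time of contact
	How         string    // how the evidence was used or handled
	Fingerprint string    // hash of the evidence image at this stage
}

// VerifyChain reports the first broken link: an entry that leaves a custody
// question unanswered, a fingerprint that differs from the one recorded at
// collection (the evidence was altered), or a time of contact that runs
// backwards relative to the previous stage.
func VerifyChain(entries []CustodyEntry) error {
	if len(entries) == 0 {
		return errors.New("chain of custody is empty")
	}
	original := entries[0].Fingerprint
	for i, e := range entries {
		if e.Stage == "" || e.Where == "" || e.Who == "" || e.Why == "" || e.How == "" || e.When.IsZero() {
			return fmt.Errorf("stage %d (%q): a custody question is unanswered", i, e.Stage)
		}
		if e.Fingerprint != original {
			return fmt.Errorf("stage %d (%q): fingerprint %s... does not match original %s...",
				i, e.Stage, e.Fingerprint[:12], original[:12])
		}
		if i > 0 && e.When.Before(entries[i-1].When) {
			return fmt.Errorf("stage %d (%q): time of contact precedes the previous stage", i, e.Stage)
		}
	}
	return nil
}

// SampleChain builds a three-stage chain over a constructed evidence image.
// With tamper set, one bit of the image is flipped between transport and analysis.
func SampleChain(tamper bool) []CustodyEntry {
	image := []byte("constructed bit-to-bit image of a USB flash device") // constructed sample, not real evidence
	base := time.Date(2010, 12, 4, 9, 0, 0, 0, time.UTC)                  // constructed timeline
	entries := []CustodyEntry{
		{Stage: "collection", Where: "crime scene", Who: "first responder A", Why: "seizure",
			When: base, How: "imaged behind a write blocker", Fingerprint: Fingerprint(image)},
		{Stage: "transport", Where: "police vehicle", Who: "officer B", Why: "delivery to lab",
			When: base.Add(2 * time.Hour), How: "sealed evidence bag", Fingerprint: Fingerprint(image)},
	}
	if tamper {
		image[0] ^= 0x01 // a single bit change is enough to change the fingerprint
	}
	entries = append(entries, CustodyEntry{Stage: "analysis", Where: "forensic lab", Who: "investigator C",
		Why: "examination", When: base.Add(26 * time.Hour), How: "read-only mount", Fingerprint: Fingerprint(image)})
	return entries
}

func main() {
	fmt.Println("intact chain:", VerifyChain(SampleChain(false)))
	fmt.Println("altered chain:", VerifyChain(SampleChain(true)))
}
```

The check deliberately treats an empty answer to any of the six questions as a broken chain, which is the paper's point that a single unanswered question compromises custody; the fingerprint comparison is what the hashing methods of Section III provide, and the time check is where an untrusted clock would later cause trouble.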
III. DIGITAL EVIDENCE INTEGRITY
According to Vanstone [3], digital integrity is "the property whereby digital data has not been altered in an unauthorized manner since the time it was created, transmitted, or stored by an authorized source". The integrity of digital evidence ensures that the information presented is complete and unaltered from the time of acquisition until its final disposition [SWGIT].

There are several adapted methods for digitally signing evidence in order to (im)prove its integrity. Today most forensic tools and applications implement some type of checksum or hashing algorithm to allow investigators to verify the disk or image integrity later [4]. These methods, and the technical characteristics of the hash functions and other mechanisms they rely on, are summarized in Table I.
TABLE I
Methods for digitally signing evidence

| Method | Length | Description | Advantages | Disadvantages |
|---|---|---|---|---|
| Cyclic redundancy checks: CRC 16, CRC 32, CRC 64 | 16 bit, 32 bit, 64 bit | Cyclic Redundancy Check (CRC) is often used in file transfer to verify that the data transfer was successful. | Very simple to use; very fast; small output | Not a secure hash function; problem with message analysis; it is easy to generate other messages that result in the same CRC |
| Cryptographic hash function: MD2, MD4, MD5, SHA1, SHA224/256, SHA384/512 | 128 bit, 128 bit, 128 bit, 160 bit, 224/256 bit, 384/512 bit | A hashing function is a mathematical calculation that generates a numerical value based on the input data. This numerical value is referred to as the hash value. | Easy to compute the hash value for any given message; secure (cryptographic) hash function | Collision and preimage attacks, except for SHA-224/256 and SHA-384/512 [5] |
| Digital signature | Depends on the hash function used | The resulting hash is encrypted with a specific private key. File integrity can be verified using the hash value and the public key. | Binds identity to integrity | Very slow; very complex to implement |
| Time stamp | Depends on the hash function used | Time stamps are typically used for logging events, in which case each event in a log is marked with a time stamp. In file systems, a time stamp may refer to the stored date/time of file creation or modification. Trusted time stamping is the process of securely keeping track of the creation and modification time of a document. | Binds date and time to integrity | Very complex to implement; dependence on a "third party" |
| Encryption | Depends on the algorithm used | Encryption is the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as the key. The result of the process is encrypted information. Encryption itself can protect the confidentiality of messages. | Very secure | Very slow; complex to implement and maintain |
| Watermarking | Depends on the algorithm used | Watermarking is the process of embedding information into another object/signal. It combines aspects of data hashing and digital watermarking [6]. | Very secure and simple to use | The user cannot significantly alter some files without sacrificing the quality or utility of the data |
IV. USING TIME STAMP FOR SIGNING DIGITAL EVIDENCE
There are many definitions of a time stamp. In the real world, a time stamp represents some moment in time; in the computer (digital) world, the time stamp represents a specific moment in time, but in digital format. Time stamps and digital time stamping play a very important role in digital forensics, because there is a need to know the time of certain moments in the investigation process.

It is very important to know the answer to the question we may be asked in the courtroom: "When was the digital evidence accessed, and how long were the staff in contact with the evidence?" The next question could be: "How long can we prove the integrity of the digital evidence that we signed?" [7]. Time is an important factor in settling these questions. We must prove the integrity of the digital evidence, and we need to know the correct time at which the digital evidence was accessed. The big problem here is a trusted source of time, because in both the real and the digital world time always depends on the setting of the clock that generates it. For example, if we use a personal computer whose clock is wrong, we will get a wrong time stamp. Because of that, the time cannot be considered completely reliable, and in that case the time stamp cannot be used as a vital factor in reconstructing events in digital forensics.

The problem of digital time stamping has been the subject of several studies. Hosmer [7] emphasizes the use of time to prove the integrity of digital evidence, and states three steps that must be taken in order to effectively use digital evidence to prove the motive, opportunity and means of cybercrimes:

Step 1: Traceability to a legal time source
Step 2: Time distribution
Step 3: Source digital time stamping

Weil [2002] and Boyd [2004] advocate correlating time stamps stored on the target computer with time stamps created by other clocks (e.g. time stamps in dynamically generated web pages) [8]. In their research on clock synchronization in computer networks, Schatz, Mohay and Clark [9] suggest that clock drift can be mitigated by correlating the time stamps stored in the web cache with records obtained from the web servers.

There is a lack of research on using a time stamp to improve the integrity of digital evidence with respect to the moment when the human factor (the staff) accesses the evidence. The people who may handle digital evidence include first responders, forensic investigators, court expert witnesses, law enforcement personnel, police officers, the victim, the suspect, passers-by, etc. Each of these people can affect the evidence in a particular situation, and therefore it is very important to know who came into contact with the evidence, when and where.

The time when the digital evidence was discovered and collected, and the identity of whoever came into contact with it, are vital to reconstruction and to proving integrity. We must also know when the digital evidence was transported.
A. Trusted Time Stamping
According to the RFC 3161 standard [10], a trusted time stamp is a time stamp issued by a trusted third party (TTP) acting as a time stamping authority (TSA). It is used to prove the existence of certain data before a certain point in time (e.g. contact with digital evidence) without the possibility of the owner backdating the time stamps. Multiple TSAs can be used to increase reliability and reduce vulnerability.

Because of the problems with time stamp implementation and the synchronization of internal clocks, and the impossibility of proving these facts to the court, the authors introduce the use of a "trusted time stamp" and of third-party service providers.

There are many TSAs in the world; some countries have a few, and some (e.g. Croatia) have just one [11]. The services of a trusted Time Stamping Authority can be used to prove the consistency and integrity of digital evidence at every stage of its existence. It is particularly important to have a record of every moment at which the digital evidence was accessed; otherwise the chain of custody would be broken, and this would affect the outcome of the investigation. This is especially important in the international exchange of digital evidence and in international digital investigations.

When the Time Stamp Authority (TSA) that we contact to obtain a time stamp processes our request, a few "external auditors" act as witnesses. In some cases there is one auditor, in some cases two [12], and they document the chain of evidence.

The process of obtaining a time stamp from the TSA, which will prove the existence of and contact with the digital evidence by all staff at any time, consists of several steps divided into two separate parts:

On the client side:
Making a unique identifier, a fingerprint (hash) of the digital evidence (SHA-256, MD5, etc.)
Sending the fingerprint to the Time Stamp Authority
Verifying the response with the public key and storing it locally

On the TSA side:
Obtaining the official time from the time server
Adding the time stamp to the fingerprint
Protecting (signing) the result with the private key
Sending the digital signature back to the client

These processes are illustrated in Figure 1.

What happens in this process? First, the investigators (or other staff who handle the digital evidence) must generate a unique identifier, a fingerprint, of the digital evidence. Some of the previously mentioned methods can be used here: a hash function or, for better security, multiple hash functions. It is proposed to use a high-security SHA/MD algorithm.

After the hash of the digital evidence has been generated, these "few bits" are sent to the "third party", the Time Stamp Authority. It is important to mention that only the fingerprint (hash) is transmitted to the TSA, never the original file; the TSA cannot see the actual document (or any file). The TSA then adds a time stamp to the received hash, calculates a new hash, and digitally signs the result with its protected signing key.

The TSA sends this file back to the client (investigator), who has another signing key pair. In the next stage of the forensic investigation exactly the same process happens. In this way we can prove the time of the digital evidence's movement at any stage of the forensic investigation.
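The client/TSA exchange described above, written out as an added example in Go. This is not code from the paper and not an RFC 3161 implementation: the request and token are simplified structs rather than the standard's ASN.1 TimeStampReq/TimeStampResp messages, and an Ed25519 key pair stands in for a real TSA's certified signing key. The fixed clock, the evidence bytes and the names are constructed for the example. It shows the three properties the text relies on: only the fingerprint leaves the client, the time in the token comes from the TSA's clock rather than the client's, and neither an altered image nor a backdated token passes verification with the TSA's public key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// TimeStampRequest is the client's message: only the fingerprint travels to the TSA, never the evidence.
type TimeStampRequest struct {
	HashAlg string
	Hash    []byte
	Nonce   uint64 // ties the TSA's answer to this particular request
}

// TimeStampToken is the TSA's answer: fingerprint and nonce bound to the TSA's time and signed.
type TimeStampToken struct {
	Hash      []byte
	Nonce     uint64
	GenTime   time.Time
	Signature []byte
}

// TSA holds the private signing key; Now stands in for the TSA's official time source.
type TSA struct {
	priv ed25519.PrivateKey
	Now  func() time.Time
}

// NewTSA generates the TSA key pair (Ed25519 assumed here in place of a real TSA's X.509 key).
func NewTSA(now func() time.Time) (*TSA, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &TSA{priv: priv, Now: now}, pub, nil
}

// signedBytes is exactly what the TSA signs: hash || nonce || unix time.
func signedBytes(hash []byte, nonce uint64, t time.Time) []byte {
	buf := make([]byte, len(hash)+16)
	copy(buf, hash)
	binary.BigEndian.PutUint64(buf[len(hash):], nonce)
	binary.BigEndian.PutUint64(buf[len(hash)+8:], uint64(t.Unix()))
	return buf
}

// MakeRequest (client, step 1): fingerprint the evidence with SHA-256 and attach a fresh nonce.
func MakeRequest(evidence []byte) (TimeStampRequest, error) {
	sum := sha256.Sum256(evidence)
	var nb [8]byte
	if _, err := rand.Read(nb[:]); err != nil {
		return TimeStampRequest{}, err
	}
	return TimeStampRequest{HashAlg: "SHA-256", Hash: sum[:], Nonce: binary.BigEndian.Uint64(nb[:])}, nil
}

// Issue (TSA side): read the official time, bind it to the fingerprint, sign with the private key.
func (s *TSA) Issue(req TimeStampRequest) (TimeStampToken, error) {
	if req.HashAlg != "SHA-256" || len(req.Hash) != sha256.Size {
		return TimeStampToken{}, errors.New("unsupported hash algorithm or length")
	}
	now := s.Now().UTC().Truncate(time.Second)
	sig := ed25519.Sign(s.priv, signedBytes(req.Hash, req.Nonce, now))
	return TimeStampToken{Hash: req.Hash, Nonce: req.Nonce, GenTime: now, Signature: sig}, nil
}

// VerifyToken (client, step 3): the token must answer this request and carry a valid TSA signature.
func VerifyToken(pub ed25519.PublicKey, req TimeStampRequest, tok TimeStampToken) error {
	if !bytes.Equal(req.Hash, tok.Hash) {
		return errors.New("token fingerprint does not match the request")
	}
	if req.Nonce != tok.Nonce {
		return errors.New("nonce mismatch: token was not issued for this request")
	}
	if !ed25519.Verify(pub, signedBytes(tok.Hash, tok.Nonce, tok.GenTime), tok.Signature) {
		return errors.New("TSA signature invalid: token altered or time backdated")
	}
	return nil
}

// VerifyEvidence (any later stage): recompute the fingerprint of the evidence in hand and check the stored token.
func VerifyEvidence(pub ed25519.PublicKey, evidence []byte, tok TimeStampToken) error {
	sum := sha256.Sum256(evidence)
	return VerifyToken(pub, TimeStampRequest{HashAlg: "SHA-256", Hash: sum[:], Nonce: tok.Nonce}, tok)
}

func main() {
	clock := func() time.Time { return time.Date(2010, 12, 4, 10, 30, 0, 0, time.UTC) } // constructed clock
	tsa, pub, err := NewTSA(clock)
	if err != nil {
		panic(err)
	}
	evidence := []byte("constructed disk image, not real evidence")
	req, _ := MakeRequest(evidence)
	tok, _ := tsa.Issue(req)
	fmt.Println("token accepted:", VerifyToken(pub, req, tok) == nil, "stamped at", tok.GenTime)
	evidence[0] ^= 1 // one flipped bit at a later stage
	fmt.Println("altered evidence accepted:", VerifyEvidence(pub, evidence, tok) == nil)
}
```

Repeating the exchange at each stage, as the text describes, means storing one token per stage beside the evidence; each token is verifiable by anyone holding the TSA's public key, so the time of each contact can be demonstrated without trusting the investigator's own clock.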
V. CONCLUSION AND FURTHER RESEARCH
Because of the rapid development of ICT, especially the internet and digital communications, the movement of evidence is much greater today than ever before. As digital evidence is in bit/byte form, it is very easy to transfer it to the other side of the world in a few seconds [13]. One of the most important things in the forensic process is maintaining the chain of custody of digital evidence.

The purpose of this paper is to show a trusted time stamping method for signing digital evidence at every stage of the digital investigation process. The time stamp is available from a secure third party (Time Stamp Authority) and is used to prove the time at which staff accessed the evidence at any stage of the forensic investigation. Further research will focus on the next problem of the chain of custody: where the digital evidence is processed, and how a secure "Digital Evidence Management Framework" can be developed. That framework will help investigators to safely handle evidence, and to store a hash of the files in digital form, as well as a biometric signature, a time stamp, and the characteristics of the places where all evidence was accessed.

Figure 1: The process of time stamping digital evidence in all stages of the digital forensic investigation process
ACKNOWLEDGEMENTS
The presented data are from the scientific project Methodology of biometrics characteristics evaluation (016-0161199-1721) and the practical project Multiple biometric authentication using smart card (2008-043), supported by the Ministry of Science, Education and Sport, Republic of Croatia.
REFERENCES
[1] M. G. Nagaraya, "Investigators chain of custody in digital evidence recovery", Bureau of Police Research and Development, Indian Police Journal, 2006
[2] R. Yeager, "Criminal Computer Forensics Management", InfoSecCD, ACM, Kennesaw, USA, 2006
[3] S. Vanstone, P. Van Oorschot and A. Menezes, "Handbook of Applied Cryptography", CRC Press, 1997
[4] C. Brown, "Digital evidence: Collecting and Preservation", 2006
[5] Cryptographic hash function, http://en.wikipedia.org/wiki/Cryptographic_hash_function#cite_note-13 (accessed: 04.12.2010)
[6] J. Ćosić, M. Bača, "Steganography and its implication on forensic investigation", INFOTEH 2010, Jahorina, B&H, in press
[7] C. Hosmer, "Proving the Integrity of Digital Evidence with Time", International Journal of Digital Evidence, Spring 2002, Vol. 1, Issue 1
[8] S. Willassen, "Hypothesis based investigation of Digital Time stamps", IFIP, Advances in Digital Forensics IV, pp. 75-86, 2008
[9] B. Schatz, G. Mohay, A. Clark, "A correlation method for establishing the provenance of time stamps in digital evidence", Digital Investigation, vol. 3, pp. 98-107, 2006
[10] Internet X.509 PKI, Time Stamp Protocol (TSP), http://tools.ietf.org/html/rfc3161 (accessed: 01.01.2010)
[11] Financial Agency of Croatia, http://www.fina.hr/ (accessed: 31.12.2009)
[12] E-TimeStamp, An Internet Notary, http://www.digistamp.com/evidence.htm (accessed: 02.01.2010)
[13] M. Bača, Introduction in computer security, Narodne novine, Zagreb, 2004 (in Croatian)
... Digital evidence may take the form of images, videos, text, or device logs. Additionally, it incorporates data from social media platforms such as Twitter, Instagram, and Facebook [3][4][5][6][7][8][9][10]. ...
... These techniques include cyclic redundancy checking, hashing functions, digital signatures, time stamps, encryption, and watermarking. Each technique has a number of benefits and drawbacks; see [8,[11][12][13][14] for more details. The majority of digital forensic tools and apps use some kind of hashing algorithm to ensure the integrity of digital evidence. ...
... If any one of these questions is left unanswered, the CoC is compromised and disturbed. Without a certificate of conformity, the evidence is useless [7][8][9][10][11][12][13][14][15]. ...
Article
Full-text available
Digital evidence is critical in cybercrime investigations because it is used to connect individuals to illegal activity. Digital evidence is complicated, diffuse, volatile, and easily altered, and as such, it must be protected. The Chain of Custody (CoC) is a critical component of the digital evidence procedure. The aim of the CoC is to demonstrate that the evidence has not been tampered with at any point throughout the investigation. Because the uncertainty associated with digital evidence is not being assessed at the moment, it is impossible to determine the trustworthiness of CoC. As scientists, forensic examiners have a responsibility to reverse this tendency and officially confront the uncertainty inherent in any evidence upon which they base their judgments. To address these issues, this article proposes a new paradigm for ensuring the integrity of digital evidence (CoC documents). The new paradigm employs fuzzy hash within blockchain data structure to handle uncertainty introduced by error-prone tools when dealing with CoC documents. Traditional hashing techniques are designed to be sensitive to small input modifications and can only determine if the inputs are exactly the same or not. By comparing the similarity of two images, fuzzy hash functions can determine how different they are. With the symmetry idea at its core, the suggested framework effectively deals with random parameter probabilities, as shown in the development of the fuzzy hash segmentation function. We provide a case study for image forensics to illustrate the usefulness of this framework in introducing forensic preparedness to computer systems and enabling a more effective digital investigation procedure.
... All the requirements on digital evidence are applied from this point in time. Those include timestamping, the chain of custody, and protecting it from unauthorized modification [11]. However, keeping the integrity and overall quality of potential evidence before it is seized improves the admissibility and trustworthiness of the evidence after it is seized [6]. ...
... This particular method is not only desirable during the development of a system, but also to testify integrity upon request from investigators or law enforcement. Another example is the verification of the system clock, and therefore correct timestamping, which is crucial for investigation [11]. ...
Preprint
Full-text available
With the increasing threat of cybercrime, there is also an increasing need for the forensic investigation of those crimes. However, the topic of systematic preparation on the possible forensic investigation during the software development, called forensic readiness, has only been explored since recently. Thus, there are still many challenges and open issues. One of the obstacles is ensuring the correct implementation. Moreover, the growing volume and variety of digital evidence produced by the systems have to be put into consideration. It is especially important in the critical information infrastructure domain where potential cyberattacks could impact the safety of people. In this paper, we present research towards verification of forensic readiness in software development, with a focus on digital evidence they produce, to assist the advancement of this research domain. Furthermore, we formulate a process that serves a template for designing, developing, and refining a verification method for forensic-ready software systems.
... In order to provide complete transparency throughout the inquiry process, the authors of [6] offer a reliable time stamping technique for digitally signing evidence. The time stamp, which is received from a trusted third party, serves as further proof of who accessed the evidence and when. ...
... The work in [12] established a reliable time stamping technique for protecting digital evidence during the investigative process. The timestamp will be acquired from the secure third party in order to establish the date and time of the staff's access to the evidence. ...
Article
Full-text available
Cybercrime investigations rely heavily on digital evidence to establish links between suspects and the criminal conduct they are allegedly involved in. As a result, digital evidence must be protected since it is complex, volatile, and susceptible to alteration. In the digital evidence method, the chain of custody (CoC) is essential. As a result of the CoC, it is possible to establish that the evidence was never tampered with. Due to the inherent uncertainty of digital evidence, the trustworthiness of the CoC cannot be judged at this time. It is the duty of forensic examiners to challenge this inclination and publicly admit the inherent ambiguity in whatever evidence they use to make their decisions. This article suggests a new paradigm for maintaining the integrity of digital evidence in order to overcome these challenges. To handle the uncertainty generated by error-prone technologies while dealing with CoC documents, the new paradigm used a fuzzy hash inside the blockchain data structure. Traditional hashing methods are only able to tell whether two inputs are precisely the same or not because they are sensitive to even the smallest input changes. Using fuzzy hash functions, we can figure out how dissimilar two images are by comparing their similarities. As an example of how this paradigm may be applied to computer systems and make digital investigations more successful, we utilize image forensics as the focus of an in-depth look at how it works.
... The initial phase of digital forensics examination starts with the acquisition of data from digital exhibits such as hard disks, USB storage devices etc. seized from the crime scene (Hosmer, 2002). This is done by creating a forensically sound copy of the storage media, which in turn, is achieved by creating a bit-stream image of it (Carlton, 2007). The essence, however, is to preserve the integrity of the exhibit and maintain a strict chain of custody (Kent et al., 2006;Kissel, 2013). ...
Article
In digital forensics, maintaining the integrity of digital exhibits is an essential aspect of the entire investigation and examination process, which is established using the technique of hashing. Lack of knowledge, while handling digital exhibits, might lead to unintentional alteration of computed hash, rendering the exhibit unacceptable in the court of Law. The hash value of a physical drive does not solely depend upon the data files present in it but also its file-system. Therefore, any change to the file-system might result in the change of the disk hash, even when the data files within it remain untouched. In this paper, our objective is to study the role of file-system in modification of the hash value. We examine and analyse the changes in the file-system of a NTFS formatted USB storage device, which leads to modification in its hash value when the device is plugged-in to the computer system without using write-blocker. The outcome of this research would justify the importance of write blockers while handling digital exhibits and also substantiate that the alteration in hash value of a storage device might not be an indication that data within the device has been tampered with.
Thesis
Full-text available
The area of Digital Forensics has long been described as the process of acquisition, preservation, examination, interpretation and reporting of digital evidence (Carrier & Spafford, 2003; Mushtaque, 2015). Over the last two decades, the world has experienced a cumulative evolution in IT technology and cybercrime (Arshad, Jantan, & Omolara, 2019). The technology field has become very dynamic and the number of types of digital devices with processing and storage capacity in common usage, such as notebook computers, iPods, cameras and mobile phones, has grown extremely rapidly (Silver et al., 2019). However, the advance in the technology poses a greater challenge to the digital forensic discipline. The digital data which exists mostly in an intangible form requires the use of forensic software for analysis. Digital storage media such as the hard disk drive, the USB flash disk and mobile phones are the most common sources of evidence in cybercrime and the data stored upon these devices is only examinable by using digital forensic tools capable of interpreting it and presenting it in a readable format (Horsman, 2019). As a result, law enforcement agencies, as well as digital forensic researchers, are fully reliant on digital forensic tools during an investigation to provide an accurate analysis of evidence (Guo, Slay, & Beckett, 2009). The rapid growth of the Internet in the 1990s was marked by the introduction of web browsers, which people used to perform different activities such as searching for information, joining online blogs or social networks, shopping online and communicating through emails or instant messaging (Herjavec, 2019). The ease of access and various benefits provided by web browsers not only attracted businesses and young people, it also opened a gateway for cybercriminals. 
Cybercrime is referred to as the act of performing a criminal act using cyberspace as the communication medium, such as computer-related frauds, cyber defamation, cyber harassment, child predation, identity theft, planning and carrying out terrorist activities, software piracy and other crimes (Arora, 2016). Web browsers are designed in a way that enables users to record and retain much information related to their online activities, which includes caching files, visited URLs, search items, cookies and others (Said, Mutawa, Awadhi, & Guimaraes, 2011). These web browser data could easily be retrieved by any user without using digital forensic tools, until the introduction of the web browser privacy mode known as private browsing (Horsman et al., 2019). The two essential objectives of private browsing are to protect users from local attackers, allowing users to browse the Internet without leaving any traces on machines, and protect them from web attackers, and allowing them to browse the Internet while limiting identity discoverability to website servers (Aggarwal, Bursztein, Jackson, & Boneh, 2010). However, the introduction of private browsing has prompted digital forensic researchers and law enforcement agencies to seek different approaches to solve the issue of browsing content absence, even though private browsing is claimed not to be an anti-forensics tool (Horsman et al., 2019). Commercial digital forensic tools such as the EnCase, X-Ways, and Pro-Discovery have been utilised by many law enforcement agencies and researchers despite issues such as high cost, strict licensing guidelines and proprietary source codes (Reverchuk, 2019). Furthermore, open-source tools were developed to counter the issues. This research aims to assess and compare the capabilities between commercial and open-source tools in the acquisition and analysis of web browser data during normal and private browsing.
Conference Paper
Full-text available
The design and development of secure systems is an important and challenging task. However, such systems should also be prepared for eventual disputes or occurrences of a security incident. To solve this, forensic-ready software systems are, by-design, prepared to assist in the forensic investigation and to provide on-point data with high evidentiary value. However, software engineering support for the systematic development of such software systems is rather sparse. This paper tackles the problem by introducing novel modelling notation, called BPMN for Forensic-Ready Software Systems (BPMN4FRSS), including its syntax and semantics. The notation aims to capture the forensic-ready controls and enable reasoning over them, primarily focusing on potential digital evidence. Importantly, it is made to support forensic readiness oriented risk management decisions. The approach is then demonstrated in a scenario where the controls, which mitigate security and business risks, are properly represented.
Preprint
Full-text available
The design and development of secure systems is an important and challenging task. However, such systems should also be prepared for eventual disputes or occurrences of a security incident. To solve this, forensic-ready software systems are, by-design, prepared to assist in the forensic investigation and to provide on-point data with high evidentiary value. However, software engineering support for the systematic development of such software systems is rather sparse. This paper tackles the problem by introducing novel modelling notation , called BPMN for Forensic-Ready Software Systems (BPMN4FRSS), including its syntax and semantics. The notation aims to capture the forensic-ready controls and enable reasoning over them, primarily focusing on potential digital evidence. Importantly, it is made to support forensic readiness oriented risk management decisions. The approach is then demonstrated in a scenario where the controls, which mitigate security and business risks, are properly represented.
Chapter
With the development of technology, the scale of cybercrime is increasing drastically, which in turn increases the workload of managing digital evidence. Besides managing the evidence, ensuring its integrity and security is crucial for delivering correct verdicts. In the traditional system the evidence is vulnerable to tampering, hence using a chain of custody is beneficial. In this paper, we have analyzed and compared various systems proposed over the past years and identified their pros and cons. This study would be beneficial in future for proposing a better system for evidence management.
Keywords: Blockchain, Chain of custody, Digital forensics, Digital evidence, Cybercrime
Article
When handling a security incident, there is a lot of information that needs to be stored, processed, and analyzed. As a result of the volume of information and the necessity to deal with a security incident investigation promptly, different forensic tools have been developed to provide cyber threat intelligence and security incident response management platforms and solutions. These platforms enable responders to effectively collaborate in identifying and investigating incidents, manage their work on a case from creation until resolution or completion, and automate incident response tasks with external threat information. Since incident response services are a growing priority at organizations, there is a pressing need for a trustworthy and transparent way to maintain the authenticity and integrity of investigative actions that is independently verifiable. Generally, security incident case management allows a security analyst to add related logs. Aside from the possibility of a log being deleted, it is difficult to audit the log for traceability and provenance if a user decides to be malicious. To address this problem, we propose utilizing a blockchain ledger for security investigative actions and associated metadata by extracting requirements for cybersecurity incident response from the models gathered through the analysis of an open-source incident management platform. We demonstrate the applicability of the proposed techniques and methods by investigating a case scenario of evidence actions within TheHive security incident response platform (SIRP).
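The tamper-evident ledger of investigative actions described above, as an added example that is not TheHive's code or the paper's implementation: a hash chain in which every custody entry commits to the evidence hash, the actor, the action, a timestamp and the digest of the previous entry, so that editing, deleting or reordering an entry breaks every later link. The entry fields, the fixed-width UTC timestamp format and the sample actions are constructed for illustration; in the scheme the page argues for, the timestamp field would carry a TSA token rather than a value the operator typed in.

```python
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from datetime import datetime
from typing import List, Tuple

# Added example, not TheHive's code: a hash-chained custody ledger for
# investigative actions. Each entry commits to the evidence hash, the actor,
# the action, a timestamp and the digest of the previous entry, so editing,
# deleting or reordering any entry breaks every later link.

GENESIS = "0" * 64
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"   # assumed: UTC, fixed width


@dataclass(frozen=True)
class Entry:
    seq: int
    prev_hash: str
    evidence_sha256: str
    actor: str
    action: str
    timestamp: str   # in production a TSA token, not a value from the local clock

    def digest(self) -> str:
        # Canonical JSON (sorted keys, no whitespace) so every verifier hashes the same bytes.
        payload = json.dumps(asdict(self), sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode()).hexdigest()


class CustodyLedger:
    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def append(self, evidence: bytes, actor: str, action: str, timestamp: str) -> Entry:
        prev = self.entries[-1].digest() if self.entries else GENESIS
        entry = Entry(len(self.entries), prev, hashlib.sha256(evidence).hexdigest(),
                      actor, action, timestamp)
        self.entries.append(entry)
        return entry


def verify_chain(entries: List[Entry]) -> Tuple[bool, str]:
    """Walk the chain and report the first entry at which it stops being trustworthy."""
    prev_hash, prev_ts = GENESIS, None
    for i, e in enumerate(entries):
        if e.seq != i:
            return False, f"gap or reordering at position {i} (seq {e.seq})"
        if e.prev_hash != prev_hash:
            return False, f"broken link at seq {i}"
        try:
            ts = datetime.strptime(e.timestamp, TS_FORMAT)
        except ValueError:
            return False, f"malformed timestamp at seq {i}"
        if prev_ts is not None and ts < prev_ts:
            return False, f"timestamp goes backwards at seq {i}"
        prev_hash, prev_ts = e.digest(), ts
    return True, "chain intact"


def verify_evidence(entries: List[Entry], seq: int, evidence: bytes) -> bool:
    """Does the evidence presented today still match the hash recorded at `seq`?"""
    return hashlib.sha256(evidence).hexdigest() == entries[seq].evidence_sha256


if __name__ == "__main__":
    image = b"constructed disk image bytes"
    ledger = CustodyLedger()
    ledger.append(image, "officer.a", "acquired", "2024-03-01T09:00:00Z")
    ledger.append(image, "officer.a", "transported", "2024-03-01T11:30:00Z")
    ledger.append(image, "analyst.b", "analysed", "2024-03-02T08:15:00Z")
    print(verify_chain(ledger.entries))
    # A malicious user rewrites the second action; the third entry no longer links to it.
    tampered = list(ledger.entries)
    tampered[1] = replace(tampered[1], action="destroyed")
    print(verify_chain(tampered))
```

The chain only proves that entries were not altered after the fact by someone without the ability to rewrite every later entry; anchoring each digest in an external time stamp token, as the page proposes, is what removes that residual capability from the ledger's own operators.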
Article
Full-text available
Establishing the time at which a particular event happened is a fundamental concern when relating cause and effect in any forensic investigation. Reliance on computer generated timestamps for correlating events is complicated by uncertainty as to clock skew and drift, environmental factors such as location and local time zone offsets, as well as human factors such as clock tampering. Establishing that a particular computer's temporal behaviour was consistent during its operation remains a challenge. The contributions of this paper are both a description of assumptions commonly made regarding the behaviour of clocks in computers, and empirical results demonstrating that real world behaviour diverges from the idealised or assumed behaviour. We present an approach for inferring the temporal behaviour of a particular computer over a range of time by correlating commonly available local machine timestamps with another source of timestamps. We show that a general characterisation of the passage of time may be inferred from an analysis of commonly available browser records.
Conference Paper
This research paper addresses the methodology and approaches to managing criminal computer forensic investigations in a law enforcement environment with management controls, operational controls, and technical controls. Management controls cover policy and standard operating procedures (SOPs), methodology, and guidance. Operational controls cover SOP requirements, seizing evidence, evidence handling, best practices, and education, training and awareness. Technical controls cover acquisition and analysis procedures, data integrity, rules of evidence, presenting findings, proficiency testing, and data archiving.
Article
Recovered fragment of a table (columns: Method, Description, Common Types, Advantages, Disadvantages); only the description of the checksum method survives: a method of checking for errors in digital data. Typically a 16- or 32-bit polynomial is applied to each byte of digital data that you are trying to protect. The result is a small integer value that is 16 or 32 bits in length and represents the concatenation of the data. This integer value must be saved...
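The checksum described above is an error-detecting code, and its disadvantage for evidence integrity is that it is linear: whoever alters the data can append four chosen bytes and restore the original CRC-32. The following added example (not code from the cited article) shows that forgery against zlib's CRC-32 and contrasts it with SHA-256, which forensic tools use precisely because no such shortcut exists. The evidence strings and the function names are constructed for illustration.

```python
import hashlib
import zlib
from typing import Dict

# Added example; not code from the cited article. A CRC detects accidental
# corruption but is linear over GF(2), so anyone who changes the data can append
# four bytes that restore the original CRC-32. SHA-256 has no such property.

POLY = 0xEDB88320          # reflected CRC-32 polynomial, as used by zlib
MASK = 0xFFFFFFFF

CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ POLY if _c & 1 else _c >> 1
    CRC_TABLE.append(_c)

# The high bytes of the 256 table entries form a permutation of 0..255, so the
# top byte of a register identifies the table index that produced it.
INDEX_BY_HIGH_BYTE: Dict[int, int] = {CRC_TABLE[i] >> 24: i for i in range(256)}
assert len(INDEX_BY_HIGH_BYTE) == 256


def crc32_forge_suffix(data: bytes, target_crc: int) -> bytes:
    """Four bytes s such that zlib.crc32(data + s) == target_crc."""
    target_reg = target_crc ^ MASK          # zlib XORs the register with MASK on output
    # Backward pass: which four table indices take register 0 to target_reg?
    t, indices = target_reg, []
    for _ in range(4):
        k = INDEX_BY_HIGH_BYTE[t >> 24]
        indices.append(k)
        t = ((t ^ CRC_TABLE[k]) << 8) & MASK
    indices.reverse()                       # k0..k3 in processing order
    # Forward pass from register 0: byte i is index i XOR the register's low byte.
    reg, zero_bytes = 0, []
    for k in indices:
        zero_bytes.append(k ^ (reg & 0xFF))
        reg = CRC_TABLE[k] ^ (reg >> 8)
    assert reg == target_reg
    # Feeding bytes b into register R equals feeding b XOR bytes(R) into register 0,
    # so XOR in the register the real data leaves behind (low byte first).
    r = zlib.crc32(data) ^ MASK
    return bytes(zero_bytes[i] ^ ((r >> (8 * i)) & 0xFF) for i in range(4))


def forge(original: bytes, tampered: bytes) -> bytes:
    """The tampered data, padded so that its CRC-32 equals the original's."""
    return tampered + crc32_forge_suffix(tampered, zlib.crc32(original))


def integrity_report(original: bytes, candidate: bytes) -> Dict[str, bool]:
    """What a checksum-only tool and a hash-based tool would each report."""
    return {
        "crc32_matches": zlib.crc32(candidate) == zlib.crc32(original),
        "sha256_matches": hashlib.sha256(candidate).digest() == hashlib.sha256(original).digest(),
    }


if __name__ == "__main__":
    acquired = b"constructed evidence: ledger shows transfer of 1000 EUR on 2024-03-01\n"
    altered = acquired.replace(b"1000", b"9000")
    forged = forge(acquired, altered)
    print(forged[-4:].hex(), integrity_report(acquired, forged))
```

The four-byte suffix lands at the end of the file, where a text viewer or a slack-space-tolerant parser will not notice it; a verifier that compares file lengths as well as checksums would, which is one more reason the check should be a cryptographic hash rather than a checksum plus heuristics.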
Conference Paper
Timestamps stored on digital media play an important role in digital investigations. However, the evidentiary value of timestamps is questionable because timestamps can be manipulated or they could refer to a clock that is erroneous or improperly adjusted. This paper presents a formalism for defining clock hypotheses based on historical adjustments to clocks, and for testing the consistency of the hypotheses with respect to stored timestamps. Two consistency tests are proposed for justifying clock hypotheses without having to rely on timestamps from external sources.
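An added example covering both of the clock-analysis abstracts above, the correlation of local timestamps with another timestamp source and the testing of clock hypotheses against stored timestamps; it is not code from either paper. Part 1 fits a clock's offset and drift to constructed browser-cache records (a cached object's local mtime paired with the HTTP Date header the server sent) and flags a record that departs from the fitted line; the Theil-Sen fit is my choice of estimator, not the paper's. Part 2 expresses a clock hypothesis as a piecewise-constant offset with one segment per manual adjustment and tests it against timestamps whose causal order is known, which is the shape of the consistency test the abstract describes, with the sample timestamps, the hypothesis constants and all function names constructed for illustration.

```python
from dataclasses import dataclass
from statistics import median
from typing import List, Sequence, Tuple

# Added example, not code from either paper. Part 1 infers a clock's offset and
# drift by correlating local timestamps with an external reference; part 2 tests
# a clock hypothesis (a history of manual adjustments) against stored timestamps
# whose causal order is known, using no external source.

# Constructed records: (local_clock, reference_clock) in epoch seconds, one per
# day. The clock runs 600 s fast and gains 2 s/day; on the last day someone set
# it back by an hour.
CACHE_RECORDS: List[Tuple[int, int]] = [
    (1_700_000_600, 1_700_000_000),
    (1_700_087_002, 1_700_086_400),
    (1_700_173_404, 1_700_172_800),
    (1_700_259_806, 1_700_259_200),
    (1_700_342_608, 1_700_345_600),
]


def fit_clock(records: Sequence[Tuple[int, int]]) -> Tuple[float, float, List[float]]:
    """Theil-Sen fit of offset = local - reference as a line in local time.
    Median-based, so a single tampered record does not drag the fit with it.
    Returns (offset at the first record, drift in s/s, per-record residuals)."""
    x0 = records[0][0]
    xs = [loc - x0 for loc, _ in records]
    ys = [loc - ref for loc, ref in records]
    slopes = [(ys[j] - ys[i]) / (xs[j] - xs[i])
              for i in range(len(xs)) for j in range(i + 1, len(xs))]
    drift = median(slopes)
    offset0 = median(y - drift * x for x, y in zip(xs, ys))
    residuals = [y - (offset0 + drift * x) for x, y in zip(xs, ys)]
    return offset0, drift, residuals


def suspicious_records(records: Sequence[Tuple[int, int]], tolerance_s: float = 60.0) -> List[int]:
    """Indices whose offset departs from the fitted line by more than tolerance_s:
    candidates for a manual clock change rather than ordinary drift."""
    _, _, residuals = fit_clock(records)
    return [i for i, r in enumerate(residuals) if abs(r) > tolerance_s]


@dataclass(frozen=True)
class ClockHypothesis:
    """Piecewise-constant offset: local = true + offset while start <= true < end,
    with a new segment wherever the clock was adjusted. Drift is ignored here;
    part 1 shows it is seconds per day against an adjustment of an hour."""
    segments: Tuple[Tuple[float, float, float], ...]   # (start, end, offset) in true time

    def true_times(self, local: float) -> List[float]:
        """Every true instant at which the clock read `local`: two after a
        set-back, possibly none after a set-forward."""
        return [local - off for start, end, off in self.segments
                if start <= local - off < end]


def consistent(h: ClockHypothesis, ordered_pairs: Sequence[Tuple[float, float]]) -> Tuple[bool, str]:
    """Can h explain every (earlier_local, later_local) pair whose order is known
    from causality, e.g. a file's creation before its last modification?"""
    for earlier, later in ordered_pairs:
        t_e, t_l = h.true_times(earlier), h.true_times(later)
        if not t_e or not t_l:
            return False, f"a timestamp in ({earlier}, {later}) cannot occur under the hypothesis"
        if min(t_e) > max(t_l):
            return False, f"{earlier} cannot precede {later} under the hypothesis"
    return True, "consistent"


# Constructed stored timestamps (local clock): a file created, then modified,
# yet the modification time is earlier. H0 cannot explain it; H1 can.
STORED_PAIRS = [(1_700_344_900, 1_700_342_500)]
NO_ADJUSTMENT = ClockHypothesis(((0.0, float("inf"), 600.0),))
SET_BACK_ONE_HOUR = ClockHypothesis(((0.0, 1_700_345_000.0, 600.0),
                                     (1_700_345_000.0, float("inf"), -3000.0)))

if __name__ == "__main__":
    offset0, drift, _ = fit_clock(CACHE_RECORDS)
    print(f"offset {offset0:.1f} s, drift {drift * 1e6:.2f} ppm, "
          f"suspicious {suspicious_records(CACHE_RECORDS)}")
    print(consistent(NO_ADJUSTMENT, STORED_PAIRS), consistent(SET_BACK_ONE_HOUR, STORED_PAIRS))
```

A hypothesis that survives the consistency test is not thereby proven; it is merely one the stored timestamps do not rule out, and a competing hypothesis (a later set-back, or a set-forward followed by a set-back) may survive the same test, which is why the external correlation in part 1 and an independently time-stamped custody record remain necessary.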