Article

Forensic-chain: Blockchain based digital forensics chain of custody with PoC in Hyperledger Composer


Abstract

Advancements in the Information Technology landscape over the past two decades have made the collection, preservation, and analysis of digital evidence an extremely important tool for solving cybercrimes and preparing court cases. Digital evidence plays an important role in cybercrime investigation, as it is used to link individuals with criminal activities. Thus, it is of utmost importance to guarantee the integrity, authenticity, and auditability of digital evidence as it moves along different levels of the hierarchy in the chain of custody during a cybercrime investigation. Modern-day technology is more advanced in terms of portability and power. A huge amount of information is generated by billions of devices connected to the internet that needs to be stored and accessed, posing great challenges in maintaining the integrity and authenticity of digital evidence for its admissibility in a court of law. Handling digital evidence poses unique challenges because it is latent, volatile, fragile, can cross jurisdictional borders quickly and easily, and in many cases can be time/machine dependent too. Thus, guaranteeing the authenticity and legality of the processes and procedures used to gather and transfer evidence in a digital society is a real challenge. Blockchain technology's capability of enabling a comprehensive view of transactions (events/actions) back to their origination provides enormous promise for the forensic community. In this research we proposed Forensic-Chain: A Blockchain based Digital Forensics Chain of Custody, bringing integrity and tamper resistance to the digital forensics chain of custody. We also provided a Proof of Concept in Hyperledger Composer and evaluated its performance.


... The works classified under data management include those proposing novel models for data processing and chain of custody preservation methodologies. The use of permissioned blockchains [14,26,43] is stated as a measure to enhance scalability, as is the use of lightweight consensus mechanisms [41]. Advanced evidence collection and feature classification [5], as well as the relevance of the timeline of events and chain of custody [42,6], are other features discussed by authors. ...
... Multimedia [20,39,46]; Cloud [35,36,45]; Data Management [5,14,26,41,42,43]; Internet of Things [7,18,23,38]; Health [27]; Mobile [15,16]; Smart Grid [22]; Transportation Systems [4,9,21,29]. However, the main drawback of the proposed solutions is that they only offer architectural designs and do not provide full exploitation of blockchain, with only a few of them offering practical implementations [26,41,6]. ...
Chapter
As the digitization of information-intensive processes gains momentum nowadays, concern is growing about how to deal with the ever-growing problem of cybercrime. To this end, law enforcement officials and security firms use sophisticated digital forensics techniques for analysing and investigating cybercrimes. However, multi-jurisdictional mandates, interoperability issues, the massive amount of evidence gathered (multimedia, text, etc.) and the multiple stakeholders involved (law enforcement agencies, security firms, etc.) are just a few of the various challenges that hinder the adoption and implementation of sound digital forensics schemes. Blockchain technology has recently been proposed as a viable solution for developing robust digital forensics mechanisms. In this chapter, we provide an overview and classification of the available blockchain-based digital forensic tools, and we further describe their main features. We also offer a thorough analysis of the various benefits and challenges of the symbiotic relationship between blockchain technology and current digital forensics approaches, as proposed in the available literature. Based on the findings, we identify various research gaps, and we suggest future research directions that are expected to be of significant value both for academics and practitioners in the field of digital forensics.
... Blockchain technology is a game-changer in digital forensics, especially when multiple stakeholders are involved [7]. Blockchain is a series of append-only, immutable, transparent data structures (i.e., blocks) that store the details of every transaction on the peer-to-peer network [7,9]. Blockchain has become the most promising technology to achieve integrity, auditability, transparency, security, authenticity, etc. ...
... It is found that most of the work in forensics using blockchain focuses on auditability by ensuring the integrity of CoC, as proposed in papers [9,14,15,16,17]. ...
... The author Lone proposed two different models [9,16] to ensure the integrity of CoC using blockchain. In his first model [16], he implements a forensic chain using Ethereum and smart contracts. ...
Article
Full-text available
In cloud forensics, ensuring the integrity of the evidence such that it is admissible in a court of law is essential. There is always a possibility that multiple stakeholders involved in the investigation of cloud incidents can collude to tamper with the evidence for their benefit. To ensure the integrity of evidence in the cloud, most researchers in this domain have proposed applying blockchain to cloud forensic artifacts. These artifacts include cloud logs, the chain of custody, and the metadata of files on the cloud. Most of the proposed solutions are computing the hash value of the forensic artifacts and pushing the hash value to the blockchain. Later, these hash values verify the integrity of the forensic artifact. In this paper, along with ensuring the integrity of evidence by using hash values, we propose an investigation model that provides tamper-proof and transparent investigation across the stakeholders involved in the investigation of the cloud virtual machines. Also, using blockchain technology in the proposed investigation model ensures the availability of evidence for analysis throughout the investigation to all participating stakeholders. We validated the proposed model using a case study for the proof of concept and evaluated its performance using Hyperledger Caliper.
... However, the current traditional digital forensic process lacks standardized procedures and mechanisms, making it inherently vulnerable to various tampering and forgery occurrences against recent cybercrime incidents. Such incidents typically occur due to continuous technological advancements and a lack of knowledge and expertise at the forensic expert level when collecting, storing and analyzing the forensic evidence for a particular cybercrime use case [5]. ...
... This traditional layered process is considered insecure while collecting, preserving, and storing digital evidence [10]. The database systems involved also cannot maintain and preserve the integrity, originality and confidentiality of the collected evidence, nor the related chain of custody of the various events that occurred in a specific sequence while collecting, transferring, storing, analyzing and interpreting the evidence to solve a cybercrime incident [11], [5]. On the other hand, cybercriminals instigate malicious activities through multimedia and network devices, such as business credential leakage, information theft and unauthorized access [12]. ...
... 4. The proposed architecture is simulated using sequence diagrams in a private permissioned Hyperledger network. 5. Blockchain implementation open challenges are discussed with future research directions. ...
Article
Full-text available
Due to globalization and worldwide connectivity, multimedia data exchange over the Internet has increased significantly in the last decade. The life cycle of multimedia content is also getting more multifaceted as more people access, share, modify and re-use multimedia information. This poses serious challenges for the multimedia industry to provide integrity, reliability and trustworthiness for multimedia investigations against growing cybersecurity threats. This paper bridges this gap by enabling a secure and transparent digital forensic investigation process using blockchain technology. MF-Ledger, a novel, secure and efficient Hyperledger Sawtooth-enabled digital forensic investigation architecture, is proposed, in which participating stakeholders create a private network to exchange and agree on different investigation activities before they are stored on the blockchain ledger. We have created digital contracts (smart contracts) and implemented them using sequence diagrams to handle the stakeholders' secure interaction in the investigation process. The proposed architectural solution delivers robust information integrity, prevention, and preservation mechanisms to permanently and immutably store the evidence (chain of custody) in a private permissioned encrypted blockchain ledger.
... Furthermore, digital evidence handled online increasingly includes many video files, which occupy a substantial amount of storage space; hence, storing such evidence on the blockchain is infeasible. Auqib Hamid Lone et al. proposed Forensic-Chain, a blockchain-based digital forensics chain of custody with a PoC in Hyperledger Composer [9]. As in reference [8], the authors did not consider the differences in evidence handling among different parties. ...
... Input: transaction proposal TP; Output: endorsement result;
    (1)  if (C1 ∈ Org1 && C2 ∈ Org2) || (C1 ∈ Org1 && C2 ∈ Org3) then
    (2)      ACK ← D(P_C2, TP.ack)   // decrypt ACK with receiver's public key
    (3)      if TP.ack is signed by TP.recID then
    (4)          if ACK.transactionID == TP.txID &&
    (5)             ACK.R == H(Root({M(TP.prooflist.hash)})) then
    (6)              simulate the transaction;
    (7)              calculate the read-write set;
    (8)              sign the endorsement file;
    (9)              return signed endorsement file;
    (10)         end if
    (11)     end if
    (12) else
    (13)     return false;
    (14) end if
    ALGORITHM 1: Chaincode of evidence sending. ...
... ∈ EVS_D then (7) if SD_evi.flag_org_r == 1 then (8) for all organizations org that have higher priority than org_r do (9) if SD_evi.valid_org == 0 then (10) if SD_evi.flag ...
Article
Full-text available
In the process of handling criminal cases, it is crucial to avoid evidence tampering and ensure the integrity, consistency, and nonrepudiation of evidence transfer records, which is highly related to the fairness and credibility of the judiciary. To address this problem, we propose a consortium blockchain network to record evidence transfer events among different departments of China's judicial system. We design the format of a transaction and a block. In addition, smart contracts for three types of transactions are also proposed. The Raft consensus algorithm is adopted to accomplish the consensus process. A security analysis shows that the proposed scheme can achieve the design goal (the integrity, consistency, and nonrepudiation of evidence transfer records stored in the blockchain). Furthermore, a set of experiments was conducted to analyse the performance of the proposed scheme. The experimental results show that the throughput of the system is proportional to the send rate within a certain threshold. The latency decreases with increasing send rate if the send rate is within a certain threshold. Peer nodes in the system consume the most storage and communication cost. The values of block size and block generation interval time have a slight influence on the performance of the system.
... "Digital Forensic Chain of custody (CoC) can be defined as a process used to maintain and document the chronological history of handling digital evidence" [12]. It records the minute details related to digital evidence across the different levels of the hierarchy, that is, from the lowest level of the hierarchy to the highest authority responsible for cybercrime. It is also used as a reference for collecting, analyzing and preserving evidence, the people responsible for it, and the time and place of collecting the evidence; in some cases the evidence may be subject to change during its course in the absence of proper maintenance and preservation, which leads to its not being accepted by the Internet Crime Court [12]. They categorize the attempts at improving the CoC into direct attempts, including:
- (DEMP) Digital Evidence Management Framework, which provides a secure and reliable CoC.
- (DEC) Digital Evidence Cabinets, for enhancing the handling of digital evidence. ...
... Indirect attempts, including:
- (UMML) Unified Modelling methodology framework for planning, documenting and performing forensics tasks.
- "Flow thing Model (FM) that involves six operations (create, release, transfer, arrive, accept, and process)" [12]. ...
Article
Full-text available
With the development of technology, crime is no longer limited to traditional crimes but has evolved, in its modern sense, into electronic crimes that have their own tools for penetration, extortion, theft, money laundering and electronic exchange; concealing the effects of these crimes increases the difficulty of investigation. Therefore, there is an urgent need to develop electronic tools in forensic medicine to keep pace with this type of crime, search for criminals and collect evidence to be used against them before the court. From here the topic of these tools has evolved; in this scientific paper we address these tools, identify their strengths and weaknesses, and suggest appropriate solutions and tools that cover all aspects of the evidence to assist investigators in selecting the appropriate tool.
... Digital evidence may take the form of images, videos, text, or device logs. Additionally, it incorporates data from social media platforms such as Twitter, Instagram, and Facebook [3-10]. ...
... Meanwhile, a Chain of Custody (CoC) is a critical process in the management of evidence and investigations. CoC is a term that refers to the process of preserving and documenting the chronological history of digital evidence [4][5][6]. CoC and integrity of digital evidence play a part in the digital process of forensic investigation since forensic investigators must know where, when, and how digital evidence was found, gathered, tracked, handled, and preserved throughout its trip to a court of law. A proper CoC must include documentation that addresses each of these points. ...
... There are many indications that may be used to identify problems with the management of CoC [6,16-19]: (1) threats to the data integrity of digital evidence throughout its lifetime; (2) a massive amount of data is produced by billions of linked devices and must be stored, presenting significant difficulties in ensuring authenticity; (3) because digital evidence is complicated and volatile, and may be altered inadvertently or incorrectly after acquisition, the CoC must guarantee that the evidence gathered is admissible in court; (4) as the number of devices and types of software in the computer and information technology fields continues to increase, cybercrime investigation faces difficulties in terms of the amount of evidence being examined; (5) securing the documentation of the CoC, which is a critical problem since digital evidence may be copied and transferred to other systems; and (6) CoC adaptability and capacity, which comes as a result of the growing amount of data produced by different new digital forensics technologies. ...
Article
Full-text available
Digital evidence is critical in cybercrime investigations because it is used to connect individuals to illegal activity. Digital evidence is complicated, diffuse, volatile, and easily altered, and as such, it must be protected. The Chain of Custody (CoC) is a critical component of the digital evidence procedure. The aim of the CoC is to demonstrate that the evidence has not been tampered with at any point throughout the investigation. Because the uncertainty associated with digital evidence is not being assessed at the moment, it is impossible to determine the trustworthiness of CoC. As scientists, forensic examiners have a responsibility to reverse this tendency and officially confront the uncertainty inherent in any evidence upon which they base their judgments. To address these issues, this article proposes a new paradigm for ensuring the integrity of digital evidence (CoC documents). The new paradigm employs fuzzy hash within blockchain data structure to handle uncertainty introduced by error-prone tools when dealing with CoC documents. Traditional hashing techniques are designed to be sensitive to small input modifications and can only determine if the inputs are exactly the same or not. By comparing the similarity of two images, fuzzy hash functions can determine how different they are. With the symmetry idea at its core, the suggested framework effectively deals with random parameter probabilities, as shown in the development of the fuzzy hash segmentation function. We provide a case study for image forensics to illustrate the usefulness of this framework in introducing forensic preparedness to computer systems and enabling a more effective digital investigation procedure.
... It possesses the necessary features for preserving transaction authenticity, which has made it a technology of choice for applications requiring validity. Blockchain is a computer security tool that is adequate for guaranteeing transparency, authenticity, and auditing of digital records [15]. ...
... Forensic-Chain [15] was built on top of Hyperledger. It is a permissioned blockchain solution for recording evidence during the digital forensic investigation process. ...
Article
Full-text available
The originality of data is very important for achieving correct results from forensic analysis of data for resolving the issue. Data may be analysed to resolve disputes or review issues by finding trends in the dataset that can give clues to the cause of the issue. Specially designed foolproof protection for data integrity is required for forensic purposes. Collaborative Integrity Checking Mechanism (CICM), for securing the chain-of-custody of data in a blockchain is proposed in this paper. Existing consensus mechanisms are fault-tolerant, allowing a threshold for faults. CICM avoids faults by using a transparent 100% agreement process for validating the originality of data in a blockchain. A group of agreement actors check and record the original status of data at its time of arrival. Acceptance is based on general agreement by all the participants in the consensus process. The solution was tested against practical byzantine fault tolerant (PBFT), Zyzzyva, and hybrid byzantine fault tolerant (hBFT) mechanisms for efficacy to yield correct results and operational performance costs. Binomial distribution was used to examine the CICM efficacy. CICM recorded zero probability of failure while the benchmarks recorded up to 8.44%. Throughput and latency were used to test its operational performance costs. The hBFT recorded the best performance among the benchmarks. CICM achieved 30.61% higher throughput and 21.47% lower latency than hBFT. In the robustness against faults tests, CICM performed better than hBFT with 16.5% higher throughput and 14.93% lower latency than the hBFT in the worst-case fault scenario.
... Essentially, these categories of applications are intertwined, as they complement each other and gather similar elements of value. Real-world examples can be found in the agri-food sector [23,24], luxury market [25,26], digital forensics [27], pharmaceuticals [28,29], and international cargo logistics [30], to mention just a few. ...
Article
Full-text available
Doping is a well-known problem in competitive sports. Over the years, several cases have come to public attention, evidencing corrupt practices from within the sports environment. To guarantee fair play and prevent public health issues, anti-doping organizations and sports authorities are expected to cooperate in the fight against doping. To achieve this mission, doping-related data must be produced, stored, accessed, and shared in a secure, tamperproof, and privacy-preserving manner. This paper investigates the processes and tools established by the World Anti-Doping Agency for the global harmonization of doping control activities. From this investigation, it is possible to conclude that there is an inherent trust problem, in part due to a centralized data management paradigm and to the lack of fully digitalized processes. Therefore, this paper presents two main contributions: the concept of a multiorganizational decentralized data governance model and a blockchain-based design for one of the most sensitive data-sharing processes within the anti-doping ecosystem. Throughout this article, it is shown that the adoption of a permissioned blockchain can benefit the whole anti-doping community, creating more reliable processes for handling data, where privacy and security are enhanced.
... Differently from incident response, the investigation of cryptocurrency-driven blockchains also concerns transactions related to fraud, extortion, money laundering, and tax evasion during forensic accounting exercises [37,38]. Finally, permissioned/private blockchains can be useful for chain-of-custody management of digital evidence [39,40]. ...
Article
Programming errors in Ethereum smart contracts can result in catastrophic financial losses from stolen cryptocurrency. While vulnerability detectors can prevent vulnerable contracts from being deployed, this does not mean that such contracts will not be deployed. Once a vulnerable contract is instantiated on the blockchain and becomes the target of attacks, the identification of exploit transactions becomes indispensable in assessing whether it has actually been exploited and identifying which malicious or subverted accounts were involved. In this work, we study the problem of post-factum investigation of Ethereum attacks using Indicators of Compromise (IoCs) specially crafted for use in the blockchain. IoC definitions need to capture the side-effects of successful exploitation in the context of the Ethereum blockchain. Therefore, we define a model for smart contract execution, comprising multiple abstraction levels that mirror the multiple views of code execution on a blockchain. Subsequently, we compare IoCs defined across the different levels in terms of their effectiveness and practicality through EtherClue, a prototype tool for investigating Ethereum security incidents. Our results illustrate that coarse-grained IoCs defined over blocks of transactions can detect exploit transactions with less computation; however, they are contract-specific and suffer from false negatives. On the other hand, fine-grained IoCs defined over virtual machine instructions can avoid these pitfalls at the expense of increased computation, which is nevertheless acceptable for practical use.
... Additionally, the complexity of the tasks to be carried out and the required compliance with law and courts' regulations has led to the establishment of strict protocols and procedures to be followed [10]- [12]. The continuous appearance of new forms of cybercrime also requires adaptive investigation process models, new technology, and advanced techniques to deal with such incidents [13]- [15]. ...
Preprint
Full-text available
Due to its critical role in cybersecurity, digital forensics has received much focus from researchers and practitioners. The ever-increasing sophistication of modern cyberattacks is directly related to the complexity of evidence acquisition, which often requires the use of different technologies. To date, researchers have presented many surveys and reviews in the field. However, such works focused on the advances of each domain of digital forensics individually. Therefore, while each of these surveys helps researchers and practitioners keep up with the latest advances in a particular domain of digital forensics, the overall picture is missing. By following a sound research methodology, we performed a qualitative meta-analysis of the literature in digital forensics. After a thorough analysis of this literature, we identified key issues and challenges that span different domains and allow us to draw promising research lines, facilitating the adoption of strategies to address them.
... It introduces a membership service that establishes rules and regulations by which different stakeholders are governed, authenticated, validated, and verified to be part of the blockchain network and allowed to access the ledger for ensuring secrecy, privacy, and confidentiality. The membership service is a new comprehensive novel design that revamps the whole process of nondeterminism, resource exhaustion, and performance attacks for the participating stakeholders [76]. Access control lists can be used to provide additional layers of permission. ...
Preprint
Full-text available
Cloud computing is a well-known technology that provides flexible, efficient, and cost-effective IT solutions for multinationals to offer improved and enhanced quality of business services to end-users. The cloud computing paradigm originates from the grid and parallel computing models. It uses virtualization, server consolidation, utility computing, and other computing technologies and models to provide better IT solutions for large-scale computational data centres. It encompasses different services supporting data storage, networking, and computing facilities for businesses and multinational corporations. The enormous elastic on-demand cloud provisioning resources, services and datasets are processed and stored in tier-level virtualized cloud data centres operated by third-party service providers called cloud owners. The primary issue for these cloud service providers is to provide and maintain data security, privacy, confidentiality, service availability and data support for end-users. This paper reviews, highlights and discusses some of the common cloud computing vulnerabilities, primarily related to virtualization platforms and their implementations, while outsourcing services and resources to different end-users and business enterprises. We then provide blockchain-enabled solutions for virtualized cloud platforms involving both end-users and cloud service providers (CSP) to address various security and privacy-related vulnerabilities. These solutions will help the data centre industry to improve its virtualized cloud services and resource provisioning facilities. Finally, we discuss different blockchain-related implementation challenges in cloud infrastructures.
... Hyperledger Composer aims to simplify the modeling needed to implement a business network and its transaction logic. It is a collaboration tool that accelerates smart contract development and distributed ledger structuring [40], [41]. With this tool, collaboration networks can be modeled and integrated into systems. ...
... The works classified in data management topic present different models for data processing based on scalable solutions such as permissioned blockchains (Gopalan et al. 2019;Lone and Mir 2019;Xiong and Du 2019) and blockchains using lightweight consensus mechanisms (Tian et al. 2019). Other relevant features showcased by authors are the verifiability of the trail of events (Weilbach and Motara 2019; Bonomi et al. 2020) and the classification of the evidence in terms of features, enabling further data processing (Billard 2018). ...
Article
Full-text available
The financial crime landscape is evolving along with the digitisation of financial services. Laws, regulations and forensic methodologies cannot efficiently cope with the growth pace of novel technologies, which translates into late adoption of measures and legal voids, providing a fruitful landscape for malicious actors. In this regard, the features offered by blockchain technology, such as immutability, verifiability, and authentication, enhance the robustness of financial forensics. This paper provides a taxonomy of the prevalent financial investigation techniques and a thorough state-of-the-art of blockchain-based digital forensic approaches. Moreover, we design and implement a forensic investigation framework based on standardised procedures and document the corresponding methodology for embezzlement scheme investigations. The feasibility and adaptability of our approach can be extended and embrace all types of fraud investigations and regular internal audits. We provide a functional Ethereum-based implementation, and we integrate standardised forensic flows and chain of custody preservation mechanisms. Finally, we discuss the challenges of the symbiotic relationship between blockchain and financial investigations, along with the managerial implication and future research directions.
... The information stored inside their proposed systems is publicly accessible, which does not preserve the privacy of an organization. The Hyperledger Composer concept was introduced, with the necessary evaluation, in [8]. Only semantic details can be accumulated in this system. ...
Conference Paper
Full-text available
Forensic Science includes scientific methods to find out the actual cause of a crime and to bring justice to the victims. Forensic reports incorporate information regarding different crimes. These details are considered extremely valuable and confidential, as they help law enforcement agencies and prosecutors to ensure punishment of the blameworthy persons. These reports require security that restricts access to authorized persons only. Blockchain stores every transaction occurring in the system, and these transactions cannot be removed or modified because of their immutability. In this work, the Inter-Planetary File System (IPFS) and a Hyperledger-based private blockchain are assembled to implement a secure forensic information storing system. Our system enables the tracing of any illegitimate entrance or data tampering by intruders. Our proposed hybrid approach surpasses the classical public blockchain systems, i.e., Bitcoin and Ethereum, in terms of transaction processing time, achieving an average of 11.99 seconds per transaction. This system also facilitates the storing of heavyweight features, which is not possible inside the existing blockchain frameworks.
... Differently from incident response, the investigation of cryptocurrency-driven blockchains also concerns transactions related to fraud, extortion, money laundering and tax evasion during forensic accounting exercises [31,32]. Finally, permissioned/private blockchains can be useful for chain-of-custody management of digital evidence [33,34]. ...
Preprint
Full-text available
Programming errors in Ethereum smart contracts can result in catastrophic financial losses from stolen cryptocurrency. While vulnerability detectors can prevent vulnerable contracts from being deployed, this does not mean that such contracts will not be deployed. Once a vulnerable contract is instantiated on the blockchain and becomes the target of attacks, the identification of exploit transactions becomes indispensable in assessing whether it has been actually exploited and identifying which malicious or subverted accounts were involved. In this work, we study the problem of post-factum investigation of Ethereum attacks using Indicators of Compromise (IoCs) specially crafted for use in the blockchain. IoC definitions need to capture the side-effects of successful exploitation in the context of the Ethereum blockchain. Therefore, we define a model for smart contract execution, comprising multiple abstraction levels that mirror the multiple views of code execution on a blockchain. Subsequently, we compare IoCs defined across the different levels in terms of their effectiveness and practicality through EtherClue, a prototype tool for investigating Ethereum security incidents. Our results illustrate that coarse-grained IoCs defined over blocks of transactions can detect exploit transactions with less computation; however, they are contract-specific and suffer from false negatives. On the other hand, fine-grained IoCs defined over virtual machine instructions can avoid these pitfalls at the expense of increased computation which are nevertheless applicable for practical use.
... Authors in [11] propose Forensic-chain, a blockchain-based solution emphasizing on Chain of Custody (CoC). Proof of Concept (PoC) is developed in Hyperledger Composer. ...
Article
Digital forensic in Internet-of-Thing (IoT) paradigm is critical due to its heterogeneity and lack of transparency of evidence processing. Moreover, cross-border legalization makes a hindrance in such process pertaining to the cloud forensic issues. This urges a forensic framework for IoT which provides distributed computing, decentralization, and transparency of forensic investigation of digital evidences in cross-border perspectives. To this end, we propose a framework for IoT forensics that addresses the above mentioned issues. The proposed solution called Internet-of-Forensics (IoF) considers a blockchain tailored IoT framework for digital forensics. It provides a transparent view of the investigation process that involves all the stakeholders (e.g., heterogeneous devices, and cloud service providers) in a single framework. It uses blockchain-based case chain to deal with the investigation process including chain-of-custody and evidence chain. Consensus is used for consortium to solve the problems of cross-border legalization. This is also beneficial for a transparent and ease of forensic reference. The programmable lattice-based cryptographic primitives produce reduced complexities. It shows benefits for power-aware devices and puts an add-on to the novelty of the presented idea. IoF is generic; hence, it can be used by autonomous security operation centres, cyber-forensic investigators and manually initiated evidences under chain-of-custody for man-made crimes. Security services are assured as required by the framework. IoF is experimented and compared with the other state-of-the-art frameworks. The outcomes and analysis prove the efficiency of IoF concerning complexity, time consumption, memory and CPU utilization, gas consumption, and energy analysis.
... Mir R and others pointed out that as a new way of applying cryptography, blockchain technology can be used to record financial information. Such changes will have a breakthrough impact on corporate governance [5]. Then, a comprehensive assessment of these impacts was made, pointing out that these changes not only have a significant impact on the company's management, but also have hidden dangers for the departments involved in corporate governance. ...
Article
Full-text available
Blockchain technology has attracted widespread attention from all walks of life due to its decentralization, openness and transparency, and data that cannot be tampered with. At the same time, it has a good development prospect in the accounting and auditing industries. This article is based on the consensus algorithm research experiment. In the network environment, computers will be attacked in many situations, which may cause unexpected behaviors of the computer and the network. The consensus algorithm can deal with these unpredictable behaviors. The experiment uses a questionnaire survey method, and the survey objects rank the importance of accounting informatization, the necessity and feasibility of applying blockchain technology and other related issues, and different scores form different results. The experimental data shows that it is necessary to analyze and build a credibility guarantee mechanism for audit information systems based on blockchain technology. Each aspect includes its own specific content and details, and an average score is obtained for each category of options. Let’s compare the importance levels of the four factors. The experimental results show that, overall, the average scores of the four factors are between 3.9-4.4 points, with little difference in importance levels. Audit information quality issues scored the highest at 4.37 points, followed by management control issues and security issues at 4.24 and 4.21 points respectively. Although blockchain technology in the audit system is still in the research and development stage, the application of blockchain in the audit industry is a major trend. Researchers are working hard to solve the problems of blockchain storage and confidentiality.
... Then, there are two types of Business Network Archive deployments. It can be deployed in Hyperledger Fabric or via Web Browser [16,18]. Hyperledger Composer's framework also provides a flexible development platform, an object-oriented programming language to define Assets, and a JavaScript engine to create Smart Contracts [19]. ...
Article
Full-text available
With the advancement of Building Information Modeling (BIM) technology, BIM gains more importance and becomes a prerequisite in building projects. BIM is useful throughout a building lifecycle; from building bid, design, construction, completion, operation, and maintenance to building demolition. However, current information exchange surrounding BIM is still limited and bound to a single participant or organization and is also limited to a particular phase in the building lifecycle. This paper aims to explore BIM information exchange among many parties involved in a secure manner using a blockchain platform throughout the whole building lifecycle. In this research, many parties involved in the building project will be able to recognize one another through deployment of a permissioned blockchain. This information exchange uses Hyperledger Composer, a permissioned blockchain running on a blockchain platform called Hyperledger Fabric. Our experiment shows that BIM information exchange could be further improved. In this study, BIM information exchange can be implemented not only in one building phase but throughout the whole building lifecycle. It also facilitates BIM information exchange among multiple participants in a secure manner via a permissioned blockchain.
... In addition, the need of evaluating the trustworthiness of collected data clearly emerged in the context of forensics science and has been initially dealt with by defining a systematic and reliable methodology for data collection and analysis [10]. Some solutions based on blockchain have been also proposed to guarantee availability, integrity, and verifiability of collected data (e.g., [6,16,19]). Their goal was to show the feasibility of using blockchain to guarantee integrity and traceability of digital forensics evidence, while not focusing on the quality and accuracy of stored results. ...
Article
Internet of Things (IoT) is composed of physical devices, communication networks, and services provided by edge systems and over-the-top applications. IoT connects billions of devices that collect data from the physical environment, which are pre-processed at the edge and then forwarded to processing services at the core of the infrastructure, on top of which cloud-based applications are built and provided to mobile end users. IoT comes with important advantages in terms of applications and added value for its users, making their world smarter and simpler. These advantages, however, are mitigated by the difficulty of guaranteeing IoT trustworthiness, which is still in its infancy. IoT trustworthiness is a must especially in critical domains (e.g., health, transportation) where humans become new components of an IoT system and their life is put at risk by system malfunctioning or breaches. In this article, we put forward the idea that trust in IoT can be boosted if and only if its automation and adaptation processes are based on trustworthy data. We therefore depart from a scenario that considers the quality of a single decision as the main goal of an IoT system and consider the trustworthiness of collected data as a fundamental requirement at the basis of a trustworthy IoT environment. We therefore define a methodology for data collection that filters untrusted data out according to trust rules evaluating the status of the devices collecting data and the collected data themselves. Our approach is based on blockchain and smart contracts and collects data whose trustworthiness and integrity are proven over time. The methodology balances trustworthiness and privacy and is experimentally evaluated in real-world and simulated scenarios using Hyperledger Fabric blockchain.
... In the forensic context, the properties of digital traces impose relentless requirements on the tools and applications used for preservation and analysis. These include the Chain of Custody [10]. This means that proof of the whereabouts and handling of a digital trace must be provided without gaps from the moment of its acquisition. ...
Article
Full-text available
Abstract The methods used in forensics for centuries are based on the assumption of an exchange of matter and patterns. Through digitisation, these assumptions are now only valid to a limited extent; they are extended and discussed here. In this context, it is necessary to fundamentally rethink the concept of a trace. At the same time, constant technical progress and the ever-growing flood of data to be evaluated repeatedly set investigative authorities back. This development can only be mastered through automation. Artificial intelligence methods can and will increasingly support investigative authorities in this in the future.
... According to article 1 Section 3.1.1 of the Budapest Convention on Cybercrime (European Treaty Series No. 185) [5] digital/computer data is the representation of facts, information or concepts in a form that an information/computer system can process (e.g., photo, video, sound, text). According to the National Standard ISO/IEC 27037:2012 [6], which provides guidelines for specific activities (identification, collection, acquisition and preservation in a way that strengthens their evidential value) in handling digital evidence, the latter are identified as information or data, stored or transmitted in binary form, which may be relied on as evidence and act as an extremely important tool for solving cybercrimes [7]. Digital evidence is by nature extremely fragile and durable at the same time. ...
Article
Full-text available
Fighting crime in cyberspace requires law enforcement authorities to immerse in a digital ocean of vast amount of information and also to acquire and objectify the evidence of criminal activity. Handling digital evidence is a complex and multifaceted process as they can provide critical evidentiary information in an unquestionable and irrefutable way. When digital evidence resides in a cloud storage environment the criminal investigation is faced with unprecedented contemporary legal challenges. In this paper, the authors identify three main legal challenges that arise from the current cloud-based technological landscape, i.e., territoriality (the loss of location), possession (the cloud content ownership) and confiscation procedure (user authentication/data preservation issues). On the onset of the identified challenges, the existing American, European and International legal frameworks are thoroughly evaluated. Finally, the authors discuss and endorse the Power of Disposal, a newly formed legal notion and a multidisciplinary solution with a global effect as a result of collaboration between technical, organizational and legal perspectives as an effective first step to mitigate the identified legal challenges.
... It introduces a membership service that establishes rules and regulations by which different stakeholders are governed, authenticated, validated, and verified to be part of the blockchain network and allowed to access the ledger for ensuring secrecy, privacy, and confidentiality. The membership service is a new comprehensive novel design that revamps the whole process of nondeterminism, resource exhaustion, and performance attacks for the participating stakeholders [76]. Access control lists can be used to provide additional layers of permission. ...
Preprint
Full-text available
This paper reviews, discusses, and highlights some of the standard cloud computing vulnerabilities primarily related to virtualization platforms and their implementations while outsourcing services and resources to different end-users and business enterprises. Furthermore, we provide Blockchain-enabled solutions for virtualized cloud computing platform involving both the end-users as well as cloud service providers (CSP) to address and solve different security and privacy-related vulnerabilities using blockchain-enabled solutions to improve their cloud services and resource provisioning facilities.
... Additionally, the complexity of the tasks to be carried out and the required compliance with law and courts' regulations has led to the establishment of strict protocols and procedures to be followed [10]- [12]. The continuous appearance of new forms of cybercrime also requires adaptive investigation process models, new technology, and advanced techniques to deal with such incidents [13]- [15]. ...
Article
Full-text available
Due to its critical role in cybersecurity, digital forensics has received significant attention from researchers and practitioners alike. The ever increasing sophistication of modern cyberattacks is directly related to the complexity of evidence acquisition, which often requires the use of several technologies. To date, researchers have presented many surveys and reviews on the field. However, such articles focused on the advances of each particular domain of digital forensics individually. Therefore, while each of these surveys facilitates researchers and practitioners to keep up with the latest advances in a particular domain of digital forensics, the global perspective is missing. Aiming to fill this gap, we performed a qualitative review of all the relevant reviews in the field of digital forensics, determined the main topics on digital forensics and identified their main challenges. Despite the diversity of topics and methods, there are several common problems that are faced by almost all of them, with most of them residing in evidence acquisition and pre-processing due to counter analysis methods and difficulties of collecting data from devices, the cloud etc. Beyond pure technical issues, our study highlights procedural issues in terms of readiness, reporting and presentation, as well as ethics, highlighting the European perspective which is traditionally stricter in terms of privacy. Our extensive analysis paves the way for closer collaboration among researchers and practitioners among different topics of digital forensics.
... It introduces a membership service that establishes rules and regulations by which different stakeholders are governed, authenticated, validated, and verified to be part of the blockchain network and allowed to access the ledger for ensuring secrecy, privacy, and confidentiality. The membership service is a new comprehensive novel design that revamps the whole process of nondeterminism, resource exhaustion, and performance attacks for the participating stakeholders [76]. Access control lists can be used to provide additional layers of permission. ...
Article
Full-text available
Cloud computing is a well-known technology that provides flexible, efficient, and cost-effective IT solutions for multinationals to offer improved and enhanced quality of business services to end-users. The cloud computing paradigm is instigated from the grid and parallel computing models. It uses virtualization, server consolidation, utility computing, and other computing technologies and models for providing better IT solutions for large-scale computational data centres. It encompasses different services for supporting data storage, networking, and computing for facilities and amenities for businesses and multinational corporations. The enormous elastic on-demand cloud provisioning resources and services and datasets are processed and stored in tier-level virtualized cloud data centres operated by third-party service providers called cloud owners. The primary issue with these cloud service providers is to provide and maintain data security, privacy, and confidentiality and service availability and data support for end-users. This paper reviews, highlights, and discusses some of the common cloud computing vulnerabilities primarily related to virtualization platforms and their implementations while outsourcing services and resources to different end-users and business enterprises. We then provided blockchain-enabled solutions for virtualized cloud platforms involving both the end-users and cloud service providers (CSP) to address and solve various security and privacy-related vulnerabilities. These solutions will help the data centre industry to improve its virtualized cloud services and resource provisioning facilities. Finally, we discussed different blockchain-related implementation challenges in cloud infrastructures.
... As a final note, we sustain that enabling technologies such as blockchain could enhance the auditability and transparency of several procedures performed during investigations. Several proposals that prove the capabilities of such a technology in the context of forensic investigations have been provided in the literature [37,81,86,145]. Moreover, blockchain could be used to automate several of the previously discussed procedures (e.g., evidence exchange). ...
Preprint
Full-text available
Digital evidence underpin the majority of crimes as their analysis is an integral part of almost every criminal investigation. Even if we temporarily disregard the numerous challenges in the collection and analysis of digital evidence, the exchange of the evidence among the different stakeholders has many thorny issues. Of specific interest are cross-border criminal investigations as the complexity is significantly high due to the heterogeneity of legal frameworks which beyond time bottlenecks can also become prohibiting. The aim of this article is to analyse the current state of practice of cross-border investigations considering the efficacy of current collaboration protocols along with the challenges and drawbacks to be overcome. Further to performing a legally-oriented research treatise, we recall all the challenges raised in the literature and discuss them from a more practical yet global perspective. Thus, this article paves the way to enabling practitioners and stakeholders to leverage horizontal strategies to fill in the identified gaps timely and accurately.
... The Hyperledger Composer is a modular tool from Hyperledger Fabric containing a modeling language, and a set of APIs that make it easy for developers to create blockchain applications [29]. It is a collaboration tool that accelerates the development of smart contracts and distributed ledger structures [7]. The Hyperledger Composer contains eleven components, namely: Blockchain State Storage: Hyperledger basically has two storage areas, a distributed ledger and a state database [16]. ...
Article
In this paper, we proposed the blockchain-assisted shared audit framework (BSAF) to analyze digital forensic data in the IoT platform. The proposed framework was designed to detect the source/cause of data scavenging attacks in virtualized resources (VR). The proposed framework implements blockchain technology for access log and control management. Access log information is analyzed for its consistency of adversary event detection using logistic regression (LR) machine learning and cross-validation. An adversary event detected by LR is filtered using cross-validation to retain the precision of data analysis for varying user density and VRs. Experimental results prove the consistency of the proposed method by improving the data analysis, as well as reducing analysis time and the adversary event rate.
Chapter
Difficulties with accessing device content or even the device itself can seriously hamper smartphone forensics. Mobile cloud storage, which extends on-device capacity, provides an avenue for a forensic collection process that does not require physical access to the device. Rather, it is possible to remotely retrieve credentials from a device of interest through undercover operations, followed by live cloud forensics. While technologically appealing, this approach raises concerns with evidence preservation, ranging from the use of malware-like operations, to linking the collected evidence with the physically absent smartphone, and possible mass surveillance accusations. In this paper, we propose a solution to ease these concerns by employing hardware security modules to provide for controlled live cloud forensics and tamper-evident access logs. A Google Drive-based proof of concept, using the SEcube hardware security module, demonstrates that D-Cloud-Collector is feasible whenever the performance penalty incurred is affordable.
Chapter
Cybercrime involves unlawful activities done by the individual in cyberspace using the internet. It is cyberbullying, financial theft, code-hack, cryptojacking, hacking, etc. The main difference between cybercrime and cyberattack is that cybercrime victims are humans. The crime associated with the latter is that of a computer network, hardware or software. Cyberattack activities include ransomware, viruses, worms, SQL injection, DDoS attacks, and governments and corporations are potential targets. Cyber security provides a specialised approach to the protection of computer systems from cybercrimes and cyberattacks. As of now, no cyber defence is 100% safe. What is considered safe today may not be secure tomorrow. Blockchain enables a new way of recording transactions or any other digital interaction within the network with security, transparency, integrity, confidentiality, availability, and traceability. This chapter explains in detail about cyber risks and how blockchain can be used to avoid risks in financial and insurance frauds.
Article
Full-text available
In recent times, the new revolution of IoT facilitates communication and information sharing among people in different domains like a smart city. This revolution came with a risk of cyber‐attacks that target devices and shared data. The digital evidence resulting from the digital forensics process applied to IoT devices must be kept safe for later analysis. Preserving digital evidence on a centralized server raises the risk of a single point of failure. Evidence preserving on cloud servers raises the tampering risk with the evidence or even sharing them with malicious third parties. Therefore, this paper presents a novel framework called Forensics Chain for Evidence Preservation System for IoT‐based smart city security. The proposed framework aims to integrate blockchain with digital forensics to overcome the problems faced by forensic investigators; single point of failure and/or evidence modifications and enhance the security of preserving digital evidence via applying blockchain. Applying blockchain guarantees the immutability and data integrity of the preserved evidence. Furthermore, preserving the digital evidence among the forensic participant nodes eliminates the possibility of the single‐point failure of a centralized storage server. The results provided a Proof of Concept for forensic evidence preservation based on blockchain and evaluated its performance.
Chapter
This article presents an introduction to the definition of a set of metrics to address the performance, scalability and workload analysis of blockchain technologies, mainly with tools applied to the Argentine Federal Blockchain and Hyperledger Fabric. Issues to consider in the application of this technology for the protection of digital evidence are also raised. Although there are known methods to measure performance, there is still no common framework that facilitates the task of achieving a comparative measurement between the different blockchain solutions, which, considering the sustained use of this technology in a wide field of application, is shown to be a vacant area in which we consider it necessary to advance in order to evaluate the performance in different use cases and scenarios.
Article
Full-text available
Small and medium-sized enterprises (SMEs) organize themselves into clusters by sharing a set of limited resources to achieve the holistic success of the cluster. However, these SMEs often face conflicts and deadlock situations that hinder the fundamental operational dynamics of the cluster due to varied reasons, including lack of trust and transparency in interactions, lack of common consensus, and lack of accountability and non-repudiation. Blockchain technology brings trust, transparency, and traceability to systems, as demonstrated by previous research and practice. In this paper, we explore the role of blockchain technology in building a trustworthy yet collaborative environment in SME clusters through the principles of community self-governance based on the work of Nobel Laureate Elinor Ostrom. We develop and present a blockchain commons governance framework for the three main dimensions i.e., interaction, autonomy, and control, based on the theoretical premise of equivalence mapping and qualitative analysis. This paper examines the role of blockchain technology to act as a guiding mechanism and support the smooth functioning of SMEs for their holistic good. The study focuses on sustainability and improving productivity of SMEs operating in clusters under public and private partnership. This is the first study to address the operational challenges faced by SMEs in clusters by highlighting the dimensions of blockchain commons governance.
Article
Log files are the primary source of recording users, applications and protocols, activities in the cloud ecosystem. Cloud forensic investigators can use log evidence to ascertain when, why and how a cyber adversary or an insider compromised a system by establishing the crime scene and reconstructing how the incident occurred. However, digital evidence acquisition in a cloud ecosystem is complicated and proven difficult, even with modern forensic acquisition toolkit. The multi-tenancy, Geo-location and Service-Level Agreement have added another layer of complexity in acquiring digital log evidence from a cloud ecosystem. In order to mitigate these complexities of evidence acquisition in the cloud ecosystem, we need a framework that can forensically maintain the trustworthiness and integrity of log evidence. In this paper, we design and implement a Blockchain Cloud Forensic Logging (BCFL) framework, using a Design Science Research Methodological (DSRM) approach. BCFL operates primarily in four stages: (1) Process transaction logs using Blockchain distributed ledger technology (DLT). (2) Use a Blockchain smart contract to maintain the integrity of logs and establish a clear chain of custody. (3) Validate all transaction logs. (4) Maintain transaction log immutability. BCFL will also enhance and strengthen compliance with the European Union (EU) General Data Protection Regulation (GDPR). The results from our single case study will demonstrate that BCFL will mitigate the challenges and complexities faced by digital forensics investigators in acquiring admissible digital evidence from the cloud ecosystem. Furthermore, an instantaneous performance monitoring of the proposed Blockchain cloud forensic logging framework was evaluated. BCFL will ensure trustworthiness, integrity, authenticity and non-repudiation of the log evidence in the cloud.
Article
The Chain of Custody is an intrinsic part of any inspection. Maintaining and evaluating the integrity of evidence procured from a crime scene is an important part that needs to be done properly by following a certain set of protocols to make the evidence admissible in the court. Keeping track of the evidence right from the moment it was collected from the crime scene till the time it reaches court is also a major task. It is important for the investigator to know how, where and who handles the evidence during analysis at each phase in order to safeguard the integrity of the evidence. Over a period of time, various tools and technologies have been created to handle evidence. Researchers from across the globe have presented various techniques on how evidence should be handled. Many researchers have even incorporated blockchain technology with the chain of custody or life cycle of evidence to make the process stronger. The growth in this domain has been at a rapid pace. This paper presents a method on “Maintaining and Evaluating the Integrity of a Digital Evidence in Chain of Custody” using a global positioning system. The methodology focuses on the use of global positioning system tags or chips which when embedded with the collected evidence enables an investigator to track the evidence throughout its life cycle. The proposed methodology aims to help the investigators to keep track of the evidence throughout its life cycle using very basic tools like FTK Imager and technology like a global positioning system.
Article
With the increasing usage of information technology on the criminal side, the digital forensic analysis, especially multimedia forensics, becomes an emerging technique for cybercrime investigators to improve examination efficiency. The study focuses on the digital triage problem for evidence location during the automatic forensic process. After defining the multi-scale knowledge base for storing digital forensic investigators’ prior knowledge, a variable scale case-based reasoning method (VSCBR) is proposed to support investigators predicting evidential areas. The variable-scale clustering algorithm based on the scale transformation strategy (VSC-STS) is also put forward, which could identify highly similar past cases containing candidate evidence in the case reuse and revise phase. A case study is established using a real 15.9 GB bidding case dataset, which contains both text bidding documents and image technical drawings. Numerical experimental results show that the validation of the proposed VSC-STS is significantly improved compared with the traditional single-scale clustering algorithm, and it is insensitive to the initial parameter threshold. Moreover, the proposed method VSCBR is able to help investigators locate suspicious rule-violating evidences in practice.
Chapter
Blockchain technology has in many ways shown itself to be a promising technology where trust can be created between parties. With blockchain, trusted parties can easily transact or exchange information over a cryptographically secured distributed environment. However, based on the blockchain architecture, conducting digital forensic processes faces several problems and challenges. This chapter, therefore, explores the key open problems and challenges experienced while conducting digital forensic processes in blockchain technologies. The authors have leveraged design science research (DSR) to achieve the objectives of this study. Furthermore, the authors have also proposed high-level solutions to the identified problems and challenges.
Article
Full-text available
Blockchain technology is a distributed data recording system developed to monitor and secure all encrypted transactions with the shortest identification. Blockchain technology made a name for itself in 2008. However, the real development of this technology has been realized with the use of smart contracts in Blockchain technology. In the cryptocurrency world, a smart contract can be defined as an application or program running on the Blockchain. They operate as digital deals that have to comply with certain rules. These rules are predetermined by computer code and then copied and implemented by the servers in the entire network. The use of the word “smart” as a term in smart contracts comes from the fact that it is not made manually and is realized digitally. In this study, it is aimed to contribute to future studies in the transformation of smart contracts into real “smart” contract structures by applying artificial intelligence algorithms. First of all, there are no research or review articles on artificial intelligence and smart contract integration in the literature. We have included a comprehensive literature review on smart contracts and Blockchain networks in our work. In addition, we shared our research on the use of artificial intelligence in smart contracts, which is the most lacking in the literature. Finally, we shared the problems that can be solved using artificial intelligence and smart contracts. We believe that our work will pave the way for forward‐looking efforts, especially at the point of integration of two major technologies, artificial intelligence and smart contracts.
Chapter
Cybercrimes are exponentially rising in number and forensic investigations are now being actively conducted to get to the root of the problem. There are many challenges to conducting a smooth forensic investigation. It suffers from the problem of maintaining integrity, ownership, auditability and authenticity of digital evidence. In this work, we elaborately cover how blockchain can be used to tackle the challenges faced by forensic investigations. In particular, we propose a framework based on blockchain which can assist in maintaining Chain of Custody while preserving integrity, accountability and authenticity of the acquired digital evidence. We devise our own smart contracts for the execution of scripts under different circumstances as governed by the phases of forensic investigation. We conclude our work by discussing future research directions and open challenges for the same.
Article
Full-text available
On considering the integrity of electronic evidence, in particular, we can see that such evidence needs to be protected from a number of undesirable outcomes, namely alteration or destruction. We need to guard against these events and others when trying to maintain system integrity and preserve the purity of evidence so that it can be acceptable in court. Chain of Custody is nothing but the consecutive documentation of records. The Chain of Custody has all the necessary steps that a crime investigator must follow to make sure that the information is honest. The Chain of Custody is significant because, if it cannot be proven that evidence was not altered during the time between collection and its usage in court, then the collected evidence is not credible. Blockchain technology, a decentralized network currently used by Bitcoin and other cryptocurrency networks, helps provide a secure database by hashing the data and storing it in blocks. We propose to implement blockchain technology for the process of Chain of Custody, which helps in tracking the people who access the data and assists in assuring the credibility of the data provided at the time of submission in court. Keywords: Chain of Custody (CoC), Blockchain-Based Chain of Custody (B-CoC), Proof of Work (PoW).
Chapter
Evidence gathering is at the core of every analysis process. The ability to verify the results and have appropriate paperwork, especially if a case lasts for several years, is vital. In later periods, information gathered at the outset of a prosecution may become crucial. If the documentation is handled by a system, the judicial authority can find the important facts quicker at the appropriate time. This system provides knowledge about electronic evidence collecting, processing, transportation and handling. Maintaining documents based on paper may be a tedious job that is exposed to human interference by mistakes and modifications. Security issues emerge from electronic records stored in a centralized consolidated archive. Any evidence obtained five or six years ago is very difficult to preserve in a paper-based evidence storage system. We propose a secure evidence management system to store evidence in a secure, distributed peer-to-peer (p2p) file storage network (IPFS) using blockchain technology. The system is designed with a custom transaction family on Hyperledger Sawtooth to document every transaction from the moment the evidence is collected, ensuring that only approved individuals can access or possess evidence. Our proposed framework provides a safe compromise between different stakeholders such as law enforcement agencies, attorneys, and forensic professionals that protects the integrity and permissibility of evidence.
Article
When handling a security incident, there is a lot of information that needs to be stored, processed, and analyzed. As a result of the volume of information and the necessity to deal with a security incident investigation promptly, different forensic tools have been developed to provide cyber threat intelligence and security incident response management platforms and solutions. These platforms enable responders to effectively collaborate in identifying and investigating incidents, manage their work on a case from creation until resolution or completion, and automate incident response tasks with external threat information. Since incident response services are a growing priority at organizations, there is a pressing need for a trustworthy and transparent way to maintain the authenticity and integrity of investigative actions that is independently verifiable. Generally, security incident case management allows a security analyst to add related logs. Aside from the possibility of a log being deleted, it is difficult to audit the log for traceability and provenance if a user decides to be malicious. To address this problem, we propose utilizing a blockchain ledger for security investigative actions and associated metadata by extracting requirements for cybersecurity incident response from the models gathered through the analysis of an open-source incident management platform. We demonstrate the applicability of the proposed techniques and methods by investigating a case scenario of evidence actions within TheHive security incident response platform (SIRP).
Article
Full-text available
Digital evidence plays an important role in cyber crime investigation, as it is used to link persons with criminal activities. Thus it is of extreme importance to guarantee integrity, authenticity, and auditability of digital evidence as it moves along different levels of hierarchy in chain of custody during cyber crime investigation. Blockchain technology’s capability of enabling comprehensive view of transactions (events/actions) back to origination provides enormous promise for the forensic community. In this research we proposed to use a blockchain that can be leveraged for forensic applications in particular bringing integrity and tamper resistance to digital forensics chain of custody.
Conference Paper
Full-text available
Traditionally, a chain of custody (chain of evidence) refers to the chronological documentation, or paper trail, showing the storing, controlling, transfer, analysis and handling of evidence. Chain of custody plays a very important role in the digital forensic investigation process. To prove chain of custody, investigators must know all details on how the evidence was handled. The “Five W’s (and one H)” must be applied. The life cycle of digital evidence is very complex, and at each stage there are more impacts that can violate a chain of custody. A proper chain of custody must include information on how evidence is collected, transported, analyzed, preserved, and handled. In most countries there is no standard unique protocol or procedures for this. In this paper the authors present a digital evidence management framework (DEMF), which can (im)prove the chain of custody of digital evidence in all stages of the digital investigation process. In the proposed framework, a SHA-2 hash function will be used for the digital fingerprint of evidence, biometric characteristics for authentication and identification of the person who handled the evidence, a digital trusted timestamp for determining the “right” time when evidence is discovered or accessed, and GPS coordinates for determining the location of evidence. Use of all these factors in the right way provides a safe and secure chain of custody, to ensure that digital evidence will be accepted by the court.
Article
Full-text available
Chain of custody of digital evidence in the digital forensic field is today an essential part of the digital investigation process. In order for the evidence to be accepted by the court as valid, the chain of custody for digital evidence must be kept, i.e. it must be known exactly who, when, where, why and how came into contact with the evidence in each stage of the digital investigation process. This paper deals with digital evidence and the chain of custody of digital evidence. The authors define a taxonomy and use an ontological approach to manage the chain of custody of digital evidence. The aim of this paper was to develop an ontology to provide a new approach to study and better understand the chain of custody of digital evidence. Additionally, the developed ontology can be used as a method to further develop a set of standards and procedures for secure management of digital evidence.
Article
Full-text available
Chain of custody is the procedure for producing a chronological documentation of evidence, and it is an important procedure in the investigation process. Both physical and digital evidence are an important part of the process of investigation and the courtroom. However, handling the chain of custody for digital evidence is more difficult than the handling of physical evidence. Nevertheless, the handling of digital evidence should still follow the same procedure as the handling of physical evidence. Until now, handling the chain of custody for digital evidence is still an open problem with a number of challenges, including the business model of the interaction of the parties that deal with digital evidence, recording of metadata information, as well as issues of access control and security for all the handling of the digital chain of custody. The solution offered in this research is to build a model of Digital Evidence Cabinets as a new approach to implementing digital evidence handling and chain of custody. The model is constructed through three approaches: Digital Evidence Management Frameworks, Digital Evidence Bags with Tag Cabinets, as well as access control and secure communication. The proposed framework is expected to be a solution for the availability of an environment for handling digital evidence and to improve the integrity and credibility of digital evidence.
Article
Full-text available
Forensic investigators should acquire and analyze large amounts of digital evidence and submit to the court the technical truth about facts in virtual worlds. Since digital evidence is complex, diffuse, volatile and can be accidentally or improperly modified after being acquired, the chain of custody must ensure that collected evidence can be accepted as truthful by the court. In this scenario, traditional paper-based chain of custody is inefficient and cannot guarantee that the forensic processes follow legal and technical principles in an electronic society. Computer forensics practitioners use forensic software to acquire copies or images from electronic devices and register associated metadata, like computer hard disk serial number and practitioner name. Usually, chain of custody software and data are insufficient to guarantee to the court the quality of forensic images, or to guarantee that only the right person had access to the evidence, or even to guarantee that copies and analysis were made only by authorized manipulations and at acceptable addresses. Recent developments in forensic software make it possible to collect in multiple locations and analyze in distributed environments. In this work we propose the use of the new network facilities existing in the Advanced Forensic Format (AFF), an open and extensible format designed for forensic tools, to increase the quality of the electronic chain of custody.
Conference Paper
Full-text available
The integrity of digital evidence plays an important role in the digital process of forensic investigation. A proper chain of custody must include information on how evidence is collected, transported, analyzed, preserved, and handled. There are several adapted methods for digitally signing evidence to (im)prove the integrity of digital evidence. Most forensic tools and applications use a certain kind of hashing algorithm to allow investigators to later verify the disk or image integrity. In this process there is a problem of binding integrity, identity and the date and time of access to digital evidence. In this paper the authors will present a valid time stamping method for signing digital evidence in all stages of the digital investigation process. The time stamp will be obtained from a secure third party (Time Stamp Authority). It will be used to prove the time when staff accessed the evidence in any stage of the forensic investigation.
Article
Full-text available
Forensic analysis requires the acquisition and management of many different types of evidence, including individual disk drives, RAID sets, network packets, memory images, and extracted files. Often the same evidence is reviewed by several different tools or examiners in different locations. We propose a backwards-compatible redesign of the Advanced Forensic Format, an open, extensible file format for storing and sharing evidence, arbitrary case-related information and analysis results among different tools. The new specification, termed AFF4, is designed to be simple to implement, built upon the well supported ZIP file format specification. Furthermore, the AFF4 implementation has downward compatibility with existing AFF files.
Conference Paper
Full-text available
Non-repudiation of digital evidence is required by various use cases in today's business, for example in the area of medical products but also in public use cases like congestion charges. These use cases have in common that at a certain time an evidence record is generated to attest to the occurrence of a certain event. To allow for non-repudiation of such an evidence record, it is required to provide evidence on the used device itself, its configuration, and the software running at the time of the event. Digital signatures as used today provide authenticity and integrity of the evidence record. However, the signature gives no information about the state of the Measurement Instrument at the time of operation. The attestation of the correct operation of the evidence collector is discussed in this paper and an implemented solution is presented.
Article
Full-text available
Recent advances in computer internetworking and continued increases in Internet usage have been accompanied by a continued increase in the incidence of computer related crime. At the same time, the number of sources of potential evidence in any particular computer forensic investigation has grown considerably, as evidence of the occurrence of relevant events can potentially be drawn not only from multiple computers, networks, and electronic systems but also from disparate personal, organizational, and governmental contexts. Potentially, this leads to significant improvements in forensic outcomes but is accompanied by an increase in both the complexity and scale of event information. In order for forensic investigators to effectively investigate this mass of data, semantically strong representational models and automated methods of correlating such event data are becoming a necessity. The contribution of the work described in this paper is the automated detection of a computer forensic scenario, based upon facts automatically derived from digital event logs. We present an expert systems based approach that has the ability to manage the scalability and semantic issues arising in such inter-domain forensics, using an extensible, semantic domain model specified using the Web Ontology Language (OWL). We have developed a prototype system, Forensics of Rich Events (FORE), which supports investigation of heterogeneous event data using a novel form of manipulation of hypothetical knowledge, while supporting the application of standard rule and signature based event correlation techniques. We demonstrate proof of concept of our approach by applying the prototype we have developed to a test case scenario that demonstrates the flexibility of the approach in a single domain context.
Chapter
The Hyperledger Project is a Linux Foundation initiative to develop an open source ecosystem of blockchain development. The Linux Foundation aims to create an environment in which communities of software developers and companies meet and coordinate to build blockchain frameworks. Hyperledger itself is not another cryptocurrency, but rather an open hub for enterprise-grade blockchain projects to incubate and mature through all stages of development and commercialization. In this chapter, we talk about the current state of the Hyperledger Project, with a focus on the currently incubating projects, a summary of the project scope being implemented, and a review of the comprehensive set of technologies involved in creating an open source enterprise-grade blockchain.
Article
Most forensic models focus on the investigative process and its different phases and are characterized by a rather informal and intuitive approach. This paper proposes an abstract model of the digital forensic model based on a new flow-based specification methodology. It is shown in examples that the method can uniformly specify the forensic process in various phases and across roles. It also provides more exact description where "things" (e.g., information, evidence) are separated into different streams of flow.
Article
A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution. Digital signatures provide part of the solution, but the main benefits are lost if a trusted third party is still required to prevent double-spending. We propose a solution to the double-spending problem using a peer-to-peer network. The network timestamps transactions by hashing them into an ongoing chain of hash-based proof-of-work, forming a record that cannot be changed without redoing the proof-of-work. The longest chain not only serves as proof of the sequence of events witnessed, but proof that it came from the largest pool of CPU power. As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network, they'll generate the longest chain and outpace attackers. The network itself requires minimal structure. Messages are broadcast on a best effort basis, and nodes can leave and rejoin the network at will, accepting the longest proof-of-work chain as proof of what happened while they were gone.
Conference Paper
This paper is presented to identify research goals for the modeling of experiences, lessons learned, and knowledge discovered during the analysis of digital evidence in a forensic investigation. Additionally this paper suggests how such models might be used to facilitate automated computer forensics media analysis tools. The scope of this paper, with respect to computer forensics, is limited to the search for, identification of, and analysis of evidence found on digital storage media. Probing questions are presented that the authors are intending to answer in this research, as well as an idea of what products might be produced in this research effort.
Article
This paper questions the current approach to forensic incident response and network investigations. Although claiming to be ‘forensic’ in nature it shows that the basic processes and mechanisms used in traditional computer forensics are rarely applied in the live incident investigation arena. This paper demonstrates how the newly proposed Digital Evidence Bag (DEB) storage format can be applied to a dynamic environment. A DEB is a universal container for digital evidence from any source. It allows the provenance to be recorded and continuity to be maintained throughout the life of the investigation. With a small amount of forethought a forensically rigorous approach can be applied to incident response, network investigations and system administration with minimal overhead.
Article
Computers have become an important part of our lives and are becoming fundamental to activities in the home and workplace. Individuals use computer technology to send emails, access banking information, pay taxes, purchase products, surf the internet and so on. Businesses also use computers and the Internet to perform accounting tasks, manage customer information, store trade secrets, and develop new products and services. State, Federal and Local government agencies use the computer and Internet to create and access information. Similarly, digital systems have become the mainstay of criminal activity. Legal proceedings have always been influenced by tradition and court decisions. These legal traditions and decisions have necessitated the development of complex sets of rules that are used to assess forensic evidence in legal matters. Information and communication technology has impacted enterprise investigation and associated legal matters by requiring electronic evidence to be considered. However, not all evidence presented by digital forensic investigators in legal proceedings has been admissible. The digital forensics investigator must adopt procedures that adhere to the standards of admissibility for evidence in a court of law: proper content inspection of a computer system, proper analysis documentation and professional court representation to ensure a successful outcome. This paper presents an overview of issues in the discipline of digital forensics and explores some areas in the legal system where digital forensics evidence is most likely to be questioned. These include case jurisdiction, search and seizure, spoliation of evidence and issues of “good faith”, evidence preservation, investigation and analysis.